Securing Your Java ARchive (JAR) Files
As a standardized development platform, Java has tools that support securing its "distributables." For Java ARchive (JAR) files, the concept is called JAR signing. Signing a JAR is no different from signing a document; the signature merely verifies that the JAR is valid content and you are aware of what is in it. When publishing an application over the Internet or simply developing applications that can be run in an Internet environment, employing JAR signing can ensure security.
How Does Signing Work?Signing is a digital method of telling the user of a file that you are the creator or that you are aware of its contents and that they are safe to use. The most important requirement is for a mechanism to indicate that the contents of the file have not changed or been modified. When the user knows that the file is from a trusted source, he or she can rely on it for the features that it offers.
As an example, say you are monitoring the stock market using an online application, maybe an applet. While the applet is just displaying data, you are absolutely fine with it. However, at some point, the applet requests permission to save content and write to your disk. Granting permission for this operation seems risky, because you don't know what the applet will do to your local file system. You are safe though, because by default applets are controlled by the Java runtime, and not allowed to perform any operation (such as writing a file, modifying contents of files, etc.) on a local system.
However, suppose you want the applet to write to your disk in this case. That brings up the question of credibility; you would provide or grant permissions to the applet to perform activities on the local system if you knew its source. Enter the public and private key infrastructure, which resolves this trust issue. The public key (which, as its name indicates, is available publicly) can verify a signature made by a private key, and a private key can be verified only by a corresponding public key.
But how can you be sure the public key is from a trusted source, as it claims? The verification process closes the loop here. Companies specialize in the verification business and support this requirement. These trustworthy companies award certificates that declare who owns a given public key.
Getting back to JARs, when a JAR is signed, the public key becomes part of it. Anyone who wants to use the JAR can rely on the public key to verify the JAR's trustworthiness and to be doubly sure that the public key is using a certificate.
To summarize, if your application needs the capability to access resources outside the JVM, sign it. The user can then decide to grant your application the required permission to perform its intended actions.