Signed Jar Files
In a Java 2 environment, Derby can detect digital signatures on jar
files. When attempting to load a class from a signed jar file stored in
the database, Derby will verify the validity of the signature.
- Note:
- The Derby class loader only validates the integrity of the signed jar
file and that the certificate has not expired. Derby cannot
ascertain whether the validity/identity of declared signer is correct.
To validate identity, use a Security Manager (i.e., an
implementation of java.lang.SecurityManager).
When loading classes from an application jar file in a Java 2 environment,
Derby behaves as follows:
- If the class is signed, Derby will:
- verify that the jar was signed using a X.509 certificate
(i.e., can be represented by the class
java.security.cert.X509Certificate). If
not, throw an exception.
- verify that the digital signature matches the contents of the file.
If not, throw an exception.
- check that the set of signing certificates are all valid for the current
date and time. If any certificate has expired or is not yet valid,
throw an exception.
- pass the array of certificates to the setSigners() method of
java.lang.ClassLoader. This allows
security managers to obtain the list of signers for a class (using
java.lang.Class.getSigners) and
then validate the identity of the signers using the services of a Public Key
Infrastructure (PKI).
- Note:
- Derby does not provide a security manager.
For more information about signed jar files, see the Java 2 specifications
at http://java.sun.com.
For more information about Java 2 security, go to
http://java.sun.com/security/.
[ Previous Page
Next Page
Table of Contents
Index ]