apache > db
Apache DB Project
Font size:      

Signed Jar Files

Signed Jar Files

In a Java 2 environment, Derby can detect digital signatures on jar files. When attempting to load a class from a signed jar file stored in the database, Derby will verify the validity of the signature.

The Derby class loader only validates the integrity of the signed jar file and that the certificate has not expired. Derby cannot ascertain whether the validity/identity of declared signer is correct. To validate identity, use a Security Manager (i.e., an implementation of java.lang.SecurityManager).

When loading classes from an application jar file in a Java 2 environment, Derby behaves as follows:

  • If the class is signed, Derby will:
    • verify that the jar was signed using a X.509 certificate (i.e., can be represented by the class java.security.cert.X509Certificate). If not, throw an exception.
    • verify that the digital signature matches the contents of the file. If not, throw an exception.
    • check that the set of signing certificates are all valid for the current date and time. If any certificate has expired or is not yet valid, throw an exception.
    • pass the array of certificates to the setSigners() method of java.lang.ClassLoader. This allows security managers to obtain the list of signers for a class (using java.lang.Class.getSigners) and then validate the identity of the signers using the services of a Public Key Infrastructure (PKI).
Derby does not provide a security manager.

For more information about signed jar files, see the Java 2 specifications at http://java.sun.com.

For more information about Java 2 security, go to http://java.sun.com/security/.

Previous Page
Next Page
Table of Contents