Hi,

I have an applet which is present in a signed jar. This applet uses another 3rd party jar file which is unsigned. On launching the applet I get the Mixed code warning which I want to avoid.

To solve this issue, I added "Trusted-Library: true" to the unsigned jar which is being used by my applet.

But it still throws a SecurityException. I tried this with JRE update 20 as well, but the problem persists.

Can someone please help me with this? How can I avoid getting the warning message when I have to use an unsigned jar?

Thanks!

+2  A: 

Use your tool chain to sign the 3rd party JAR with your key.

Aaron Digulla
Can we sign a 3rd party jar with our signature? Meaning, will that be legal?
raghvendra
@raghvendra: check with your legal department for that. But from what I see, it is not an uncommon practice.
Joachim Sauer
OK, thanks a lot!
raghvendra
You can sign it, but make the signature say that you're signing on behalf of third-party providers. Like that, it's *you* that is making the assertion that the code is OK, but you're not claiming ownership.
Donal Fellows
@Donal You are also putting your name against the code being secure. Being secure is a different kettle of fish from not being malicious.
Tom Hawtin - tackline
@Tom: Yes, but that's why you should only grant exactly what is needed for the code to do its job. Don't give access to the whole filesystem when only a tiny bit will do; don't give the ability to open any socket when connecting to your server (with known IP address) is enough.
Donal Fellows
@Donal Whilst that can be useful, it's very rare to be done in practice. It's difficult to work out what the exact permission should be (they'll be hidden in libraries) and it doesn't tend to achieve much.
Tom Hawtin - tackline
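
A pre-deployment check for the situation in this thread, added here as an example and not taken from any poster: it lists which jars of an applet deployment carry signature files and flags an unsigned jar that declares `Trusted-Library: true`. The function names and the sample jars are constructed for illustration; the check only looks for the presence of `META-INF` signature files and does not validate them the way `jarsigner -verify` does.

```python
import io
import zipfile
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def inspect_jar(data):
    """Report whether a jar carries signature files and Trusted-Library: true."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        meta = [n.upper() for n in names
                if n.upper().startswith("META-INF/") and n.count("/") == 1]
        manifest = ""
        for n in names:
            if n.upper() == "META-INF/MANIFEST.MF":
                manifest = jar.read(n).decode("utf-8", "replace")
    signed = any(n.endswith(".SF") for n in meta) and any(n.endswith(SIG_BLOCK_EXT) for n in meta)
    # Main attributes end at the first blank line; attribute names are case-insensitive.
    attrs = {}
    for line in manifest.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n"):
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    return {"signed": signed, "trusted_library": attrs.get("trusted-library", "").lower() == "true"}

def audit(jars):
    """Return findings for a deployment given as {jar name: jar bytes}."""
    info = {name: inspect_jar(data) for name, data in jars.items()}
    unsigned = sorted(n for n, i in info.items() if not i["signed"])
    findings = []
    if unsigned and len(unsigned) < len(info):
        findings.append("mixed code: unsigned " + ", ".join(unsigned))
    for n in unsigned:
        if info[n]["trusted_library"]:
            findings.append(n + ": Trusted-Library set on an unsigned jar")
    return findings

def make_jar(entries):  # builds a constructed sample jar in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

SAMPLE = {  # constructed: a signed applet jar plus the unsigned library from the question
    "applet.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n\n",
                            "META-INF/MYKEY.SF": "placeholder", "META-INF/MYKEY.RSA": "placeholder",
                            "com/example/App.class": ""}),
    "thirdparty.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nTrusted-Library: true\n\n",
                                "lib/Util.class": ""}),
}
print(audit(SAMPLE))
```

After the third-party jar is signed as the answer suggests, the same audit should return an empty list.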