views:

1064

answers:

6

I'm trying to deploy a Java applet on my website. I also need to sign it, because I need to access the clipboard. I've followed all the signing tutorials I could find but have not had any success. Here is what I've done so far:

  • Wrote an applet in NetBeans. It runs fine in the applet viewer.
  • Made a .jar file out of it.
  • Created a certificate by doing this:
keytool -genkey -keyalg rsa -alias myKeyName
keytool -export -alias myKeyName -file myCertName.crt
  • Signed it wtih jarsigner like this:
jarsigner "C:\my path\myJar.jar" myKeyName
  • Made an html file containing this:
<html>
  <body>
<applet code="my/path/name/myApplet.class" archive="../dist/myJar.jar"/>
  </body>
</html>

When I open that html file, I never get the security confirmation dialog box (and thus get the "java.security.AccessControlException: access denied" error). This happens on all browsers.

Am I missing a step?

A: 

I suggest that you don't sign the code. If you're playing about with other people's security, then you really should know what you are doing.

JTextComponent should allow copy and paste of text, if that is sufficient.

jarsigner -verify will check that your jar is signed. You can also have a quick look at the manifest file and files within META-INF/.

The pop up dialog to trust certificates may be disabled. In Sun's implementation: open the Java Control Panel; go to the Advanced tab; expand the Security node; the top two tickboxes should be "Allow user to grant permissions to signed context" and "Allow user to grant permissions to content from an untrusted authority".

Tom Hawtin - tackline
Based on my requirements, the code has to be signed.I checked my jar file and it says everything is okay. my class file is labeled smk: signature was verified, entry is listed in manifest, and at least one certificate was found in keystore. The META-INF folder looks alright too.The settings are also fine in my control panel. I can view other self-signed applets fine.
In fairness, signing applets (and working with certificates in general) can be a fairly irritating process. It doesn't necessarily mean the poster doesn't "know what they're doing" in terms of the code...
Neil Coffey
The number of people who "know what they're doing" in terms of security appears to be quite small.
Tom Hawtin - tackline
A: 

First, I'd suggest getting a valid code signing certificate. You can get a free cert from Thawte. Although generally these certs are used for S/MIME, they are also valid for code signing.

The second option is to import your self signed cert into the cacert file of the JRE which your browser is invoking.

The next thing to check is to make sure your browser is running your latest jar. One way to do this is to always increment your version number. The other option is for you to clear your Java applet cache. I usually clear my browser's cache as well, but this shouldn't be needed.

brianegge
I believe the problem of using e-mail certificates for code signing has been fixed.
Tom Hawtin - tackline
A: 

You mentioned:

When I open that html file, I never get the security confirmation dialog box...

Are you opening the file from your local file system, or via a URL to a web server hosting the HTML file and applet jar(s)? That could be why you get no warning.

monceaux
I'm opening from my local system. Are you saying that the security dialog will not show up if it's opened locally? If this is true, is there any way to get it to appear locally? It would make testing my project much much easier. Meanwhile, I'll go try it out on the web server to see if this is the problem.
It's still not working, when accessed from the web server. I only need my .class files, .jar file, and .html file, right? Do I need any files related to the certificates?
+2  A: 

Perhaps it's because you're opening some .class files outside the jar file?

That way it may not display the warning. I tried doing it that way but it still showed me the certificate warning and for a simple case it actually prevented me from accessing a class from the JAR with the separated class.

Maybe your specific setup or file organization causes that behavior. If you can layout that in more detail we could help better (or rather, try putting all those .class files in yet another signed Jar and add it to the archive"..., anotherJar.jar").

EdSG
I fixed it. The problem was that my jar files weren't being compiled in the same way that I was referencing the class files. It works now. Thanks!
A: 

I also have this problem, the applet that I made is currently referencing classes from different jar files. This API's are commons-codec-1.3,commons-httpclient-3.1 and commons-logging-1.1.1. Does this mean I have to sign this jar files also? By the way I'm using netbeans 6.5.

+1  A: 

Here is a way to sign your jars and then check to see that all the class files are signed with your keystore.

#!/bin/bash
KEYSTORE=/home/user/NetBeansProjects/sign/keystore
FILES=`find /home/user/NetBeansProjects/Project/dist/ -name "*.jar"`
for f in $FILES; 
   do echo password |  /usr/bin/jarsigner -keystore $KEYSTORE -verbose $f myself;
   echo "Signed $f"; 
  /usr/bin/jarsigner -verify -verbose -certs $f | grep X.509 | sort -u;
done
Milhous