Hi Friends, I have created an applet which writes data into files at client side. My problem is that security Exception is thrown when it is loaded in a browser.At present I resolved my problem by changing security settings in IE 5 . Now, I want to create a trusted applet. I followed the approach that is explained in www.developer.com/java/data/article.php/3303561. But it has produced no result and browser is throwing the same Exception. Can any one explain the way to create a trusted applet that can work without loading any plugins in browser. Iam asking this because I have observed that some applets (encounterd during browsing net) asks for permission(yes/no dialog box) during loading but my applet which followed the procedure i.e explained in the above link is not working. Anyone plz guide me in preparing a trusted applet.
Usually an applet is bundled and signed by an intranet developer and handed off to the end user who verifies the signature and runs the applet. In this example, the intranet developer performs Steps 1 through 5 and Ray, the end user, performs Steps 6 through 8. But, to keep things simple, all steps occur in the same working directory.
Compile the applet Create a JAR file Generate Keys Sign the JAR file Export the Public Key Certificate Import the Certificate as a Trusted Certificate Create the policy file Run the applet Intranet Developer
Susan, the intranet developer, bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.
1: Compile the Applet
In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.
2: Make a JAR File
Susan then stores the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.
jar cvf SignedApplet.jar SignedAppletDemo.class
3: Generate Keys
A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.
Susan creates a keystore database named compstore that has an entry for a newly generated public and private key pair with the public key in a certificate using the keytool command.
In her working directory, Susan creates a keystore database and generates the keys:
This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.
The generated key pair is stored in a keystore database called compstore (-keystore compstore) in the current directory, and accessed with the compstore password (-storepass ab987c).
The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates. In this example, Susan uses her last name, Jones, for the common name. She could use any common name that suits her purposes.
You can view all keytool options and parameters by typing:
4: Sign the JAR File
JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.
The -storepass ab987c and -keystore compstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
5: Export the Public Key Certificate
The public key certificate is sent with the JAR file to the end user who will be using the applet. That person uses the certificate to authenticate the signature on the JAR file. A certificate is sent by exporting it from the compstore database.
In her working directory, Susan uses keytool to copy the certificate from compstore to a file named CompanyCer.cer as follows:
As the last step, Susan posts the JAR and certificate files to a distribution directory on a web page.
Ray, the end user, downloads the JAR file from the distribution directory, imports the certificate, creates a policy file granting the applet access, and runs the applet.
6: Import Certificate as a Trusted Certificate
Ray downloads SSignedApplet.jar and CompanyCer.cer to his home directory. Ray must now create a keystore database (raystore) and import the certificate into it using the alias company. Ray uses keytool in his home directory to do this:
keytool -import -alias company -file CompanyCer.cer -keystore raystore -storepass abcdefgh
7: Create the Policy File
The policy file grants the SSignedApplet.jar file signed by the alias company permission to create demo.ini (and no other file) in the user's home directory.
8: Run the Applet in Applet Viewer
Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:
Note: Type everything on one line and put a space after Write.jp The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.
Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.
Running an Application with a Policy File
This application invocation restricts MyProgram to a sandbox-like environment the same way applets are restricted, but allows access as specified in the polfile policy file.
Hello Nikos sokaf, Thank u very much for ur excellent reply. You have listed out every thing in an excellent manner. But I got some doubts which are listed below.
 I have follwed the steps from 1 to 6 as u have described. Ican't follow step  i.e creating a policy file as I didn't know to create a policy file.
 [a] What I want to do is to read and write data to/from files at client side from an applet. Applet willbe loaded by means of a browser. [b] During loading , a dialog box will pop up asking whether to trust the applet i.e being loaded. After pressing the 'yes' button, the applet can execute out of sandbox. This will enable steps 6 to 8 that u have described tobe discarded and hence any client without performing that steps 6 to 8 can load applet and give it file i/o permission at client side, hence reducing some work at client side except pressing yes button when dialog box pops up.
 Inorder to accomplish the above step, I have copied the SSignedApplet.jar file and CompanyCer.cer to root dor. of tomcat and loaded the applet thru http://localhost:8080/signedappletdemo.html, which loads the applet. But this doesn't make the applet to accomplish the file i/o.
Can u kindly suggest me how to accomplish the task of creating a trusted applet which pops up a dialog box while it is loaded for first time at client's side and pressing 'yes' button will enable the applet tobe run out of sandbox. My major concern is to create a trusted applet that will run in almost all browsers without imposing some overhead i.e importing certificates manuallly by client. For eg. consider a yahoo chat application and similar other applications, which will popup a dialog box when it is loaded for first time and pressing yes button will give it some special permissions and here client will not import certificates manually. Kindly provide your valuable guidance in accomplishing this.
Regards, Ch.Praveen Kumar.
Joined: May 01, 2004
Hello my Friend,
First try to complete the step with the "key".In java-bin directory you will find the keytool.exe so you can follow this step. If you find some problems post them or check on google "Keytool configuration".
I think , this is the main problem of these messages. Then try to add to your browser your site , on internet options, as a trusted site.
Joined: Mar 08, 2004
Hello nikos sokaf,
Thanks for your reply. I have created a certificate as you mentioned (with .cer extension) and imported in IE thru Tools->Internet Options->Content->Certificates. But in Netscape 7 Iam not able to import this certificate (with .cer extension). Can you give your suggestions regarding this.