permaculture playing cards*
The moose likes Applets and the fly likes Regarding Trusted Applets Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Applets
Bookmark "Regarding Trusted Applets" Watch "Regarding Trusted Applets" New topic
Author

Regarding Trusted Applets

ch praveen
Ranch Hand

Joined: Mar 08, 2004
Posts: 67
Hi Friends,
I have created an applet which writes data into files at client side. My problem is that security Exception is thrown when it is loaded in a browser.At present I resolved my problem by changing security settings in IE 5 . Now, I want to create a trusted applet. I followed the approach that is explained in www.developer.com/java/data/article.php/3303561. But it has produced no result and browser is throwing the same Exception. Can any one explain the way to create a trusted applet that can work without loading any plugins in browser. Iam asking this because I have observed that some applets (encounterd during browsing net) asks for permission(yes/no dialog box) during loading but my applet which followed the procedure i.e explained in the above link is not working. Anyone plz guide me in preparing a trusted applet.

Regards,
Ch.Praveen Kumar.
nikos sokaf
Ranch Hand

Joined: May 01, 2004
Posts: 57
Usually an applet is bundled and signed by an intranet developer and handed off to the end user who verifies the signature and runs the applet. In this example, the intranet developer performs Steps 1 through 5 and Ray, the end user, performs Steps 6 through 8. But, to keep things simple, all steps occur in the same working directory.

Compile the applet
Create a JAR file
Generate Keys
Sign the JAR file
Export the Public Key Certificate
Import the Certificate as a Trusted Certificate
Create the policy file
Run the applet
Intranet Developer

Susan, the intranet developer, bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.

1: Compile the Applet

In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.

javac SignedAppletDemo.java

2: Make a JAR File

Susan then stores the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.

jar cvf SignedApplet.jar SignedAppletDemo.class

3: Generate Keys

A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.

Susan creates a keystore database named compstore that has an entry for a newly generated public and private key pair with the public key in a certificate using the keytool command.

In her working directory, Susan creates a keystore database and generates the keys:

keytool -genkey -alias signFiles -keystore compstore
-keypass kpi135 -dname "cn=jones"
-storepass ab987c

This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.

The generated key pair is stored in a keystore database called compstore (-keystore compstore) in the current directory, and accessed with the compstore password (-storepass ab987c).

The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates. In this example, Susan uses her last name, Jones, for the common name. She could use any common name that suits her purposes.

You can view all keytool options and parameters by typing:

keytool -help

4: Sign the JAR File

JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.

jarsigner -keystore compstore -storepass ab987c
-keypass kpi135
-signedjar
SSignedApplet.jar SignedApplet.jar signFiles

The -storepass ab987c and -keystore compstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.

5: Export the Public Key Certificate

The public key certificate is sent with the JAR file to the end user who will be using the applet. That person uses the certificate to authenticate the signature on the JAR file. A certificate is sent by exporting it from the compstore database.

In her working directory, Susan uses keytool to copy the certificate from compstore to a file named CompanyCer.cer as follows:

keytool -export -keystore compstore -storepass ab987c
-alias signFiles -file CompanyCer.cer

As the last step, Susan posts the JAR and certificate files to a distribution directory on a web page.

End User

Ray, the end user, downloads the JAR file from the distribution directory, imports the certificate, creates a policy file granting the applet access, and runs the applet.

6: Import Certificate as a Trusted Certificate

Ray downloads SSignedApplet.jar and CompanyCer.cer to his home directory. Ray must now create a keystore database (raystore) and import the certificate into it using the alias company. Ray uses keytool in his home directory to do this:

keytool -import -alias company -file
CompanyCer.cer -keystore
raystore -storepass abcdefgh

7: Create the Policy File

The policy file grants the SSignedApplet.jar file signed by the alias company permission to create demo.ini (and no other file) in the user's home directory.

8: Run the Applet in Applet Viewer

Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:

appletviewer -J-Djava.security.policy=Write.jp
http://aURL.com/SignedApplet.html

Note: Type everything on one line and put a space after Write.jp
The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.


Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.

Running an Application with a Policy File

This application invocation restricts MyProgram to a sandbox-like environment the same way applets are restricted, but allows access as specified in the polfile policy file.

java -Djava.security.manager
-Djava.security.policy=polfile MyProgram
===================================================

/*
* File: @(#)SignedAppletDemo.java1.1
* Comment:Signed Applet Demo
*
* @(#)author: Satya Dodda
* @(#)version: 1.1
* @(#)date: 98/09/11
*/


import java.applet.Applet;
import java.awt.Graphics;
import java.io.*;
import java.awt.Color;

/**
*
* A simple Signed Applet Demo
*
*/

public class SignedAppletDemo extends Applet {

public String test() {

setBackground(Color.white);

String fileName = System.getProperty("user.home") +
System.getProperty("file.separator") +
"demo.ini";
String msg = "This message was written by a signed applet!!!\n";
String s ;

try {

FileWriter fos = new FileWriter(fileName);
fos.write(msg, 0, msg.length());
fos.close();
s = new String("Successfully created file :" + fileName);

} catch (Exception e) {
System.out.println("Exception e = " + e);
e.printStackTrace();
s = new String("Unable to create file : " + fileName);
}
return s;

}

public void paint(Graphics g) {

g.setColor(Color.blue);
g.drawString("Signed Applet Demo", 120, 50);
g.setColor(Color.magenta);
g.drawString(test(), 50, 100);

}

}
ch praveen
Ranch Hand

Joined: Mar 08, 2004
Posts: 67
Hello Nikos sokaf,
Thank u very much for ur excellent reply. You have listed out every thing in an excellent manner. But I got some doubts which are listed below.

[1]
I have follwed the steps from 1 to 6 as u have described. Ican't follow step [7] i.e creating a policy file as I didn't know to create a policy file.

[2]
[a] What I want to do is to read and write data to/from files at client side from an applet. Applet willbe loaded by means of a browser.
[b] During loading , a dialog box will pop up asking whether to trust the applet i.e being loaded. After pressing the 'yes' button, the applet can execute out of sandbox. This will enable steps 6 to 8 that u have described tobe discarded and hence any client without performing that steps 6 to 8 can load applet and give it file i/o permission at client side, hence reducing some work at client side except pressing yes button when dialog box pops up.

[3]
Inorder to accomplish the above step, I have copied the SSignedApplet.jar file and CompanyCer.cer to root dor. of tomcat and loaded the applet thru http://localhost:8080/signedappletdemo.html, which loads the applet. But this doesn't make the applet to accomplish the file i/o.

Can u kindly suggest me how to accomplish the task of creating a trusted applet which pops up a dialog box while it is loaded for first time at client's side and pressing 'yes' button will enable the applet tobe run out of sandbox. My major concern is to create a trusted applet that will run in almost all browsers without imposing some overhead i.e importing certificates manuallly by client. For eg. consider a yahoo chat application and similar other applications, which will popup a dialog box when it is loaded for first time and pressing yes button will give it some special permissions and here client will not import certificates manually. Kindly provide your valuable guidance in accomplishing this.

Regards,
Ch.Praveen Kumar.
nikos sokaf
Ranch Hand

Joined: May 01, 2004
Posts: 57
Hello my Friend,

First try to complete the step with the "key".In java-bin directory you will find the keytool.exe so you can follow this step. If you find some problems post them or check on google "Keytool configuration".

I think , this is the main problem of these messages. Then try to add to your browser your site , on internet options, as a trusted site.


Farewell.
ch praveen
Ranch Hand

Joined: Mar 08, 2004
Posts: 67
Hello nikos sokaf,

Thanks for your reply. I have created a certificate as you mentioned (with .cer extension) and imported in IE thru Tools->Internet Options->Content->Certificates. But in Netscape 7 Iam not able to import this certificate (with .cer extension). Can you give your suggestions regarding this.

Regards,
Ch.Praveen Kumar.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Regarding Trusted Applets
 
Similar Threads
Trusted Applets Not Working
Platform independence and digital sign
access control exception
to save a file dynamically
JNDI