aspose file tools*
The moose likes Applets and the fly likes Applet won't work due to security? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Java » Applets
Bookmark "Applet won Watch "Applet won New topic
Author

Applet won't work due to security?

Mich Robinson
Ranch Hand

Joined: Jun 28, 2009
Posts: 250
    
    1
I have a simple applet that doesn't stray outside the sandbox. It used to work fine before Java 7 but now it craps out with security warnings. It does nothing but play a game, it doesn't even save the state of the game. Any ideas on how to fix?
This is the applet, it's a very simple chess program.

The warnings and popups I'm getting are:
  • activate javaTM platform SE 7U?
  • allow now?
  • activation blocked by security settings - I never changed any security settings and as I said, this applet stays firmly in the sandbox so I can't see what the issue is.
  • Viewing the java error window I see

  • Java Plug-in 10.51.2.13
    Using JRE version 1.7.0_51-b13 Java HotSpot(TM) Client VM
    User home directory = C:\Users\Mike
    ----------------------------------------------------
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    l: dump classloader list
    m: print memory usage
    o: trigger logging
    q: hide console
    r: reload policy configuration
    s: dump system and deployment properties
    t: dump thread list
    v: dump thread stack
    x: clear classloader cache
    0-5: set trace level to <n>
    ----------------------------------------------------


    I'm not sure why it shows the C:\Users\Mike directory in the above listing, there is no access to files etc.
    The applet plays fine if I run it in appletviewer.

    What do I need to do to make this simply work in anyone's browser?
    Thanks for reading.

    PS I have a similar problem with a (rather funky) Connect 4 program I wrote. It worked fine for years and then just stopped with the Java 7.


    Arcade : Alien Swarm
    Board : Chess - Checkers - Connect 4 - Othello
    Ulf Dittmer
    Marshal

    Joined: Mar 22, 2005
    Posts: 42274
        
      64
    Yep, Java 7 tightened the plugin security restrictions. You could check your security settings if there's maybe something obvious that would need to be adapted.


    Ping & DNS - my free Android networking tools app
    Mich Robinson
    Ranch Hand

    Joined: Jun 28, 2009
    Posts: 250
        
        1
    But does this mean that applets now no longer work at all? or that users have to jump through hoops to make them work?

    I tried using webstart but they seem to have changed the security there as well and I find the keytool facility a bit mind boggling.

    I resorted to releasing my arcade game as a windows exe and this seems to work but it's a complicated process and obviously it's not ideal.

    Mike
    Ulf Dittmer
    Marshal

    Joined: Mar 22, 2005
    Posts: 42274
        
      64
    More hoops. WebStart is also implemented by the plugin, so similar restrictions apply. Have you looked through all settings if there is something that may need fiddling?
    Mich Robinson
    Ranch Hand

    Joined: Jun 28, 2009
    Posts: 250
        
        1
    I don't really change my security settings because I like to have something that's representative of what most users might have.
    At the moment I'm having the problem with my own applets running on my own web site but I'm guessing no user can run any of my programs any more apart from those I've converted to exe's.
    These apps run entirely in the sandbox and so should be as safe as houses (if we can still say that in these post sub-prime days).
    I'm just shaking my head wondering what those who administer Java are actually thinking.

    It's also the time I spent writing these apps .... wasted

    Mike
    Ulf Dittmer
    Marshal

    Joined: Mar 22, 2005
    Posts: 42274
        
      64
    I mentioned that as a way of finding out what it might take to make them run. But you're right, a stock system has advantages.

    The folks administering Java have belatedly come to the conclusion that they need to take more drastic steps to address the security holes of the JVM, just like the folks running Silverlight and Flash have had to conclude. They may have gone overboard with this one.
    Mich Robinson
    Ranch Hand

    Joined: Jun 28, 2009
    Posts: 250
        
        1
    So what should I do? I hate the idea of throwing away a bunch of programs, all of which I'm quite fond of.

    Tony Docherty
    Bartender

    Joined: Aug 07, 2007
    Posts: 2311
        
      49
    Mich Robinson wrote:So what should I do? I hate the idea of throwing away a bunch of programs, all of which I'm quite fond of.


    I'm afraid you will probably have to sign the applets - I'm not even sure is self signed certificates are acceptable these days so you may have to get a certificate from a trusted authority.
    As to why you are now getting the problems see this article: https://www.java.com/en/download/help/appsecuritydialogs.xml

    The only other alternative I'm aware of is to add the applets URL to Exception Site List, located under the Security tab of the Java Control Panel. But obviously suggesting to all your potential users that they do this is not really an acceptable solution.
    Mich Robinson
    Ranch Hand

    Joined: Jun 28, 2009
    Posts: 250
        
        1
    You'd think that something running entirely in the sandbox would be trusted but I guess Oracle knows something we don't.

    Does self signing allow users to continue using applets & webstart apps or do they need to do stuff themselves?
    Does it cost to get a certificate from a signing authority? any idea how much? does paying for a cert somehow stop exploiters from doing the same?

    I'll admit I didn't understand the keytool application - I followed an example from somewhere and managed to sign my stuff a year ago but it turned out the keys were all for a year and now they've run out. No idea what to do now!

    It amazes me that people haven't complained loudly about all this.
    Paul Clapham
    Bartender

    Joined: Oct 14, 2005
    Posts: 18651
        
        8

    I don't know how sandbox-suitable applets work these days, but it seems your experiments in the field are providing you with some answers. As for the other questions:

    Self-signing allows users to continue using applets and webstart apps, but the users either have to set their Java security level to Medium or else configure the Java security panel to accept code from particular URLs. I've tried these and they both work.

    It costs several hundred dollars to get a Verisign certificate (it wasn't me who wrote the cheque at work but that was my understanding). The issuers of those certificates don't just sell them to anybody but I have no idea how they ensure that you aren't a bad guy. All I know is that they do some kind of checking.

    As for your expired certificates, all you have to do is throw away those signed jars and create new ones with the keytool application. I have to say I didn't understand it either and just used the MSMD (Monkey See Monkey Do) process as well.
    Mich Robinson
    Ranch Hand

    Joined: Jun 28, 2009
    Posts: 250
        
        1
    I don't want to force my users to alter their security settings then self signing is out. I can't justify paying out for an official certificate and I have no idea whether they'd give me one.
    I'll try the keytool again but I feel like one lone monkey with a type writer trying to produce Shakespeare.
    It makes me wonder what sort of person created that keytool app - I presume the same sort of guy that documented how it was used!
    I'll also try to move my existing applications to exe's as these seem to install and run without a million security warnings popping up.
    This seems like a crazy solution but heyho.

    Mike

    PS
    I looked into whether this is going to get changed in future versions of Java but can't see anything. It's interesting that they're focusing on important things like lambda expressions while ignoring the small issue that you can't even release a sandboxed app that doesn't raise a dozen security popups. Perhaps by getting rid of the grass roots support of the language they feel they can make Java more of a corporate solution. I can't help feeling like I've just been completely shafted by Oracle in this.
    Jaime Hablutzel
    Greenhorn

    Joined: Dec 25, 2009
    Posts: 6
    The fact is that for signing something (an applet, an executable, etc) it helps much to know what is a certificate, a digital signature (it is PKI stuff), and the true is that the topic is somehow dense. so I'll try to be concise.

    You start with a public/private key pair (some bits mathematically related generated by keytool), you send the public part (public key/CSR) to a certification authority (one of the certification authorities that any java default installation has registered by default), they verify you are who you say you are (they could ask for a notarial letter), and if they verify your identity correctly they will sign your public key with their certification authority, this is, they generate a certificate for you.

    You latter use your private key (which is private, never sent anywhere) to sign your applet and append your certificate to the signed code (jarsigner comes here), so a client (java plugin) that downloads your applet does the following verification:

    1. Verify the signature is correct, this is that is has been generated with your private key.
    2. Check if the certificate has been issued/generated by a certification authority included in the default java list.
    3. Execute your code.

    From Java 1.7.0_45 (or _51 not sure) Java Applets will require your code to be signed with a commercial certification authorities (one in the list java has by default), and well the price will depend on the certification authority, you can get them from $80/year and they work the same (http://stackoverflow.com/questions/155241/cheapest-java-code-signing-certificate-not-self-signed)

    Well, the procedure for signing your applet and get it working for all your clients like before could go as this:

    1. Read http://www.youdzone.com/signature.html and get sure to understand the basics of digital signature.
    2. Using keytool (or a frontend like Portecle) generate a key pair (the result will be a keystore.jks file), then a CSR with your public key and send this CSR to the certification authority.
    3. Install the certificate sent by the certification authority to your keystore.jks
    4. Sign you .jar using jarsigner
    5. Follow new requirements for MANIFEST.MF, include "Permissions" attribute, see https://www.java.com/en/download/help/java_blocked.xml

    If you need any clarification on any part of the process I can detail it for you (e.g. commands involved)
     
    I agree. Here's the link: http://aspose.com/file-tools
     
    subject: Applet won't work due to security?