Applet not selecting default Client certificate

 
Greenhorn
Posts: 18
Hi Folks, I'd really appreciate it if someone can help me solve this one.

Short Description: In my J2EE application I have SSL turned on, and "client authentication required" is turned on as well. The client-side certificate is installed (imported) into the browser. Now the application works fine until I try to test a page that has an applet embedded. When this page comes up, the JVM (I am assuming it's the JVM) shows a list of certificates to choose from. The list contains only one certificate, and based on the browser option it should have skipped the dialog box. It only happens once per session but is annoying to the user and unacceptable UI behaviour.

Details:
  • The application is a typical J2EE one running on an IBM HttpServer (1.36) & Websphere Application Server (WAS 5.12) combination.
  • The client JRE version is Version 1.5.0 (build 1.5.0_01-b08), the latest.
  • When I used JRE 1.42, the applet didn't load at all (the error on the server said the client certificate was not sent).
  • The certificate is self-signed.
  • The JRE plugin's Control Panel's Advanced tab has an option called "Use certificate and keys from browser keystore". This is turned ON.
  • I have tried turning the above off and importing the certificate into the Java plugin itself, with the same result.
  • The browser has an option (Tools-->Internet Options-->Security-->Pick appropriate zone-->Miscellaneous-->Don't prompt for client certificate when no certificate or only one certificate). This is enabled. Disabling it causes the certificate selection dialog even for normal non-applet pages.


  • [ February 03, 2005: Message edited by: santosh kulkarni ]
     
    Ranch Hand
    Posts: 502
    As far as I know, the applet will ALWAYS show a certificate. There is no way to turn it off from the browser. This certificate will pop up even if you sign the applet using a certificate authority like Verisign. The certificate shows up because your signed applet is trying to do something that is outside of Java's sandbox. So, the certificate is asking the user whether the JRE should let your applet outside of the sandbox.

    I remember that there is a way to make an applet trusted by changing the .java.security (I might have the name wrong) file in your client's JRE; I don't remember the setting either.
     
    santosh kulkarni
    Greenhorn
    Posts: 18
    Jayesh, thanks for taking the time to reply to my message.
    My problem is slightly different. The certificate I'm talking about is the one on the client side which is sent from the client to the (web) server to prove its identity (this certificate being sent to the client by other secure means in advance and installed into the browser).

    Further, the dialog box is the one asking the user which certificate it should send to the server, not whether the applet should be allowed to do anything on the client machine.

    You are right about the signed applet dialog box always popping up; however, the user does have an option to click "always", and the certificate will get installed onto the client's machine and the user will be spared the trouble of clicking on the same dialog box again.

    I hope I am clear and forgive me if I misunderstood.
    Santosh
     
    santosh kulkarni
    Greenhorn
    Posts: 18
    In case anybody is interested in this topic, here is the resolution.
    The default selection of the client-side certificate is broken in the JRE's released versions (1.4.2 and 1.5).
    It is, however, fixed in Mustang (to be released in Spring 2006).
    Since we cannot use this bleeding-edge version, meant for developers, in a production environment, we have switched to using an ActiveX control for the printing.
     
    Greenhorn
    Posts: 1
    I am dealing with problems related to this, Santosh. Can you please
    point me to where you got this information? Is it on Sun's bug site?
    Thanks for any info you can give me!

    Sean