Hi Folks, I'd really appreciate it if someone can help me solve this one.
Short Description: In my J2EE application I have SSL turned on and "client authentication required" is turned on as well. The client-side certificate is installed in (imported into) the browser. Now the application works fine until I try to test a page that has an applet embedded. When this page comes up, the JVM (I am assuming it's the JVM) shows a list of certificates to choose from. The list contains only one certificate, and based on the browser option it should have skipped the dialog box. It only happens once per session but is annoying to the user and unacceptable UI behaviour.
The application is typical J2EE running on an IBM HttpServer (1.36) & WebSphere Application Server (WAS 5.12) combination.
The Client JRE version is Version 1.5.0 (build 1.5.0_01-b08), the latest.
When I used the JRE 1.42, the applet didn't load at all (the error on the server said client certificate not sent).
The certificate is self-signed.
The JRE plugin's Control panel's Advanced tab has an option called
"Use certificate and keys from browser keystore". This is turned ON.
I have tried turning the above off and importing the certificate into the Java plugin itself, same result.
The browser has an option (Tools --> Internet Options --> Security --> Pick appropriate zone --> Miscellaneous --> "Don't prompt for client certificate when no certificate or only one certificate"). This is enabled. Disabling it causes the certificate selection dialog even for normal non-applet pages.
[ February 03, 2005: Message edited by: santosh kulkarni ]
As far as I know, the applet will ALWAYS show a certificate. There is no way to turn it off from the browser. This certificate will pop up even if you sign the applet using a certificate authority like Verisign. The certificate shows up because your signed applet is trying to do something that is outside of Java's sandbox. So, the certificate is asking the user whether the JRE should let your applet outside of the sandbox.
I remember that there is a way to make an applet trusted by changing the .java.security (I might have the name wrong) file in your client's JRE; I don't remember the setting either.
posted 15 years ago
Jayesh, thanks for taking the time to reply to my message. My problem is slightly different. The certificate I'm talking about is the one on the client side which is sent from the client to the (web) server to prove its identity (this certificate being sent to the client by other secure means in advance and installed in the browser).
Further, the dialog box is the one asking the user which certificate it should send to the server, not whether the applet should be allowed to do anything on the client machine.
You are right about the signed applet dialog box always popping up; however, the user does have an option to click "always" and the certificate will get installed onto the client's machine and the user will be spared the trouble of clicking on the same dialog box again.
I hope I am clear and forgive me if I misunderstood. Santosh
Impossible is not a fact, it's an opinion
posted 15 years ago
In case anybody is interested in this topic, here is the resolution. The default selection of the client-side certificate is broken in the JRE's released versions (1.4.2 and 1.5). It is, however, fixed in Mustang (to be released in Spring 2006). Since we cannot use this bleeding-edge, meant-for-developers version in a production environment, we have switched to using an ActiveX control for the printing.