Win a copy of Testing JavaScript Applications this week in the HTML Pages with CSS and JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Bear Bibeault
  • Ron McLeod
  • Jeanne Boyarsky
  • Paul Clapham
  • Tim Cooke
  • Liutauras Vilda
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • fred rosenberger
  • salvin francis
  • Piet Souris
  • Frits Walraven
  • Carey Brown

ClassNotFoundException when online certification validation is enabled

Posts: 17
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have an applet that's embedded on a web page that's in a signed secure jar which is self sufficient, meaning it doesn't have any dependency on any other jars. The applet works fine unless "online certification validation" is enabled through Java Control Panel -> Advanced tab -> Settings -> Security -> General -> Enabled online certification validation checkbox.

If online certification is enabled, the JVM cannot find my applet class and throws a ClassNotFoundException; however, if online certification is disabled, everything works just fine.

The jar contains all the classes it needs and is fully signed.

The applet is run in Java Plug-in using JRE version 1.6.0_20-b02 Java HotSpot(TM) Client VM.

The HTML tags are as follows:

The Java Console output is as follows:

Any insight is greatly appreciated.
Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
John: Have you gotten any responses on this issue? I am experiencing the exact same issue with applets that I have signed using a valid code signing certificate issued to me by a valid CA (Certification Authority).

For my applets, the ClassNotFoundException occurs when one (or both) of the following Java security settings are enabled:

- Check Certificated for revocation using Certificate Revocation Lists (CRLs)
- Enable online certificate validation

My Java Console log output is almost exactly the same as yours; the online certificate validation appears to succeed, but the ClassNotFoundException occurs shortly after, when the class loader attempts to load the applet class.

Again, like you have experienced, everything works fine if both of the above Java security settings are disabled. I have tried various combinations of Java versions: compiling with 1.6.0_24 and signing with 1.6.0_29, compiling with 1.6.0_19 and signing with 1.6.0_17, compiling with 1.6.0_29 and signing with 1.6.0_29. All combinations yield the same ClassNotFoundException when the above security settings are enabled.

This is a real puzzler and I would appreciate any additional information you have on this issue. FYI: I have other resources working on this and we may contact Oracle for assistance. I will update this post if we gain any traction in resolving this.

John Lin
Posts: 17
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

I looked into Java browser plugin's source code (plugin.jar and deploy.jar) and found a couple of bugs that turn out to be the root cause of this issue. In my situation, with CRL/OCSP enabled, I was able to load the applet as long as "Mixed code security verification is disabled". When I changed the setting to "Mixed code security verification enabled -- show warning if needed", you would think you would get a warning at the most since everything worked fine when such setting was disabled. But instead, you would get a ClassNotFoundException.

Since 1.6.0_19, Java browser plugin has been enhanced to separate the codebase into two domains, trusted vs. sandboxed. There're two class loaders involved, the parent loader responsible for loading the trusted code and child loading the sandboxed jars.

One of the bugs I've found is that when your signed jar is "not" explicitly marked as "Trusted-Library: true" in its manifest file, it will get silently ignored by the parent class loader. There're two issues here: 1) if the parent class loader determines the signed jar cannot be treated as "trusted", it should at least allow the child class loader to load it as a sandboxed jar; 2) it should definitely write something to the Java console instead of simply ignoring the jar silently.

Because the signed jar is ignored silently by the parent class loader, it's neither loaded by the parent class loader nor the child class loader, the class cannot be found anywhere, hence ClassNotFoundException.

Per Java guide, when you have a signed jar that does "not" have any dependencies on untrusted components, you should mark it as "Trusted-Only" in the manifest. However, it doesn’t work for me. My workaround is to mark my jar as "Trusted-Library", even though my jar is self-sufficient and doesn't depend on any untrusted components. Once I added the said attribute in the manifest, the ClassNotFoundException went away. I hope it works for you as well.

If you're interested in more details, you can look into "". Also, FYI, I've submitted a bug report to Oracle ( Let me know if you have any questions.

Good luck.
Dan D. Wang
Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Thank you so much for your reply. The behavior (and workaround) that you described is exactly the same behavior as I am experiencing. I have verified that the bug you reported to Oracle regarding "Trusted-Only", as it also occurs with my simple test applet, which contains only one (signed) class.

Thanks again for your help. You have been a tremendous help and I am truly grateful.

Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am running into class not found exception on IE and have the jars signed with Trusted-Library attribuge. We have java 1.7 installed and following is my object tag.

var objectHtml = '<OBJECT  ID ="RadsAppletS" classid="clsid:CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA"' +
  ' width="1" height="1" align="baseline" codebase=",7,0,0"; Permissions="all-permissions">' +
  ' <PARAM name="code" value="">' +
  ' <PARAM name="codebase" value="<%= request.getContextPath() + "/S3OnlineReceipts/jsp/html/" %>">' +
  ' <PARAM name="type" value="application/x-java-applet;version=1.7">' +
  ' <PARAM id="arcid" name="archive" value="TranReceiptApplet.jar, TDBFG_ThermalDocument.jar">' +
  ' <PARAM name="scriptable" value="true">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_PRIMARYKEY %> VALUE="<%=persistPrimaryKey%>">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_REQUESTINGUSERID %> value="<%=userName %>">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_APIENDPOINTURL %> value="<%=endpointURL %>">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_IMAGEPATH %> value="<%=imagePath %>">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_RESPONSECACHEKEY %> value="<%=respCacheKey %>">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_POSITION%> value="<%=pos %>">' +
' <PARAM NAME=<%=OnlineReceiptsConstants.FLD_HIDDEN_PRINTSTRING%> VALUE="<%=encodedReceiptString %>">' +

Appreciate help.
    Bookmark Topic Watch Topic
  • New Topic