
self-signed applet: "always trust" not recognized/remembered on Mac 10.7

 
Ranch Hand
Posts: 35
(This question was posted on OTN two days ago, and also a few Mac forums, but I have not received any helpful information to date.)

Hello,

I have developed a website archive which is privately distributed as a standalone archive to be run locally on the user's computer (no server). It uses the Lucene search engine (Java) to search the archive; the search API/applet is packaged in a jar file and the jarfile/applet is self-signed.

In order to do the search, a self-signed certificate is created for the search applet, since the files in the archive it is searching are on the user's hard drive. After the initial installation of the archive, and upon the first search initiated, the security window pops up asking the user for permission to run the applet.

The problem lies here:

With Windows and all versions of Mac OS X prior to 10.7 (Lion), the user can check "always trust" (or similar), and from then on, subsequent searches are carried out without prompting the user to accept the certificate (even after restarting the browser application).

However, on Lion, the user can run the applet only once, and will continue to get a security prompt on every search afterwards, even though "always trust" is checked.

This behaviour occurs whether using Firefox or Safari, so it is apparent this is System related, not a browser issue.

I attempted to manually import the certificate both into the Keychain Access, and also into Authorities under Firefox's certificate manager (see http://www.clintharris.net/2009/self-signed-certificates/). This however was not successful.

Some possibilities I have considered are:

There is no publisher name for a self-signed cert. On previous versions of OS X, the security window states the signer's name, and the option to view the certificate. The user can check "Always trust these certificates". On Lion, the security window only states the publisher's name, which comes up as "UNKNOWN". The analogous "always" checkbox states, "Always trust content from this publisher". So it appears pre-Lion is allowing the option to always trust the particular certificate, whereas Lion is allowing the option to always trust the publisher.

Is there a way to create a publisher name when self-signing?

As far as importing the certificate, could it be that because the archive is local (url = file://) that it won't recognize it? Does anyone know why this doesn't work?

Does anyone know what is happening here, or can suggest a work-around for this (besides paying for a "trusted" CA)? Everything worked just hunky-dory -- until Lion...

Thank you kindly,

Allasso Travesser
 
Allasso Travesser
Ranch Hand
Posts: 35
I have observed that if I attempt to load the applet from a webserver, a different security prompt appears, giving the option to always accept content from the particular site, or, if I go into advanced options, I can choose to always accept content with the same signature. When I do this, it behaves as desired.

So it appears the problem only reveals itself when the applet is located on the local filesystem. I do not know why such a distinction should be made.

Allasso
 