• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Signing Applets and security concerns

 
Greenhorn
Posts: 1
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello everybody,

I am using an applet to open a word document file. Is there a way that I can stop the security pop-up from appearing, which asks for the permission to run the applet?
I do not want to modify Java settings at the client side. It will be preferable that the applet is enabled to run also when the security setting is high. Currently, I have to lower this to medium in order for the applet to run.

Although, I am using a CA certificate to sign my applet jar, why does it show the publisher as unknown, when i run the applet in chrome or firefox?

There is another issue which needs to be taken care of : I have to modify the java security policy tool to include File permissions to read, write and execute, in order for the Applet to open the document. How can I avoid doing this at the client side?
 
Ranch Hand
Posts: 270
15
Android Angular Framework Spring AngularJS Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello, Biswajyoti:
What you should look into is signing your (j)applet, and using JNLP. You can see more tips on deploying here: http://docs.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html and this link https://weblogs.java.net/blog/cayhorstmann/archive/2014/01/16/still-using-applets-sign-them-or-else talks about how to sign them. Note that the easy/cheap way is to make your own certificate, or self-sign. That, however, will still lead to the prompt. So if you really don't want to incur a click-through, you should have a certificate authority that is ultimately linked back to one of the certificates that comes with the JRE distribution (there are several, included in a keystore that comes with the JRE). This could cost you money, however.

I have been experimenting a lot with this stuff lately, but since it is for learning purposes, I cannot see generating a certificate signing request and sending it off to someone like RSA, who will charge money (I hear it is in the hundreds of dollars). I suppose that is by way of a disclaimer. I have, in the past, worked with an internal IT department to have them sign one for me, but then they also control what goes into the distributed keystore.

I hope that helps, or at least gets you started. Oracle appear, recently, to be tightening the clamps on this stuff. They seem very concerned about someone "repurposing" a well-meant application (distributed as an applet) into malware.

Regards
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic