
Signing Applets and security concerns

 
Biswajyoti Dutta
Greenhorn
Posts: 1
Hello everybody,

I am using an applet to open a Word document file. Is there a way that I can stop the security pop-up from appearing, which asks for the permission to run the applet?
I do not want to modify Java settings at the client side. It will be preferable that the applet is enabled to run also when the security setting is high. Currently, I have to lower this to medium in order for the applet to run.

Although I am using a CA certificate to sign my applet jar, why does it show the publisher as unknown when I run the applet in Chrome or Firefox?

There is another issue which needs to be taken care of: I have to modify the Java security policy tool to include File permissions to read, write and execute, in order for the Applet to open the document. How can I avoid doing this at the client side?
 
L Foster
Ranch Hand
Posts: 185
Hello, Biswajyoti:
What you should look into is signing your (j)applet, and using JNLP. You can see more tips on deploying here: http://docs.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html and this link https://weblogs.java.net/blog/cayhorstmann/archive/2014/01/16/still-using-applets-sign-them-or-else talks about how to sign them. Note that the easy/cheap way is to make your own certificate, or self-sign. That, however, will still lead to the prompt. So if you really don't want to incur a click-through, you should have a certificate authority that is ultimately linked back to one of the certificates that come with the JRE distribution (there are several, included in a keystore that comes with the JRE). This could cost you money, however.

I have been experimenting a lot with this stuff lately, but since it is for learning purposes, I cannot see generating a certificate signing request and sending it off to someone like RSA, who will charge money (I hear it is in the hundreds of dollars). I suppose that is by way of a disclaimer. I have, in the past, worked with an internal IT department to have them sign one for me, but then they also control what goes into the distributed keystore.

I hope that helps, or at least gets you started. Oracle appear, recently, to be tightening the clamps on this stuff. They seem very concerned about someone "repurposing" a well-meant application (distributed as an applet) into malware.

Regards
 