Friday, June 26, 2009

Signing Java Applet - Allowing Applet Full Access to the Local System

There are two ways to grant an applet full access to the local system:
  1. On the receiving side, grant access to the incoming applet by modifying Java's security policy.
  2. On the sending side, have the applet seek access permission from the receiver via signed certificates.

Granting Applet Access by Modifying Java Security Policy

Method 1 requires modifying the java.policy file in jre/lib/security by adding the following lines:
grant codeBase "http://your.url.here" {
    permission java.security.AllPermission;
};

As a word of caution, dropping the "codeBase" qualifier grants every applet all permissions and is not advisable.
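
The caution above can be checked mechanically. The following is an added example, not code from the original post: it scans policy text for grant entries that hand out AllPermission and marks those with neither codeBase nor signedBy as unrestricted. The sample policy and the names audit_policy and _mask are constructed for illustration.

```python
import re

# Constructed sample policy text (not taken from a real system).
SAMPLE_POLICY = '''\
// constructed sample
grant codeBase "http://your.url.here" {
    permission java.security.AllPermission;
};
grant {
    // no codeBase: applies to code loaded from anywhere
    permission java.security.AllPermission;
};
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.io.FilePermission "${java.home}/lib/-", "read";
    /* permission java.security.AllPermission; */
};
'''

# String literals are matched first so "//" inside a URL is not read as a comment.
TOKEN_RE = re.compile(r'"[^"\n]*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
GRANT_RE = re.compile(r'\bgrant\b([^{]*)\{([^}]*)\}', re.IGNORECASE)
ALLPERM_RE = re.compile(r'\b(?i:permission)\s+java\.security\.AllPermission\b')

def _mask(text):
    """Blank out comments and string contents, keeping every offset unchanged."""
    def repl(m):
        s = m.group(0)
        return '"' + "x" * (len(s) - 2) + '"' if s.startswith('"') else " " * len(s)
    return TOKEN_RE.sub(repl, text)

def audit_policy(text):
    """Return one finding per grant entry that hands out AllPermission."""
    masked, findings = _mask(text), []
    for m in GRANT_RE.finditer(masked):
        if not ALLPERM_RE.search(m.group(2)):
            continue  # entry does not grant AllPermission (or it is commented out)
        header = text[m.start(1):m.end(1)]  # original text, same offsets as masked
        code_base = re.search(r'\bcodeBase\s+"([^"]*)"', header, re.IGNORECASE)
        signed_by = re.search(r'\bsignedBy\s+"([^"]*)"', header, re.IGNORECASE)
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "codeBase": code_base.group(1) if code_base else None,
            "signedBy": signed_by.group(1) if signed_by else None,
            "unrestricted": not (code_base or signed_by),
        })
    return findings

if __name__ == "__main__":
    print(*audit_policy(SAMPLE_POLICY), sep="\n")
```

Entries reported with "unrestricted" set to True are the ones the caution refers to; the others still grant AllPermission, but only to the listed codeBase or signer.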

Seeking Applet Access Via Signed Certificate

Method 2 requires creating a trusted certificate and signing the applet.
  1. Write, compile and jar your applet as you normally do.
  2. Use keytool to generate a private/public key pair. This also creates a self-signed certificate.
keytool -genkey -alias alias -keystore keystore -keypass keypass -dname cn=xxxx -storepass storepass
This generates a private/public key pair stored in the keystore, which is protected by storepass. Use the alias and the keypass to access the private key of the generated pair.
  3. This step is optional if you are signing your applet with a self-signed certificate. If you are publishing your applet to the Internet, generate a certificate signing request (CSR), submit it to a certificate authority (CA) and get a CA-signed trusted certificate back. Replace the self-signed certificate with this trusted certificate.
keytool -certreq -alias alias -keystore keystore -keypass keypass -storepass storepass

keytool -import -alias alias -file trustedCert.cer -keystore keystore -storepass storepass
  4. Sign your applet with jarsigner, giving the unsigned jar (YourApplet.jar here is a placeholder name) and the alias as the final arguments:
jarsigner -keystore keystore -storepass storepass -keypass keypass -signedjar YourSignedApplet.jar YourApplet.jar alias
