Applets, Policy Files, jar signing, JNI, etc

Similar Messages

• Where does applet.policy files go?

  does any body know where to put applet.policy file? i am running
  appache so i believe it should go under c:\webdocs\applet.policy
  it it correct???
  Please help

  The include directory contains C language header (.h) files that may be linked with files in the lib directory. Those files are used by adadmin and adpatch (and some other ad utilities) to relink executable files which will be located under the $PRODUCT_TOP/bin directory. Please note that not all products require this directory.
  Oracle Applications Concepts
  http://download-uk.oracle.com/docs/cd/B25516_14/current/acrobat/11iconcepts.pdf

• How to resolve problems in policy file of signed Applet

  Hi to All,
  I want to connect the web site through my Signed Applet which is working as a Proxy server. but i m facing certain problems in my policy file:
  this is my policy file :-
  grant {
  permission java.security.AllPermission "", "";
  permission java.net.SocketPermission "http://www.google.com:4321", "connect, accept,resolve";
  permission java.security.UnresolvedPermission;
  n i got such type of exceptions n my Applet prompt applet not initialized.
  Got connection Socket[addr=/192.168.1.232,port=1200,localport=4321]
  Reading request...
  URI is: http://www.google.com/
  Host to contact is: www.google.com at port 80
  Got request...
  java.security.AccessControlException: access denied (java.net.SocketPermission www.google.com resolve)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
  at java.net.InetAddress.getAllByName(InetAddress.java:1061)
  at java.net.InetAddress.getByName(InetAddress.java:958)
  at java.net.InetSocketAddress.<init>(InetSocketAddress.java:124)
  at java.net.Socket.<init>(Socket.java:179)
  at ProxyApplet.handle(ProxyApplet.java:75)
  at ProxyApplet.<init>(ProxyApplet.java:132)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
  at java.lang.Class.newInstance0(Class.java:350)
  at java.lang.Class.newInstance(Class.java:303)
  at sun.applet.AppletPanel.createApplet(AppletPanel.java:721)
  at sun.applet.AppletPanel.runLoader(AppletPanel.java:650)
  at sun.applet.AppletPanel.run(AppletPanel.java:324)
  at java.lang.Thread.run(Thread.java:595)
  here 4321 is Port no. which i've as a random port no.
  plz Help
  thnx in advance
  with regards
  pank_naini

  Please, if you can't help me, could you tell me who can I contact ?

• Applet and dependency jars signing

  Hi applet gurus,
  I hope to receive help from you with the following issues:
  1) I'm trying to sign an applet application which has dependency jars. So my first question is: Do I have to sign also the dependency jars? If yes, can I sign them with the same certificate?
  2) As I want to suppress warning messages from the applet which might scare ordinary users, I'm putting Permissions and Caller-Allowable-Codebase attribute in the manifest. If I have to sign also the dependency jars, do I have to also put these attributes into their manifest files? If yes, how?

  I'm not a guru, but the answer to question 1) is yes. I know this because I've seen plenty of historical problems in this forum relating to exactly this, especially in combination with Bouncy Castle which seems to already be signed with its own certificate. You should sign them with the same certificate as your application I believe, but that would require experimentation to confirm.
  I don't know anything about 2). The only thing I know is that it is likely impossible to completely remove the popup, a user will have to accept it at least once even when you have a valid signed certificate. I mean I have seen Microsoft software ask if I trust Microsoft
  Final note: be sure you are actually allowed to legally modify and distribute the jars in such a way! Probably yes, but it would be very unfortunate if you get slapped with a lawsuit because you broke the usage terms of a particular commercially oriented third party jar that you failed to notice.

• Does anyone know how to set policy file, so applet can connect other host?

  I have an signed applet, it may connect to other host.
  The applet should display a HTML pages, which may contains image tag points to a picture stored anywhere. I use a JTextPane to display this HTML page, but when it is loaded. a error occurs.
  java.lang.SecurityException
  at java.lang.SecurityManager.checkPermission(Unknown Source)
  at java.lang.SecurityManager.checkConnect(Unknown Source)
  at sun.awt.image.URLImageSource.checkSecurity(Unknown Source)
  at sun.awt.image.ImageRepresentation.imageComplete(Unknown Source)
  at sun.awt.image.InputStreamImageSource.errorConsumer(Unknown Source)
  at sun.awt.image.InputStreamImageSource.setDecoder(Unknown Source)
  at sun.awt.image.InputStreamImageSource.doFetch(Unknown Source)
  at sun.awt.image.ImageFetcher.fetchloop(Unknown Source)
  at sun.awt.image.ImageFetcher.run(Unknown Source)
  I have those kind of error (connection refused) before I signed my applet and write policy file to granr socketpermission to the codebase of my class files. But this error still occurs. I suppose it is because the sun.awt.image.* is Java standard class, so my policy file has no effect on them. But how can I make it works?

  you need to install the jre, and place the win32.dll at JavaSoft\JRE\1.3.1_06\bin, that properties file place at JavaSoft\JRE\1.3.1_06\lib, comm.jar at JavaSoft\JRE\1.3.1_06\lib\ext\
  and in ur code try to use it to open ur com port
  public String test() {
  String drivername = "com.sun.comm.Win32Driver";
  try
  CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
  catch (Throwable th)
  {* Discard it */}
  drivername = "javax.comm.*";
  try
  CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
  catch (Throwable th)
  {* Discard it */}
  portList = CommPortIdentifier.getPortIdentifiers();
  while (portList.hasMoreElements()) {
  portId = (CommPortIdentifier) portList.nextElement();
  if (portId.getPortType() == CommPortIdentifier.PORT_SERIAL) {
  if (portId.getName().equals("COM2")) {
  //if (portId.getName().equals("/dev/term/a")) {
  try {
  serialPort = (SerialPort)
  portId.open("SimpleWriteApp", 2000);
  } catch (PortInUseException e) {}
  try {
  outputStream = serialPort.getOutputStream();
  } catch (IOException e) {}
  try {
  serialPort.setSerialPortParams(9600,
  SerialPort.DATABITS_8,
  SerialPort.STOPBITS_1,
  SerialPort.PARITY_NONE);
  } catch (UnsupportedCommOperationException e) {}
  int i=0;
  while(true)
  try {
  messageString="hi";
  System.out.println(i++);
  outputStream.write(messageString.getBytes());
  } catch (IOException e)
  System.out.println(e);
  messageString=String.valueOf(e);
  return messageString;
  and yet u need to signed the applet
  1. Compile the applet
  2. Create a JAR file
  3. Generate Keys
  4. Sign the JAR file
  5. Export the Public Key Certificate
  6. Import the Certificate as a Trusted Certificate
  7. Create the policy file
  8. Run the applet
  Susan
  Susan bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.
  1. Compile the Applet
  In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.
  javac SignedAppletDemo.java
  2. Make a JAR File
  Susan then makes the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.
  jar cvf SignedApplet.jar SignedAppletDemo.class
  3. Generate Keys
  Susan creates a keystore database named susanstore that has an entry for a newly generated public and private key pair with the public key in a certificate. A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.
  In her working directory, Susan creates a keystore database and generates the keys:
  keytool -genkey -alias signFiles -keystore susanstore -keypass kpi135 -dname "cn=jones" -storepass ab987c
  This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.
  The generated key pair is stored in a keystore database called susanstore (-keystore susanstore) in the current directory, and accessed with the susanstore password (-storepass ab987c).
  The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.
  You can view all keytool options and parameters by typing:
  keytool -help
  4. Sign the JAR File
  JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.
  jarsigner -keystore susanstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles
  The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
  5. Export the Public Key Certificate
  The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
  The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
  5: Export the Public Key Certificate
  The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
  In her working directory, Susan uses keytool to copy the certificate from susanstore to a file named SusanJones.cer as follows:
  keytool -export -keystore susanstore -storepass ab987c -alias signFiles -file SusanJones.cer
  Ray
  Ray receives the JAR file from Susan, imports the certificate, creates a policy file granting the applet access, and runs the applet.
  6. Import Certificate as a Trusted Certificate
  Ray has received SSignedApplet.jar and SusanJones.cer from Susan. He puts them in his home directory. Ray must now create a keystore database (raystore) and import the certificate into it. Ray uses keytool in his home directory /home/ray to import the certificate:
  keytool -import -alias susan -file SusanJones.cer -keystore raystore -storepass abcdefgh
  7. Create the Policy File
  The policy file grants the SSignedApplet.jar file signed by the alias susan permission to create newfile (and no other file) in the user's home directory.
  Ray creates the policy file in his home directory using either policytool or an ASCII editor.
  keystore "/home/ray/raystore";
  // A sample policy file that lets a JavaTM program
  // create newfile in user's home directory
  // Satya N Dodda
  grant SignedBy "susan"
  permission java.security.AllPermission;
  8. Run the Applet in Applet Viewer
  Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:
  Html code :
  </body>
  </html>
  <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
  width="600" height="400" align="middle"
  codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,1,2">
  <PARAM NAME="code" VALUE="SignedAppletDemo.class">
  <PARAM NAME="archive" VALUE="SSignedApplet.jar">
  <PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
  </OBJECT>
  </body>
  </html>
  appletviewer -J-Djava.security.policy=Write.jp
  http://aURL.com/SignedApplet.html
  Note: Type everything on one line and put a space after Write.jp
  The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.
  Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.
  9. Run the Applet in Browser
  Download JRE 1.3 from Javasoft
  good luck! [email protected]
  i already give u many tips, i use 2 weeks to try this to success, hopw that u understand that, a result of success is not important, the process of how to get things done is most usefull!

• IS there code to avoid policy file push in a VeriSign Signed applet?

  Q: Must a digtally signed ( thus Trusted) Applet have some some security code scripts -within the applet- to read specific "out of SandBox Permission" which have been Granted in the users Java.Policy file.
  Actually at first I thought the applet was not finding the users Java.Policy file so I hard coded the permission below into the standard java.policy file just to test it but no luck.
  I have the following Java Applet code which is digitally signed against a Versigin Class3 Code Signing Certificate in the Trusted root. SO I kow the applet runs..
  import java.awt.*;
  import java.io.*;
  import java.lang.*;
  import java.applet.*;
  public class UserName extends Applet {
  public void init() {
  public String runajacode()
  String UserName="";
  try {
  UserName = System.getProperty("user.name");
  catch (SecurityException e) {
  return UserName;
  I Keep getting the security exception error when I try to read User.name property
  Here is the text of the Java.Policy file which is placed in the users home directory
  /* AUTOMATICALLY GENERATED ON Fri May 10 11:37:28 CDT 2002*/
  /* DO NOT EDIT */
  grant {
  permission java.util.PropertyPermission "user.name", "read";
  Thanks BeforeHand
  AJ

  We cannot use the Java Plugin (company Rules) so you
  are saying I must modify the original java.policy
  file and without the Plugin the IE 5.5 VM will notWell, i have to say that if u r not using the java plugin, then there is no need for the policy file and u have to use the VM of the browser.I dont think the browser will support the latest version of java and so u have to write your code according the java 1.0 version. Mircosoft have not updated their java jvm due to issues with sun.
  Can u give me the code of the html file where u include the applet tags and let me have a look at it.
  if u plan to use the applet in IE and signed, then u have to use the CAB file utility which can be downloaded from the microsofft site. A signed cab file can run on IE only.Signed Jar can be run in plugins and netscape .
  Let me know if u need further help.
  ciao

• Signed applets (are policy files needed!)

  I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet), is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02
  Is this the expected behavior?
  I sure hope it is because how in the world can you install applications to many clients and update their policy file? you can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet. I want to get rid of using Netscape security model but I can not update many client machine policy files... Please help!!! thanks. Is signing an applet all you have to do to access local machines, I sure hope so! Thanks in advance.

  I've done some more research specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader that allows a signed jar file (once trusted by the client) to have access to local resources.
  Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
  Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
  There is no simply way to deploy and use customized policy files, a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
  Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
  The java plug-in (I believe its 1.3 and later) provides a workaround although its recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources).
  RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
  In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
  I hope this helps, I've been looking for this solution for quite some time, trying to understand why singed applets work with no policy files for version 1.4... Talk to you later, Jay.

• Signing Applets..Policy File

  Hi All,
  I have developed a Applet to read from local hard disk file. I have signed it. Regarding policy file i hv sm confusion.wihtout policy file also it is working. Isn't must to use policy files. If it is must how and where i will install it on other remote machines.
  Reg Certificates, whether we hv to manually give a link in our html. or anyother way is there to let IE automatically pop up that "Plugin Window" asking abt certficate(Grant,deny..\)
  Lemme me know the details..

  I have followed the instuction and signed all other libraries and I have encountered a runtime error in IE.
  The title of the message is Microsoft Visual C++ Runtime Library.
  The content is
  Runtime error!!
  Program: C:\program files\internet exploer\iexplorer.exe
  Abnormal program termination.
  I have tested serval version of IE and Java plug-in. It include:
  IE 6.0 sp1 with JRE 1.3.1_10
  IE 6.0 sp1 with JRE 1.3.1_06
  IE 5.5 sp2 with JRE 1.3.1_05
  Could someone can help me? Thanks!!

• Self sign applet without doing any change in policy file at client end

  Hi all,
  I developed an applet which make some webservice calls,
  I have given following permission in policy file at client end
  grant codeBase "http://nta2311:7001/-" {
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.net.SocketPermission "*", "connect, resolve";
  with these settings applet is working fine
  Now I want to make applet signed in order to avoid policy file modifications
  for testing I want to self sign it
  please help me

  Signing applets:
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post and reply 18 for the java class file using doprivileged
  http://forum.java.sun.com/thread.jsp?forum=63&thread=409341
  4th post explaining how to set up your own policy with your own keystore
  Still problems?
  A Full trace might help us out:
  http://forum.java.sun.com/thread.jspa?threadID=656028

• Signed applets called from javascript - how/where to load policy file?

  I'm running into some apparently well-known problems with signed applets accessing a client machine's hard drive.
  So, I can get things to work if I place the following two lines in my 'local' JDK installation:
  permission java.io.FilePermission "${user.home}/x.properties", "read,write";
  permission java.util.PropertyPermission "user.home", "read";These let me a) read the user's home directory and b) read/write a file that's located there.
  What I don't want to do is edit the java.policy file, but I'm having problems loading a separate policy file. The app server we run with our product is jetty, and I'm assuming I would be passing in the '-Djava.security.policy=='filename' with the other jetty start-up parameters- is this a correct assumption? And, what path do I give for the file, will I need to put it somewhere in the .war file we distribute, or in the JDK installation on the server? If it's on the server, will client machine's know about these extra rights?
  I'd REALLY appreciate any help I could get on this...
  thanks in advance,
  +0^^

  Maybe you didn't realize but my previous post was sarcastically ment:
  "hello SUN security stop bugging me in writhing this malicious program"
  and
  "hello SUN security, I'm a good boy now trust what I'm doing"
  Are in a practical sense exactly the same.
  SUN should either remove the stack check or the doprivileged. The stack check takes up
  valuable resources for nothing since a malicious program can easily circumvent that.
  Your post about a malicious user abusing your (CA) signed applet to ruine someone's
  system is correct, it would not be difficult. A CA signed applet will not even ask a user to
  trust or not. This is one of the reasons we have the usepolicy in affect, but this cannot be
  used on "grandma's old PC" since it's too complicated for users to do such things.
  YOU seem to be the one to blame, not the hacker! (The user accepted YOUR
  certificate!).Actually you are to blame, because you made software that exposes a vonurability
  other people can take advantage of.
  what you can do before calling the doprivileged private method is check the call stack.
  So your signed applet has a public method checking the callstack, if this lookes OK
  that method will call the private doprivileged method.
  Here is the example
  package t;
  import java.util.Properties;
  import java.applet.Applet;
  public class test extends Applet {
           public test(){
                 startingPrivileged();
           public void startingPrivileged(){
                 System.out.println("this is the stack");
                 try{
                      throw new Exception("get the call stack");
                 }catch(Exception e){
                      StackTraceElement stack[] = e.getStackTrace();
                      for (int i=0; i<stack.length; i++) {
                           System.out.println("file: " + stack.getFileName() + " method: " + stack[i].getMethodName() + " class: " + stack[i].getClassName() + " at " + new Integer(i).toString());
                      // this is a really simple check to see if this method was started from the t. package
                      // a good hacker can just create it's own package named t and take advantage of this method
                      // if this method was started from the same package there is no reason to make this method
                      // public, protected would work.
                      // there must be a better way to check if this method was called by "your" or "trusted" code
                      if(stack[1].getClassName().startsWith("t.")){
                           dosomePrivileged();
            private void dosomePrivileged(){
                 System.out.println("this is the method that does privileged stuff");
       public static void main(String args[]) {
            new test();

• File Access with unsigned Applet through editing the java.policy file

  I'am starting to lose my hair on this...
  I am trying to get an applet to run so that it can access the file system to move files on my local maschin. Because this applet is only running on my VM i can change the java.policy to avoid the signing of the applet.
  first of all, if i wrote in the java.policy file
  grant {
    permission java.security.AllPermission; 
  };everything is working perfekt.
  But I have not the intention to open the gates for any applet out there, so i want to limit the access to my applet. With every of the following versions I get at best an
  java.security.AccessControlException: access denied (java.io.FilePermission...
  My Setup
  My Java Version: jre1.6.0_02
  My applet is located unter the url
  http://admin.mydomain.com/applet.jar
  In Html i tryed the following different versions of loading the applet - none worked
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet codebase="http://admin.mydomain.com" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet name="shortcut" code="start.class" archive="http://admin.mydomain.com/applet.jar" width="0" height="0"></applet>in java.policy i tryed following versions with every html applet load version
  grant codeBase "http://admin.x-press.de/-" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/+" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/applet.jar" {
    permission java.security.AllPermission; 
  };why is it with
  grant {
    permission java.security.AllPermission; 
  };working, and not with the other versions?
  i am almost bold now, please try to save my last hair from falling down.
  any suggestion would be nice
  thanks, feyyaz
  Message was edited by:
  feyyazdogu

  I read the mentioned documentation and your right, some of my versions were wrong, but after reading the doumentation again i came to following result which should had worked but didn't.
  java.policy
  grant codeBase "http://admin.mydomain.com/*" {
    permission java.security.AllPermission;
  HTML File
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" height="0" width="0"></applet>if I am entering http://admin.mydomain.com/applet.jar i can download the jar, so the archive lays in the correct directory.
  what i am doing wrong? do i have to change an additional file somewhere else?

• How to sign java applet policy to end user?

  i have putted my applet class on server, i want all end users can access it on server, how to sign the java.policy to there JRE?
  can anyone help me?

  I found this some where else. It shows how to sign an applet.
  START OF DOC
  How To Sign a Java Applet
  The purpose of this document is to document the steps required to sign and use an
  applet using a self-signed cert or CA authorized in the JDK 1.3 plugin.
  The original 9 steps of this process were posted by user irene67 on suns message forum:
  http://forums.java.sun.com/thread.jsp?forum=63&thread=132769
  -----begin irene67's original message -----
  These steps describe the creation of a self-signed applet. This is useful for testing purposes. For use of public reachable applets, there will be needed a "real" certificate issued by an authority like VeriSign or Thawte. (See step 10 - no user will import and trust a self-signed applet from an unkown developer).
  The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this indepence, it makes no sense to use java...
  1. Create your code for the applet as usual.
  It is not necessary to set any permissions or use security managers in
  the code.
  2. Install JDK 1.3
  Path for use of the following commands: [jdk 1.3 path]\bin\
  (commands are keytool, jar, jarsigner)
  Password for the keystore is any password. Only Sun knows why...
  perhaps ;-)
  3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
  Enter keystore password: *******
  What is your first and last name?
  [Unknown]: Your Name
  What is the name of your organizational unit?
  [Unknown]: YourUnit
  What is the name of your organization?
  [Unknown]: YourOrg
  What is the name of your City or Locality?
  [Unknown]: YourCity
  What is the name of your State or Province?
  [Unknown]: YS
  What is the two-letter country code for this unit?
  [Unknown]: US
  Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
  correct?
  [no]: yes
  (wait...)
  Enter key password for tstkey
  (RETURN if same as keystore password):
  (press [enter])
  4. Export key: keytool -export -alias tstkey -file tstcert.crt
  Enter keystore password: *******
  Certificate stored in file tstcert.crt
  5. Create JAR: jar cvf tst.jar tst.class
  Add all classes used in your project by typing the classnames in the
  same line.
  added manifest
  adding: tst.class(in = 849) (out= 536)(deflated 36%)
  6. Verify JAR: jar tvf tst.jar
  Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
  68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
  849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
  7. Sign JAR: jarsigner tst.jar tstkey
  Enter Passphrase for keystore: *******
  8. Verifiy Signing: jarsigner -verify -verbose -certs tst.jar
  130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
  183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
  920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
  Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
  smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
  X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
  (tstkey)
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
  jar verified.
  9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
  (recommended to use HTML Converter Version 1.3)
  10. (Omitted See Below)
  -----end irene67's original message -----
  To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.
  1) Is to export a cert request using the key tool and send it to a CA verification source like verisign.
  When the reponse comes back, import it into the keystore overwriting the original cert for the generated key.
  To export request:
  keytool -certreg -alias tstkey -file tstcert.req
  To import response:
  keytool -import -trustcacerts -alias tstkey -file careply.crt
  An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.
  2) For development or otherwise, you may want to just use your self-signed certificate.
  In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
  This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.
  To import self-signed certificate into the cacerts keystore, change directory to where the JDK plugin key store is located.
  For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
  For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security
  Import your self-signed cert into the cacerts keystore:
  keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
  (the password is literally 'changeit')
  Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he / she chooses. If your applet uses classes from multiple jars, for example Apache's Xerce's parser, you will need to sign those jars as well to allow them to execute in the client's brower. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting and all other classes from unsigned jars will run in the sandbox.
  NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.
  The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.

• Java.lang.SecurityException: Jurisdiction policy files are not signed by t

  Hi
  *I am installing ECC6 onAIX 6.1 with oarcle 10g.*
  *I am getting error in create secure store*
  *Policy and security files are ok,*
  aused by: java.lang.ExceptionInInitializerError
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:218)
          at javax.crypto.Cipher.a(Unknown Source)
          at javax.crypto.Cipher.getInstance(Unknown Source)
          at iaik.security.provider.IAIK.a(Unknown Source)
          at iaik.security.provider.IAIK.addAsJDK14Provider(Unknown Source)
          at iaik.security.provider.IAIK.addAsJDK14Provider(Unknown Source)
          at com.sap.security.core.server.secstorefs.Crypt.<clinit>(Crypt.java:82)
          at java.lang.J9VMInternals.initializeImpl(Native Method)
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:196)
          at com.sap.security.core.server.secstorefs.SecStoreFS.setSID(SecStoreFS.java:158)
          at com.sap.security.core.server.secstorefs.SecStoreFS.handleCreate(SecStoreFS.java:804)
          at com.sap.security.core.server.secstorefs.SecStoreFS.main(SecStoreFS.java:1274)
          ... 6 more
  Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
          at javax.crypto.b.<clinit>(Unknown Source)
          at java.lang.J9VMInternals.initializeImpl(Native Method)
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:196)
          ... 17 more
  Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
          at javax.crypto.b.a(Unknown Source)
          at javax.crypto.b.a(Unknown Source)
          at javax.crypto.b.access$600(Unknown Source)
          at javax.crypto.b$0.run(Unknown Source)
          at java.security.AccessController.doPrivileged(AccessController.java:246)
          ... 20 more
  ERROR      2009-07-07 14:10:47.063
             CJSlibModule::writeError_impl()
  CJS-30050  Cannot create the secure store. SOLUTION: See output of log file SecureStoreCreate.log:
  SAP Secure Store in the File System - Copyright (c) 2003 SAP AG
  java.lang.reflect.InvocationTargetException
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
          at java.lang.reflect.Method.invoke(Method.java:391)
          at com.sap.engine.offline.OfflineToolStart.main(OfflineToolStart.java:81)
  Caused by: java.lang.ExceptionInInitializerError
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:218)
          at javax.crypto.Cipher.a(Unknown Source)
          at javax.crypto.Cipher.getInstance(Unknown Source)
          at iaik.security.provider.IAIK.a(Unknown Source)
          at iaik.security.provider.IAIK.addAsJDK14Provider(Unknown Source)
          at iaik.security.provider.IAIK.addAsJDK14Provider(Unknown Source)
          at com.sap.security.core.server.secstorefs.Crypt.<clinit>(Crypt.java:82)
          at java.lang.J9VMInternals.initializeImpl(Native Method)
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:196)
          at com.sap.security.core.server.secstorefs.SecStoreFS.setSID(SecStoreFS.java:158)
          at com.sap.security.core.server.secstorefs.SecStoreFS.handleCreate(SecStoreFS.java:804)
          at com.sap.security.core.server.secstorefs.SecStoreFS.main(SecStoreFS.java:1274)
          ... 6 more
  Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
          at javax.crypto.b.<clinit>(Unknown Source)
          at java.lang.J9VMInternals.initializeImpl(Native Method)
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:196)
          ... 17 more
  Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
          at javax.crypto.b.a(Unknown Source)
          at javax.crypto.b.a(Unknown Source)
          at javax.crypto.b.access$600(Unknown Source)
          at javax.crypto.b$0.run(Unknown Source)
          at java.security.AccessController.doPrivileged(AccessController.java:246)
          ... 20 more.
  ERROR      2009-07-07 14:10:47.547 [sixxcstepexecute.cpp:960]
  FCO-00011  The step createSecureStore with step key |NW_Onehost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|2|0|NW_CreateDBandLoad|ind|ind|ind|ind|10|0|NW_SecureStore|ind|ind|ind|ind|8|0|createSecureStore was executed with status ERROR ( Last error reported by the step :Cannot create the secure store. SOLUTION: See output of log file SecureStoreCreate.log:
  SAP Secure Store in the File System - Copyright (c) 2003 SAP AG
  java.lang.reflect.InvocationTargetException
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
          at java.lang.reflect.Method.invoke(Method.java:391)
          at com.sap.engine.offline.OfflineToolStart.main(OfflineToolStart.java:81)
  Caused by: java.lang.ExceptionInInitializerError
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:218)
          at javax.crypto.Cipher.a(Unknown Source)
          at javax.crypto.Cipher.getInstance(Unknown Source)
          at iaik.security.provider.IAIK.a(Unknown Source)
          at iaik.security.provider.IAIK.addAsJDK14Provider(Unknown Source)
          at iaik.security.provider.IAIK.addAsJDK14Provider(Unknown Source)
          at com.sap.security.core.server.secstorefs.Crypt.<clinit>(Crypt.java:82)
          at java.lang.J9VMInternals.initializeImpl(Native Method)
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:196)
          at com.sap.security.core.server.secstorefs.SecStoreFS.setSID(SecStoreFS.java:158)
          at com.sap.security.core.server.secstorefs.SecStoreFS.handleCreate(SecStoreFS.java:804)
          at com.sap.security.core.server.secstorefs.SecStoreFS.main(SecStoreFS.java:1274)
          ... 6 more
  Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
          at javax.crypto.b.<clinit>(Unknown Source)
          at java.lang.J9VMInternals.initializeImpl(Native Method)
          at java.lang.J9VMInternals.initialize(J9VMInternals.java:196)
          ... 17 more
  Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
          at javax.crypto.b.a(Unknown Source)
          at javax.crypto.b.a(Unknown Source)
          at javax.crypto.b.access$600(Unknown Source)
          at javax.crypto.b$0.run(Unknown Source)
          at java.security.AccessController.doPrivileged(AccessController.java:246)
          ... 20 more.).
  what could be the problem ?
  Please give me the soluation
  regards
  Vijay

  Dear Juan
  You are correct.
  I downloaded correct file from IBM site , and Create Secure store step completed but innext step IMPORT JAVA DUMP
  it gave error
  n error occurred while processing service SAP ERP 6.0 Support Release 3 > SAP Systems > Oracle > Central System > Central System( Last error reported by the step : Execution of JLoad tool '/usr/java14_64/bin/java -classpath /swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/launcher.jar -showversion -Xmx512m -Xj9 com.sap.engine.offline.OfflineToolStart com.sap.inst.jload.Jload /swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/lib/iaik_jce.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/jload.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/antlr.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/exception.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/jddi.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/logging.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/offlineconfiguration.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/opensqlsta.jar:/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/install/sharedlib/tc_sec_secstorefs.jar:/oracle/client/10x_64/instantclient/ojdbc14.jar -sec AGQ,jdbc/pool/AGQ,/usr/sap/AGQ/SYS/global/security/data/SecStore.properties,/usr/sap/AGQ/SYS/global/security/data/SecStore.key -dataDir /swdump/NW7.0_SR3_JAVA_COMP_51033513/DATA_UNITS/JAVA_EXPORT_JDMP -job /swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/IMPORT.XML -log jload.log' aborts with return code 1. SOLUTION: Check 'jload.log' and '/swdump/tmpinst/sapinst_instdir/ERP/SYSTEM/ORA/CENTRAL/AS/jload.java.log' for more information.
  regards
  vijjay

• Class not found in applet using 2 jar files

  I have an applet which has been working for years as a stand alone or connecting directly to a derby database on my home server. I have just changed it to connect to MySQL on my ISP server via AJAX and PHP.
  I am now getting a class not found error in my browser, probably because I'm stuffing up the class path.
  The HTML I am using to call the applet is:
  <applet code="AMJApp.class"
  codebase="http://www.interactived.com/JMTalpha"
  archive="AMJ014.jar,plugin.jar"
  width="500"height="500"
  MAYSCRIPT style="border-width:0;"
  name="jsap" id="jsap"></applet>The AMJ014.jar contains the applet and supporting class files.
  The error message is strange to me because it refers to a class I noticed on another web page but which has nothing to do with my applet. Anyway, the message in full is:
  load: class NervousText.class not found.
  java.lang.ClassNotFoundException: NervousText.class
       at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
       at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
       at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Exception: java.lang.ClassNotFoundException: NervousText.class
  java.lang.UnsupportedClassVersionError: AMJApp : Unsupported major.minor version 51.0
       at java.lang.ClassLoader.defineClass1(Native Method)
       at java.lang.ClassLoader.defineClassCond(Unknown Source)
       at java.lang.ClassLoader.defineClass(Unknown Source)
       at java.security.SecureClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
       at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
       at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
       at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Exception: java.lang.UnsupportedClassVersionError: AMJApp : Unsupported major.minor version 51.0

  Thanks again.
  The page code is:
  <html>
  <head>
    <title>Applet to JavaScript to PHP</title>
  </head>
  <body>
  <script type="text/javascript">
  function updateWebPage(myArg)
  document.getElementById("txt1").innerHTML=myArg;
  if (myArg=="")
    document.getElementById("cbxItem").innerHTML="";
    return;
  if (window.XMLHttpRequest)
    {// code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp=new XMLHttpRequest();
  else
    {// code for IE6, IE5
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  xmlhttp.onreadystatechange=function()
    if (xmlhttp.readyState==4 && xmlhttp.status==200)
      document.getElementById("cbxItem").innerHTML=xmlhttp.responseText;
  xmlhttp.open("GET","putitem.php?id="+myArg,true);
  xmlhttp.send();
  </script>
  <form>
  <table border=1 align='center' cellpadding=0 cellspacing=0 >
  <tr><td style='text-align:center; background-color:#C0C0C0'>Compiled Java Applet</td></tr>
  <tr><td><applet code="AMJApp.class" codebase="http://www.interactived.com/JMTalpha" archive="AMJ014.jar" width="500"height="500" MAYSCRIPT style="border-width:0;" name="jsap" id="jsap"></applet> </td></tr>
  <tr><td style='text-align:center; background-color:#C0C0C0'>HTML Textbox filled by JavaScript</td></tr>
  <tr><td><textarea style='width:500px; height:50px' name='txt1' id='txt1'>Query goes here</textarea></td></tr>
  <tr><td style='text-align:center; background-color:#C0C0C0'>HTML diagnostic messages rendered by PHP script</td></tr>
  <tr><td><div id="cbxItem">PHP info will populate this space</div></td></tr>
  </table>
  </form>
  </body>
  </html>The URL of the problem page is:
  http://www.interactived.com/JMTalpha/AMJTest.htm
  The code in the page is based on the following test page, which works:
  http://www.interactived.com/test5Applet.htm
  And the Applet, before I made any changes can be seen at this address:
  http://www.interactived.com/jartest0906.htm
  Thanks again for you interest.
  Edited by: 886473 on 21-Sep-2011 00:47

• Is thr way to applet write file, client machine without  entry in policy

  hi,
  is there any way to allow applet write file in local machine (client ) without entry in policy file... i feel this extra step to clients...
  To achieve this what are class i have to implements...

  No, thank God there isn't.