Confused about signed applets

Similar Messages

• About Signed Applet

  Dear All:
  I am so sorry for this to ask an old question to whom know about this question.
  My question is that I have sign the applet, but I use the certificate which is not checked by third party. Because I just want to use it to demo the applet program. I don't know if using the unchecked certificate will let me can't use this applet as the one with checked certificate. Because I also see the prompted dialog to ask me if I trust this application.... yes/no, when I choose "yes", there is still a exception, AccessControlException: access denied. Is there anyone can help me out this trouble? I have read the related article, but I still can't understand it well and make my applet work well.

  p.s. I use jre 1.5.0_09 and my browser is IE

• Dude about signed applets?

  What are exactly the restriccions of applets, I must do an applet that receives data from sql server 2000, both loaded on the server and a user conected on a client machine, it works from the IDE but not from the html file. (acces denied)
  To sign an applet do I need to sign all the clases or just the applet one?
  Can I solve the problem in another way?
  How to load an applet from a jar file?

  Applets are not allowed to read or write data to the client machine. I don't think they are allowed to open socket connections either, however I think applets are allowed to open a connection back to the server they were hosted from without being signed (but I could be wrong)
  Usually you package your applet into a JAR file and then you sign the JAR.
  I created a file upload applet and this is what my tag looks like
  <APPLET codeBase="/UploadAppletExample/applet" CODE="org.frontier.webapp.applet.FrontierUploadApplet.class" ARCHIVE="SFrontierUploadApplet.jar,SJacksum.jar" WIDTH="800" HEIGHT="352">
  </APPLET>All the classes the make up the applet are in a JAR file called SFrontierUploadApplet.jar. This JAR is signed. The Applet also uses some library functions in another JAR file called SJacksum.jar. This JAR is also signed. The main class that extends Applet is org.frontier.webapp.applet.FrontierUploadApplet.class. The actual JAR files are under a directory called [web root]/UploadAppletExample/applet.
  make sense?
  To sign an applet you must first use the keytool program to create a keystore. This example creates a keystore called MyStore.
  keytool -genkey -alias myKey -keystore MyStore -keypass foo123 -dname "cn=blah" -storepass foo456Then you can sign your JAR using the jarsign tool and your keystore. This example take my JAR FrontierUploadApplet.jar and creates a signed JAR called SFrontierUploadApplet.jar
  jarsigner -keystore MyStore -storepass foo456 -keypass foo123 -signedjar SFrontierUploadApplet.jar FrontierUploadApplet.jar myKey-S

• Signing applets: Classnotfoundexception

  Hi everyone,
  I've created a web application that contains an applet as well. In that applet ,the user should be given the opportunity to open and save files from and to a directory on his own computer. I've read alot of things about signing applets to make that possible, but I haven't managed to get a working application yet.
  This is what I've done till now:
  I created a bat file containing the following script:
  set path=C:\Program Files\Java\jdk1.5.0_05\bin
  keytool -genkey -keystore applet\AppletKeystore -keyalg rsa -alias myApplet -storepass 123456 -keypass 789012
  keytool -selfcert -alias myApplet -keystore applet\AppletKeystore -storepass 123456 -keypass 789012
  keytool -export -keystore applet\AppletKeystore -alias myApplet -storepass 123456 -file applet\appletPublicKey.cer
  jar cvf applet\theContent.jar applet\*.class applet\appletPublicKey.cer
  jarsigner -verbose -keystore applet\AppletKeystore -storepass 123456 -keypass 789012 applet\theContent.jar myApplet
  htmlConverter templates.jsp
  I saved the file and I ran it. I got a keystore, a cer file and a jar file in my applet directory. So far so good, I guess.
  After that, I added an extra parameter in my jsp file so I get the following code:
  <jsp:plugin type="applet" archive="applet.theContent.jar" jreversion="1.5" code="applet.TemplateCreatorApplet.class" codebase="." width="1280" height="800" align="middle">
          <jsp:fallback>
              Plugin tag OBJECT or EMBED not supported by browser
          </jsp:fallback>
      </jsp:plugin>Then I copied the jar file and the jsp file to the webserver. When I run my application and I want to show the applet I get an error telling me that the TemplateCreatorApplet.class file can't be found. I don't understand why I get this error when all the necessary class file are supposed to be in the jar file. Can anyone help me???
  Thanks in advance,
  Plunofix

  Hi everyone,
  i manage to solve this problem. The Classnotfoundexception raised when the applet try to find the path of the class file.
  make sure when you create a jar file , you given a full path.
  For example, your class file located in the com/java/test/TestApplet.class. when you create a jar file please do in the root folder
  1. jar cvf TestApplet.jar com/java/test/TestApplet.class
  2. jar tvf TestApplet.jar
  It will display the complete path of class file.

• Learn about writing applet for java smart card

  hi to all i am newbie in here and need to start write applet for my project
  but i am little confuse about writing applet please guide me for doing that
  thank you

  maybe this link how to develop new smart card application(write and read data on smart card will be useful

• Uploaded content modification detecting(from Signed Applet)

  Hello,
  I have a question about signed applets and content verification on client machine. Let's consider the following scenario:
  I have uploaded an image to client machine(using signed applet)
  Client have modified the image
  I want to detect that image was modified... And change it to default, stored in web host.
  Is there any way to identify modification? Or maybe there are some other tecniques of storing content to client's machine, not using raw resources?
  Thanks in advance.

  >
  Setting the proxy in the java control panel has no
  effect on the available system properties.
  Rather it has no impact on the VM that the applet runs in. Which is different than saying it has no impact at all.
  I suspect there is a file somewhere that controls the actual system values for applets.
  Given that an app should be able to detect the proxy
  settings of the person running it, how is this
  possible if the properties are not available from
  within the app?What exactly are you trying to do?
  An applet, which is not an app, normally has certain restrictions which would be sufficient for most apps.
  And the proxy setting impacts the VM, nothing else. So if the applet returns null then it means the VM has no setting. That doesn't mean that one or more proxies are not in the chain of communication. But you are not going to get those from the VM.

• Question about Java Applet Jar file signing.

  These questions pertain to Java 6 Standard Edition 1.6.0_22-b04 and later.
  I have gone through the Oracle Java Tutorial for generate public and private key information
  to sign a jar file, and how to sign the jar itself, all at
  [http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html|http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html]
  , and seek some clarification on the following related questions:
  -In order to "escape" the java applet sandbox that exists around the client's
  copy of the applet running in their web browser, ie.
  (something forbidden by default), is verification of the signed applet enough, or is a policy file required
  to stipulate these details?
  -using the policytool policy file generator, what do I need to add under "Principals"
  (if anything) when dealing with a Java applet? Are Codebase and SignedBy simply author information?
  -If I choose to use a java.security.Permission subclass object set up in equivalent fashion within the Applet,
  which class within the Applet jar do I instantiate that object in? Does it need to be mentioned
  in the applet's jar Manifest.MF file?
  -Is the "keystore database" a java language service/process which runs in
  the Server's memory and is simply accessed and started by default
  by the client verifier program (appletview/web browser)?
  -The public key certificate file (*.cer) is put in the webserver directory holding
  the Applet jar file (ie. Apache Tomcat, for example).
  -Presumably, the web browser detects the signed jar
  and certificate file, and provides the browser pop up menu asking the user
  about a new, non recognised certificate (initially).
  Is this so?
  -With this being the case, can the applet now escape
  the sandbox, be it with or without the stipulated
  policy permissions?

  848439 wrote:
  -In order to "escape" the java applet sandbox that exists around the client's
  copy of the applet running in their web browser, ie.
  (something forbidden by default), is verification of the signed applet enough, or is a policy file required
  to stipulate these details?Just sign the applet, the policy file is not necessary.
  -Is the "keystore database" a java language service/process which runs in
  the Server's memory and is simply accessed and started by default
  by the client verifier program (appletview/web browser)?No.
  -The public key certificate file (*.cer) is put in the webserver directory holding
  the Applet jar file (ie. Apache Tomcat, for example).No. For a signed Jar, all the information is contained inside the Jar.
  -Presumably, the web browser detects the signed jar
  and certificate file, and provides the browser pop up menu asking the user
  about a new, non recognised certificate (initially).
  Is this so?No. It is the JVM that determines when to pop the confirmation dialog.
  -With this being the case, can the applet now escape
  the sandbox, ..Assuming the end-user OK's the trust prompt, yes.
  ..be it with or without the stipulated
  policy permissions?Huh?

• Confusion about applet

  sir
  i have confusion about applet that if an applet compile successfully but on running it shows a exception message about "main"that no such method exist.help me out please

  The full text of the error message would make it easier for us to see what is wrong BUT it sounds like you are trying to run the Applet as an applicaiton from the comand line rather than through an HTML tag in an HTML page loaded into your browser!
  Though you can make Applets run as applications it not normal to do so.

• Signed Applet--please tell me something about the basics of it

  Hi guys .
  I am in the process of developing a GUI using an applet.The GUI involves reading a file given as input and parsing it for punctuaion errors.
  This applet has to write to a file called "errors.txt" to report about errors.I came to know from a friend that applets do not have access permissions to write files to disk .This feature can be achieved using Signed Applets .If there is anyone who can tell me about the basics of Signed Applets then please help me as to how I can make changes in my program and elsewhere so that my program is able to do that.
  My program is as follows(if youm need it):
  import java.io.*;
  import java.awt.*;
  import java.applet.*;
  public class textcopy extends Applet
  public void init()
  Choice ch=new Choice();
  ch.addItem("Click Next to continue.");
  ch.addItem("Framework Properties");
  Label l1=new Label(" ");
  Label nm=new Label("Please specify the errors that you want to be checked for in the file:");
  Label a1=new Label("Write the pathname here:");
  ta=new TextArea(1,20);
  B=new Button("OK");
  Checkbox b1=new Checkbox("Punctuation errors");
  Checkbox b2=new Checkbox("Finding whether a key string is misspelt");
  Label l2=new Label("Please select the key string from one of these:");
  add(a1);
  add(ta);
  add(B);
  add(l1);
  add(nm);
  add(b1);
  add(b2);
  add(l2);
  add(ch);
  TextArea ta;
  Button B;String str="";
  public boolean action(Event e,Object obj)
  if(e.target instanceof Button)
  repaint();
  return true;
  return false;
  public void paint(Graphics g)
  String s=ta.getText();
  try{
  FileReader fin=new FileReader(s);
  PrintWriter fout=new PrintWriter(new BufferedWriter(new FileWriter("c:\\avichal\\java\\errors.txt")));
  parse(fin,fout);
  fin.close();
  fout.close();
  catch(IOException e)
  Label avi=new Label("arsehole!!!");
  add(avi);
  //g.drawString("SOme Error",500,300);
  //e.printStackTrace();
  public static void parse(FileReader fin,PrintWriter fout)throws IOException
  String str="Punctuation Errors:\n"; /*Heading*/
  fout.println(str);
  fout.println("========================================================");
  int i=0,j=0,k=0,l=0;
  j=fin.read();
  do{
  do{
  i=j;
  j=fin.read();
  }while((!((char)i=='('&&(char)j=='R'))&&(j!=-1));
  if(j==-1)break;
  j=fin.read();
  j=fin.read();
  j=fin.read();
  j=fin.read();
  j=fin.read();
  j=fin.read();
  j=fin.read();
  char refnum[]=new char[5];
  l=0;
  while((char)j!=')')
  j=fin.read();
  if((char)j!=')')
  refnum[l++]=(char)j;
  fout.write("REF. NUM: ");
  for(int a=0;a<l;a++)fout.write(refnum[a]);fout.write(": ");
  j=fin.read();
  l=0;
  do{
  i=j;
  j=fin.read();
  if((char)i=='\n')
  k++;
  //'k' gives the line no. and finally the no. of lines and neglects the lines before first occurence of "Ref Num
  if(((char)i==',')&&((char)j!=' '))
  l++;
  String st=l+". error at line number "+ (k+1) + ": There should be "+
  "a space after comma(,) \n";
  fout.println(st);
  if(((char)i=='.')&&((char)j!=' '))
  l++;
  String st=l+". error at line number "+ (k+1) + ": There should be "+
  "a space after period(.) \n";
  fout.println(st);
  if(((char)i=='.')&&((char)j=='.'))
  l++;
  String st=l+". error at line number "+ (k+1) + ": There should not be "+
  "two periods(.) together \n";
  fout.println(st);
  if(((char)i==' ')&&((char)j=='.'))
  l++;
  String st=l+". error at line number "+ (k+1) + ": There should not be "+
  "a space before a period(.) \n ";
  fout.println(st);
  }while((!((char)i=='-' && (char)j=='T')) && j!=-1);
  fout.println(" ");
  /*if(l==0)
  fout.println("No errors!!!!");*/
  if(j==-1)break;
  }while(j!=-1);

  You need to understand many concepts before you start work on .
  Here is some useful links for you
  1. http://mindprod.com/jgloss/signedapplets.html
  2. http://java.sun.com/products/plugin/reference/codesamples/index.html examples of 1.4 plugin
  3. http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/contents.html
  4. http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/faq/basics.html
  5. http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html

• Signed applets and dialogs

  hi all,
  question to clarify my understanding of signed applets.
  got a bog-standard applet. nothing clever or special.
  got myself a bog-standard cert from thawte.
  signed the applet and put it on a webserver.
  displays the correct security notice on first load. continue and "Always trust this company" etc...
  all runs fine.
  in the applet init, i've put in
  java.awt.AWTPermission perm = new java.awt.AWTPermission("showWindowWithoutWarningBanner");
  try {
    AccessController.checkPermission(perm);
    System.out.println("access allowed?");
  } catch (AccessControlException ex) {
    ex.printStackTrace();
  }open the main frame, and all is good. no banner or access denied exception.
  show a popup menu, or tooltip. no banner.
  display a dialog. oops, a banner "Java Applet Window" and the bottom section of the dialog is covered with the warning msg.
  so i'm confused.
  does this mean that this permission does not apply to dialogs? (if so, what?)
  even with a cert, this msg cannot be removed? (please tell me no)
  wrap and recode all dialog openings with AccessController.doPrivileged? (i dont wanna do this)
  or i missed something with the setup.
  i've been searching the forums for some info, but seem to be going in circles. editing the policy file on all client comps is not a valid option, unless there is sometrick i dont know about .
  tia
  -a

  hi,
  i got the answer from the link
  http://www.javaworld.com/javaworld/jw-12-2000/jw-1215-security.html

• JRE 1.4.x Plugin - Signed Applets and Weird Behaviour (Policy)

  Hello.
  I have recently experienced some strange behaviour related to signed applets and policy files in JRE 1.4.2-b28 ( a friend got the same behaviour in a flavour of 1.4.1-xx as well ). Both tests were on Windows 2000 Professional platforms.
  Initially my unsigned applet, which attempts socket connections to a server different from the download location, fails with security exceptions ( as expected ). Then I did the following to sign the applet jar and configure my environment
  Steps: 1) Import "trusted CA" certificate into ${java.home}/lib/security/cacerts. (JRE home outside the JDK)
  2) Signed the jar using jarsigner and a certificate generated from the "trusted CA" (Entrust CA and certificate).
  3) Imported the signing certificate into the Java plugin using import in the plugin control panel.
  4) Created a new keystore (keytool,jks) and imported the signing certificate into the keystore with alias "developer". The keystore is stored in the user home as .keystore.
  5) Created a .java.policy for the user and attaching the keystore in 4) to it. ( also stored in user home ).
  6) Used the policy tool to grant socketpermissions to the specific codebase ( testing with file:/C:/test/* initially ) signed by "developer"
  After this, when I ran the test page under IE 5.5SP2 and Netscape 7.1 it worked without any security exception. Ditto for using the appletviewer and the policy file I created for the user.
  The weird part occurred when I removed the policy entry from the user policy file. After doing this, Netscape and IE still allow the applet to execute - somehow remembering that it was granted permissions at some point. The appletviewer does not allow it to execute, generating security exceptions.
  It appears the old policy is being cached somewhere, but I cannot find where. If I replace the applet jar with an unsigned version it does fail in IE and Netscape. I tried cleaning the plugin cache and removing the "deployment.certs" files related to the users but still get the same behaviour.
  Does anyone know where the old policy information is being stored ? Does anyone know how to revoke the permissions so that I am restored to my original base environment ( no permissions for "designer" signed applets ) ? Would attempting to utilize the AccessController.doPriveleged( xxxx ) operations in JDK 1.4 avoid all of this confusion with policy files, keystores and certificate storage ? After all the messing about I would like a zero-footprint alternative ( or minimzed footprint anyway ).
  Any ideas would be most welcome.
  Regards,
  James.

  Hello Again.
  I am either enlightened or confused at this point. I found that as long as all of my related Jars are signed ( even by self-signed certificates ) I am granted SocketPermissions for calls outside of the originating server. Unsigned code is refused, but even when the Jars were signed using a self-signed certificate the Socket calls were allowed.
  Am I experiencing the appropriate behaviour in this case ( which would mean not having to utilize policy files to distribute an applet that uses calls to arbitrary servers - e.g. JavaMail ) or am I suffering from something damaged in my environment ?
  It has been a long time since I played with signed applets and I am having difficulty determining what operations require policy file entries/AccessController.doPrivileged() calls and which are granted when a user elects to trust a signed applet without policy.
  Any assistance in clearing up my confusion would be appreciated.
  Regards,
  James.

• Prevent abuse of a signed applet?

  Hi
  I am creating an application using HTML, javascript, and a set of java classes.
  Communication betwwen the javascript and java is done by an applet, signed with a real certificate.
  I would like to prevent someone copying my signed jar, and abusing it.
  The classes behind my applet will do (a.o.) local I/O.
  The type of abuse I am worried about is e.g. java code from another jar calling public methods on classes in my signed jar, using them to read or write files, and thus abusing my certificate for doing something else than my applet/jar was meant to.
  I am looking for advice on how to prevent such things from happening.
  Thoughts that already crossed my mind, are:
  - making sure only my applet (and as few as possible other classes) has a public constructor
  - declaring as much classes as possible (at least the sensitive classes) as final
  - avoid non-final public static variables that contain default names of files
  If anyone has some more ideas, please post them! I'll be very gratefull!
  If you know about a similar question (and answer) in this forum, please let me know, as I have not found it.

  harmmeijer,
  thanks for the answer, and especially the idea of checking the call stack!
  You scared the hell out of me however, by saying:
  Your applet would not work at all in jre 1.4.2 signed or policy, when the method is called by javascriptand reading the thread you referenced!
  Everything worked fine in jre 1.4.1_2 and earlier. It continued working in 1.4.2_01 in combination with Netscape (v 7.1)
  But the combination MSIE (v6.0) with jre v1.4.2_01 did require a minor change:
  From my signed applet, I called a .class.getResource(...).getURL()
  It didn't work anymore, so I do it know in my applet's init() method, instead of in a stack started by javascript.
  All my other I/O (and reflection) still works (thank all gods!), since I do it in a separate thread that I start in my applet's init() method. I hope it keeps working in jre 1.5 :-)
  Any other input is very welcome!

• Signed applet for file download?

  Hello folks,
  I have a signed applet through which i can upload multiple files to a servlet. I wish to create another applet or enhance this one to enable it to download multiple files from the server to the client m/c. Any idea, how to go about it?
  I will appreciate your helpful replies.
  Thank you,
  Coreli

  which part? You apparently already know how to sign an applet... and use a file chooser... and create servlets that can take files.... seems you need to do the opposite and use input streams where you used output streams before and vice versa...

• Classloader caching in signed applet is very slow and weird

  I have a signed applet running in the 1.4.1_01 plugin environment, and
  I'm getting the following kinds of messages when I use debug mode 5 in the console:
  Connecting http:[myserver]/someclass.class with no proxy
  Connecting http:[myserver]/someclass.class with cookie "JSESSIONID=..."
  Sometimes, the classloader will say:
  WARNING: Unable to cache someclass.class
  Moreover, some classes will be repeated two or three times, as if the classloader is trying to get the same class two or three times.
  Some of these classes are even in the java.lang package!!
  The thing is, I'm actually trying to get the applet to use webservices, so I've signed the Apache Axis jar files (about 8 or so) and included them in the "cache_archive" parameter. The classes giving problems are from these archives, not from my main applet jar.
  The applet will eventually work, but the first time takes a LONG time to initialize because the classloader is trying to verify all the classes (i think). Subsequent runnings of the applet within the same browser will be much faster, but the same thing will happen if I start a new browser instance.
  My questions are:
  1) Why is the classloader trying to load from my http server rather than from the local jars? (they seem to be statically cached, I checked the plugin control panel)
  2) Why is the classloader reloading the same classes multiple times?
  3) Is the classloader verifying the signatures for each class, because it's taking a long time due to very many classes (100's).
  I can't seem to find ANY documentation for this at Sun or Google.
  Please help if you can!
  Andrew

  I've got the same problem with applet using SOAP based on jwsdp.
  But classloader only try to get classes from server that are used in SOAP calls.
  The only workaround I found is to move this classes to root package, but still there are problems with
  Connecting http://<host>/int.class with no proxy
  Connecting http://<host>/int.class with no proxy
  WARNING: Unable to cache http://<host>/int.class
  requests.
  Maybe this is a bug of Sun SOAP implementation?

• Calling1.4.1 signed applet from Javascript causes keyboard/focus problems

  Pretty sure there's a JRE bug here, but I'm posting to forums before I open one in case I'm missing something obvious :-)
  This issue may be specific to IE, I haven't tested elsewhere yet. Our web application is centered around a signed applet that is initialized with XML data via Javascript. We first noticed the problem when our users started upgrading from the 1.3.x plug-in to the 1.4.x plug-in. The major symptom was that shortcut keys stopped working. I debugged the problem off and on for about a month before I boiled it down to a very simple program that demonstrates the issue (included below). Basically, the program has a function that adds a JButton to a JPanel and registers a keyboard listener (using the new DefaultKeyboardFocusManager class) that prints a message to the console. This function is called by the applet's init() method, as well as by a public method that can be called from Javascript (called callMeFromJavascript()). I also included a very simple HTML file that provides a button that calls the callMeFromJavascript() method. You can test this out yourself: To recreate, compile the class below, JAR it up, sign the JAR, and put in the same dir with the HTML file. Load the HTML file in IE 5.0 or greater, and bring the console up in a window right next to it. Now click the button that says init--you should see the small box appear inside the button that indicates it has the focus. Now press some keys on your keyboard. You should see "KEY PRESSED!!!" appearing in the console. This is proper behavior. Now click the Init Applet from Javascript button. It has removed the button called init, and added one called "javascript". Press this button. Notice there is no focus occurring. Now press your keyboard. No keyboard events are registered.
  Where is gets interesting is that if you go back and make this an unsigned applet, and try it again, everything works fine. This bug only occurs if the applet is signed.
  Furthermore, if you try it in 1.3, signed or unsigned, it also works. So this is almost certainly a 1.4 bug.
  Anyone disagree? Better yet, anyone have a workaround? I've tried everything I could think of, including launching a thread from the init() method that sets up the components, and then just waits for the data to be set by Javascript. But it seems that ANY communication between the method called by Javascript and the code originating in init() corrupts something and we don't get keyboard events. This bug is killing my users who are very reliant on their shortcut keys for productivity, and we have a somewhat unique user interface that relies on Javascript for initialization. Any help or suggestions are appreciated.
  ================================================================
  Java Applet (Put it in a signed JAR called mainapplet.jar)
  ================================================================
  import javax.swing.*;
  import java.awt.*;
  import java.awt.event.*;
  public class MainApplet extends JApplet implements KeyEventDispatcher
      JPanel test;
      public void init()
          System.out.println("init called");
          setUp("init");
      public void callMeFromJavascript()
          System.out.println("callMeFromJavascript called");
          setUp("javascript");
      private void setUp(String label)
          getContentPane().removeAll();
          test = new JPanel();
          getContentPane().add( test );
          JButton button = new JButton(label);
          test.add( button );
          test.updateUI();
          DefaultKeyboardFocusManager.getCurrentKeyboardFocusManager().addKeyEventDispatcher(this);
      public boolean dispatchKeyEvent(KeyEvent e)
          System.out.println("== KEY PRESSED!!! ==");
          return false;
  }================================================================
  HTML
  ================================================================
  <form>
  <APPLET code="MainApplet" archive="mainapplet.jar" align="baseline" id="blah"
       width="200" height="400">
       No Java 2 SDK, Standard Edition v 1.4.1 support for APPLET!!
  </APPLET>
  <p>
  <input type="button" onClick="document.blah.callMeFromJavascript();" value="Init Applet via Javascript">
  </form>

  I tried adding the requestFocus() line you suggested... Same behavior.
  A good thought, but as I mention in my description, the applet has no trouble gaining the focus initially (when init() is called). From what I have seen, it is only when the call stack has been touched by Javascript that I see problems. This is strange though: Your post gave me the idea of popping the whole panel into a JFrame... I tried it, and the keyboard/focus problem went away! It seems to happen only when the component hierarchy is descended from the JApplet's content pane. So that adds yet another variable: JRE 1.4 + Signed + Javascript + components descended from JApplet content pane.
  And yes, signed or unsigned DOES seem to make a difference. Don't ask me to explain why, but I have run this little applet through quite a few single variable tests (change one variable and see what happens). The same JAR that can't receive keyboard events when signed, works just fine unsigned. Trust me, I'm just as baffled as you are.