Signed Applet without a Cert

Similar Messages

• Self sign applet without doing any change in policy file at client end

  Hi all,
  I developed an applet which make some webservice calls,
  I have given following permission in policy file at client end
  grant codeBase "http://nta2311:7001/-" {
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.net.SocketPermission "*", "connect, resolve";
  with these settings applet is working fine
  Now I want to make applet signed in order to avoid policy file modifications
  for testing I want to self sign it
  please help me

  Signing applets:
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post and reply 18 for the java class file using doprivileged
  http://forum.java.sun.com/thread.jsp?forum=63&thread=409341
  4th post explaining how to set up your own policy with your own keystore
  Still problems?
  A Full trace might help us out:
  http://forum.java.sun.com/thread.jspa?threadID=656028

• JRE 1.4.x Plugin - Signed Applets and Weird Behaviour (Policy)

  Hello.
  I have recently experienced some strange behaviour related to signed applets and policy files in JRE 1.4.2-b28 ( a friend got the same behaviour in a flavour of 1.4.1-xx as well ). Both tests were on Windows 2000 Professional platforms.
  Initially my unsigned applet, which attempts socket connections to a server different from the download location, fails with security exceptions ( as expected ). Then I did the following to sign the applet jar and configure my environment
  Steps: 1) Import "trusted CA" certificate into ${java.home}/lib/security/cacerts. (JRE home outside the JDK)
  2) Signed the jar using jarsigner and a certificate generated from the "trusted CA" (Entrust CA and certificate).
  3) Imported the signing certificate into the Java plugin using import in the plugin control panel.
  4) Created a new keystore (keytool,jks) and imported the signing certificate into the keystore with alias "developer". The keystore is stored in the user home as .keystore.
  5) Created a .java.policy for the user and attaching the keystore in 4) to it. ( also stored in user home ).
  6) Used the policy tool to grant socketpermissions to the specific codebase ( testing with file:/C:/test/* initially ) signed by "developer"
  After this, when I ran the test page under IE 5.5SP2 and Netscape 7.1 it worked without any security exception. Ditto for using the appletviewer and the policy file I created for the user.
  The weird part occurred when I removed the policy entry from the user policy file. After doing this, Netscape and IE still allow the applet to execute - somehow remembering that it was granted permissions at some point. The appletviewer does not allow it to execute, generating security exceptions.
  It appears the old policy is being cached somewhere, but I cannot find where. If I replace the applet jar with an unsigned version it does fail in IE and Netscape. I tried cleaning the plugin cache and removing the "deployment.certs" files related to the users but still get the same behaviour.
  Does anyone know where the old policy information is being stored ? Does anyone know how to revoke the permissions so that I am restored to my original base environment ( no permissions for "designer" signed applets ) ? Would attempting to utilize the AccessController.doPriveleged( xxxx ) operations in JDK 1.4 avoid all of this confusion with policy files, keystores and certificate storage ? After all the messing about I would like a zero-footprint alternative ( or minimzed footprint anyway ).
  Any ideas would be most welcome.
  Regards,
  James.

  Hello Again.
  I am either enlightened or confused at this point. I found that as long as all of my related Jars are signed ( even by self-signed certificates ) I am granted SocketPermissions for calls outside of the originating server. Unsigned code is refused, but even when the Jars were signed using a self-signed certificate the Socket calls were allowed.
  Am I experiencing the appropriate behaviour in this case ( which would mean not having to utilize policy files to distribute an applet that uses calls to arbitrary servers - e.g. JavaMail ) or am I suffering from something damaged in my environment ?
  It has been a long time since I played with signed applets and I am having difficulty determining what operations require policy file entries/AccessController.doPrivileged() calls and which are granted when a user elects to trust a signed applet without policy.
  Any assistance in clearing up my confusion would be appreciated.
  Regards,
  James.

• Signed applet throws security exceptions

  Since nobody seems to be reading the Signe Applet forum, I decided to try here:
  Hi all
  I have problems with signed applet (self-made cert), and after reading this forum I see this is more or less common.
  The problem that I am having is, that I can not use doPrivilege() and similar tricks, because applet needs to be Java 1.1 compatible.
  So, signing will have to work.
  Applet is signed using 1.5.0_06 jarsigner. Jarsigner verifies it OK.
  It works on JVM 1.5.0_06 but not on 1.4.2_08.
  Please help me make if work under any JVM.
  The error I get is:
  Java(TM) Plug-in: Version 1.4.2_08
  Using JRE version 1.4.2_08 Java HotSpot(TM) Client VM
  User home directory = C:\Documents and Settings\miha
  Proxy Configuration: Automatic Proxy Configuration
       URL: http://orion.nil.si/proxy.pac
  c:   clear console window
  f:   finalize objects on finalization queue
  g:   garbage collect
  h:   display this help message
  l:   dump classloader list
  m:   print memory usage
  o:   trigger logging
  p:   reload proxy configuration
  q:   hide console
  r:   reload policy configuration
  s:   dump system properties
  t:   dump thread list
  v:   dump thread stack
  x:   clear classloader cache
  0-5: set trace level to <n>
  java.security.AccessControlException: access denied (java.net.SocketPermission host.domain.dom resolve)
  TelnetWrapper PROXY: java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:0 connect,resolve)
  java.lang.NullPointerException
       at net.propero.rdp.ISO.connect(ISO.java:123)
       at net.propero.rdp.MCS.connect(MCS.java:84)
       at net.propero.rdp.Secure.connect(Secure.java:153)
       at net.propero.rdp.Secure.connect(Secure.java:171)
       at net.propero.rdp.Rdp.connect(Rdp.java:498)
       at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:615)
       at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:222)
  FATAL: java.lang.NullPointerException: nullWhat is funny, is that I have two applets, and one works and the other one doesn't. It is like this:
  Applet A (signed) needs to connect to host1, fails and tries to connect through proxy using my proxy library (also signed - different JAR). Everything works.
  Applet B (signed) needs to connect to host1, fails and tries to connect through proxy using the same proxy library. It gets a security exception.
  All JARs are signed using the same key/certificate.
  Both applets try to connect to the same "host1".
  Both applets try to use the same proxy - which is different from "host1".
  The one thing that might make a difference, is that in the working applet, everything is within one thread, and in the broken applet, the proxy object is in the main applet thread, and this applet may open many windows, that all utilize the same proxy object - only they can't.
  When I tried to move the proxy object down to the child threads, I get the following exception:
  Exception in thread "Thread-1952" java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.misc)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
       at sun.applet.AppletSecurity.checkPackageAccess(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClassInternal(Unknown Source)
       at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:567)
       at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:211)It seems that I can only create the proxy object in the Applet.init() method, to avoid this exception.
  So to, summarize: I would prefer just one object for all threads that I will create, but then my applet behaves like it is not signed (at least under JVM 1.4.2_08). Java 1.5.0_06 doesn't have any problems with this.
  Regards, Miha Vitorovic

  The one thing that might make a difference, is that in the working applet, everything is within one thread, and in the broken applet, the proxy object is in the main applet thread, and this applet may open many windows, that all utilize the same proxy object - only they can't.
  When I tried to move the proxy object down to the child threads, I get the following exception:
  Exception in thread "Thread-1952" java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.misc)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
       at sun.applet.AppletSecurity.checkPackageAccess(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClassInternal(Unknown Source)
       at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:567)
       at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:211)It seems that I can only create the proxy object in the Applet.init() method, to avoid this exception.
  So to, summarize: I would prefer just one object for all threads that I will create, but then my applet behaves like it is not signed (at least under JVM 1.4.2_08). Java 1.5.0_06 doesn't have any problems with this.
  Regards, Miha Vitorovic

• How can I access the Server file system without using any signed applet?

  Is it possible for me to run an applet on the client machine such that the client can view my server file system and perform uploading and downloading of files through the applet without signing the applet?

  Add the following in your java.policy file, your plug in accesses.
  grant {
  permission java.permission.AllPermission;

• Signing applets and a dialog box.

  What's the procedure to follow when you want an applet to ask the user to grant access to file reading/writing and similar?
  I have signed the .jar, we have a nice .x509 certification at my company etc., but when I was following the tutorials it seemed really complicated. I mean we need the user to just press a "grant permissions" button or similar and then the applet would run.
  Reading the tutorials I got the impression that you need to go through a lot of trouble with exporting the keystore entries and then importing them again (the client that is).
  So, what would I do in order to have a dialog pop up and ask for the granting of permissions? Preferably never to pop up again (if possible).
  Any urls would also be helpful.
  Thanks

  Your system will be much easier to maintain if you place the certificate and policy file on the intranet server. Just follow the 10 steps. Supose your certificate is called MySoftware and you signed your JAR file with this certificate. The certificate is stored in a file called certs.store.
  Inside the policy file you can specify the keystore location:
  keystore "http://intranet.mysoft.com/admin/certs.store", "JKS";
  grant signedBy "MySoftware"
  { permission java.io.FilePermission "<<ALL FILES>>", "read" };
  The advantage of this way of working is everything can be managed remotely. As you can see, the applets that are sigend by the MySoftware certificate have permission for file IO. You can specify different security settings for each certificate in the policy file.
  Every visiter can now access your applet without needing the certificate installed because it can be found on the server.

• Signed applets and restrictions ?

  Hello,
  I've a question regarding applets security : in fact I've tried to sign myself a Jar file containing all required classes for an application (using the jarsigner tool from Sun). However I'm still getting security problems even of it was digitally signed ans don't understand exactly the causes : Could somebody explain me them ? I understood that I had to sign the Jar files using an official authority like Verisign to get all permissions, is it true ? Would it mean that we can't get these permissions without paying any submissions ?
  TU a lot...
  PA
  http://wwww.doffoel.com

  I understood that I had to sign the Jar files using an official authority like Verisign to get all permissions, is it true ?
  Its not compulsory to go to verisign for signing your applet. You can also create your own certificates with Java's keytool. Its 200% free of cost. However, if you are inclined to build a commercial application, where you don't know the clients, who download the applet, get certs from verisign , Thales et al.
  Would it mean that we can't get these permissions without paying any submissions ?
  No. Not at all. You can always make a descent application without going to the standard certificates and without paying $$$.
  Post your quetions in http://forum.java.sun.com/forum.jsp?forum=63 for expert answers.
  Have a look at this famous thread for signing applets.
  http://forum.java.sun.com/thread.jsp?forum=63&thread=132769
  good wishes,
  Rajesh

• Determine when signed applet certification is rejected

  Hello,
  When a signed applet is first run and the cert is verified, the dialog allows the user to "Run" or "Cancel". If they click "Cancel" the applet continues to run, but without the permissions it may need to do its job. Is there a way for the applet or the web page to determine if the user clicked "Cancel"?
  The applet can of course try to do a privileged operation and catch AccessControlException, but that doesn't necessarily mean that the user clicked "Cancel"; maybe OS or browser security settings are preventing the applet from doing the operation.
  Thanks

  Yes, you can check that a permission is allowed without attempting that action. You will need to change the 'permission' object to be of the type of permission that you want to check.
  try {
  java.util.PropertyPermission permission = new java.util.PropertyPermission("my.fav.property", "read");
  java.security.AccessController.checkPermission(permission);
  System.out.println("Permission Check Passed");
  } catch (AccessControlException e) {
  System.out.println("Permission Check Failed");
  }

• Signed applet don't work on XP

  Hi,
  I'am currently working on a point-of-sale (POS) using windows XP/Firefox and a linux apache/jboss server.
  I have developed a dynamic windows library in order to use an industrial printer connected to the POS to perform some printing without confirmation of the customer.
  The POS is under Windows XP SP2 and use Firefox 2.0.0.11/JRE 1.5.0.14.
  This dll is used by a signed applet located on the apache/jboss server.
  The applet is correctly downloaded by the client, but normally i have to wait for the certicat authentification windows appearing and for confirming that i want execute the applet. And instead i have a java exception :
  security: La v�rification du certificat � l'aide des certificats AC racine a �chou�
  security: Aucune information d'horodatage disponible
  java.lang.NullPointerException
       at com.sun.deploy.ui.UIFactory.showSecurityDialog(Unknown Source)
       at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
       at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
       at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
       at sun.plugin.security.PluginClassLoader.getPermissions(Unknown Source)
       at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
       at java.security.SecureClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.access$100(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  security: L'utilisateur a refus� les droits d'acc�s au code
  basic: Taille de cache du chargeur de classes courant : 1
  basic: Termin�...
  basic: Jonction du thread d'applet...
  basic: Destruction de l'applet...
  basic: Elimination de l'applet...
  basic: Sortie de l'applet...
  java.lang.ExceptionInInitializerError
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at java.lang.Class.newInstance0(Unknown Source)
       at java.lang.Class.newInstance(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission loadLibrary.C:\Program Files\BICImpression\impression_api.dll)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkLink(Unknown Source)
       at java.lang.Runtime.load0(Unknown Source)
       at java.lang.System.load(Unknown Source)
       at applets.impression.Impression.<clinit>(Impression.java:38)
       ... 11 moreand then the certicat authentification windows appears but it's too late, the applet won't never execute ...
  the apache/jboss server is accessed via some gateway, firewal, ... tha t i can't control
  the apache jboss/server on my own PC is accessed directly :
  What is amazing, is that work fine with my own professionnal PC on W2000 SP4, with JRE1.5.0.14 and Firefox 2.0.0.11 :
  when I look in the java console, the java freeze until i have answered this java security window (certicat authentification windows). And when i answered "run" no problem the applet makes her own job.
  here is the code when it works :
  security: La v�rification du certificat � l'aide des certificats AC racine a �chou�
  security: Aucune information d'horodatage disponible
  basic: Plugin modality.pushed
  basic: Modalit� empil�e
  basic: push javax.swing.JDialog[dialog0,379,296,519x323,layout=java.awt.BorderLayout,modal,title=Avertissement - S�curit�,defaultCloseOperation=HIDE_ON_CLOSE,rootPane=javax.swing.JRootPane[,3,22,513x298,layout=javax.swing.JRootPane$RootLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=16777673,maximumSize=,minimumSize=,preferredSize=],rootPaneCheckingEnabled=true]
  basic: Chargement arr�t�...
  basic: Arr�t de l'applet...Conclusion
  POS : Win XP SP2, JRE1.5.0.14 (i tried 1.5.0.6 and 1.6.3 the latest), Firefox 2.0.0.11 (I tried 2.0.0.0 and 3 beta2 don't work anyway)
  my own server/client : W2000 SP4, JRE1.5.0.14, Firefox 2.0.0.11
  Linux server : RHEL4
  It works with IE on the POS with the linux sever but it's not the selected browser.
  It works with IE on the POS with my own server.
  It works with Firefox on the POS with my own server.
  It works with IE on my own server with the linux sever but it's not the selected browser.
  It works with IE on my own server with my own server.
  It works with Firefox on my own server with the linux sever.
  It works with Firefox on my own server with my own server.
  If you have some idea to make it work i'm you're buyer !!
  Thank a lot for reading this, and i apologize for my poor english ...
  greetings,
  Benoit
  Edited by: bendur on Feb 29, 2008 3:49 AM

  Ok I have found my problem :
  On every web pages, we have defined some inactivity timeouts.
  On my own server I have disabled these timeouts but not on the distant timeout.
  And it seems that the timeout (defined in javascript ont he web pages : 3s) has a very bad influence on the launching of my applet ... only with firefox (with IE and Opera no problem)
  My problem is anwsered but the problem keep alive for firefox ...

• IIS, Javascript, Signed Applet and ASP Blank Page Problem

  Hi,
  I'm having a problem using a Signed Applet in a site that runs in a IIS (Windows Server 2003).
  My aspx web page uses the applet to read my smart card and get information from it.
  This applet uses an auxiliar dll (stored in a second Signed Jar file) in order to read the information from my smart card.
  The way the solution is design:
  1) Aspx page is asked from server
  2) Internet Explorer recieve the page and asks the server for it content (images, applet, javascripts, etc)
  3) After this the JVM runs (console opens)
  4) After the Aspx page render fully a javascript register onload fires and call an applet method
  5) Applet receive the call and run the logic of the method:
       - reads the smart card;
       - calls Javascript function in order to fill aspx fields with information from smart card
       - calls Javascript function the simulates a click in a botton of aspx page (in order to call server side part sending data readed from smart card to server)
  5) The server makes some logic with the information receive and responds to client registering in aspx page a call to another Javascrit function
  6) The client received the asnwer from server and runs the Javascript function registered on step 5)
       This Javascript calls another method from applet and runs the following logic:
       - reads more information from smart card;
       - call javascript function in order to fill more fields of aspx page with the information readed
       - calls Javascript function the simulates a click in a botton of aspx page (in order to call server side part sending data readed from smart card to server)
  7) The server makes some logic and call another pages with no Applets
  8) Client asks for a second page with the same applet and we start with another logic express on steps 1);2);3),4);5) and then 7).
  This is all ok, until sometimes the server stop responding correcly for requests regarding this two pages with the Applet.
  When this happens the server just responds with a blank page.
       - with fiddler I can seer the request for the aspx page (that uses the applet)
       - but server responds with a blank html page
  The JVM doesn't fire.
  The IIS log don't show errors.
  The eventviewer doesn't show errors.
  The problem is solved with an IIS reset or a Application Pool reset.
  After a while the problem returns.
  This problem occours for other user in another machine, the server just stops responding correcly to request regarding pages with applets, the other pages still continue to work.
  If we disable Java Control Panel->Advanced->Java Plug-in->Enable the next-generation Java Plug-in the problem seend to stop, but we can't force all clients to disable this option right?
  Or there is a way to force the Applet to run with this option disabled?
  As anyone experience similar problem?
  Regards,
  OF

  This is all ok, until sometimes the server stop responding correcly for requests regarding this two pages with the Applet.
  When this happens the server just responds with a blank page.
  - with fiddler I can seer the request for the aspx page (that uses the applet)
  - but server responds with a blank html pageWell, if http requests look identical in case of success and failure (pay attention to cookies, etc) then it has to be something on the server side.
  It could be that server gets into this wrong state because of previous requests made by applet but it is hard to tell.
  I am not clear how old/new plugin can make a difference unless your applets run in the legacy mode (i.e. you are actually trying to reuse SAME instance of the applet when
  it is loaded next time).
  I'd start with
  1) carefully comparing good/bad sessions
  2) checking whether server will serve correct response to another client when it serves "bad" page for current client
  3) add debug statements to aspx - it is scripted page, may be some condition is not met and then it returns blank?
  4) record all http requests in one session until you get to "error" state and then use any http server testing tool to "replay" this set of requests.
  You should be able to get server into the same state without use of applet. Then you can try to tweak set of requests to see what makes a difference.

• Signed Applet not loading on Mac OS X if using HTTPS protocol

  Hi All,
  I need to open a trusted applet on Mac OS 10.2. The applet works fine if using HTTP protocol. But if the protocol used is HTTPS the the applet does not loads and "javax.net.ssl.SSLException - untrusted server cert chain" exception comes on the console.
  The error comes for both - Verisign and javakey - signed applet.
  On seaching for possible solution on the net, i came across following link: http://www.macosxhints.com/article.php?story=20020525101202503&query=Workaround+for+secure+Java+applet+problems
  It says that this is Mac's known bug and gives the workaround as:
  1. Access the problematic site with Internet Explorer on Windows. Click on the padlock item and export the certificate to a file.
  2. Copy the certificate to your Mac.
  3. Use the command
  sudo keytool -import -trustcacerts -keystore /Library/Java/Home/lib/security/cacerts -file mycert.cer
  to import the certificate file to your keystore (substitute mycert.cer with the name of the file containing the certificate). The keystore is password protected - the default password is "changeit".
  4. Restart your browser
  But the client cannot be asked to do all this to run the applet.
  Is this problem being solved by Mac in their java implementation or is there any other possible solution?
  Thanx in advance.
  Regards,
  Charu

  I am experiencing the same problem - I notice it does not happen on OS9.2 using IE but appears a problem on all browsers on OSX
  Apple gave me the following reply.....
  Re: Bug ID# 3268633: cannot load applet class under https connection
  Hello Andrew,
  Thank you for bringing this problem to our attention. We have received feedback
  from engineering on your
  reported issue.
  Please know that to get Java to recognize the certificate you will need to do
  one of two things, depending
  on which VM you are using. Since you want it to work with Internet Explorer, we
  will assume Java 1.3.1.
  In Java 1.3.1 you'll need to add the certificate to
  /Library/Java/Home/lib/security/cacerts using
  /usr/bin/keytool to import the certificate into the certificate database.
  In Java 1.4.1 you should be able to just add the certificate to the keychain
  using certtool. For more
  details on how to do this, please refer to the information found at
  <http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html>. After
  doing so, if you should require
  further help from Apple in resolving this issue, we recommend that you request
  assistance from Developer
  Technical Support. This must be done by filing a Technical Support Incident.
  So I am supposed to tell every Mac user to do the above am I?!!!

• File read access denied for signed applet

  Hi:
  I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
  java.lang.Exception: java.security.AccessControlException:
      access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)The error is produced when the method loadKeyStore(pin) below is called.
      private KeyStore ks;
      private Provider provider;
      private static final String providerName    = "PKCS11";
      private static final String providerLibrary = "aetpkss1.dll";
      public void loadKeyStore(String pin) throws IOException,
       CertificateException, KeyStoreException, NoSuchAlgorithmException {
       if (provider == null)
           registerProvider(providerLibrary);
       try {
           ks = KeyStore.getInstance(providerName,provider);
       } catch (Exception e) {
           throw new KeyStoreException("Failed get keystore instance\n"
                           + e.getMessage());
       try {
           ks.load(null, pin.toCharArray());
       } catch (Exception e) {
           throw new KeyStoreException("Failed load keystore\n"
                           + e.getMessage());
      public void registerProvider(String library)
       throws FileNotFoundException, KeyStoreException {
       String fileName;
       if (new File(library).isAbsolute())
           fileName = library;
       else
           fileName = getAbsolutePath(library);
       if (!(new File(fileName).exists()))
           throw new FileNotFoundException("No such file: " + fileName);
       String config = "name = " + providerName + "\n"
           + "library = " + fileName;
       ByteArrayInputStream confStream =
           new ByteArrayInputStream(config.getBytes());
       try {
           provider = new sun.security.pkcs11.SunPKCS11(confStream);
           Security.addProvider(provider);
       } catch (Exception e) {
           throw new KeyStoreException("Can initialize " +
                           "Sun PKCS#11 provider. Reason: " +
                           e.getCause().getMessage());
      private String getAbsolutePath(String lib) throws FileNotFoundException {
       String[] searchPath;
       /* NOTE: This should be modified to suit different versions of   *
        *       Windows and not just Windows XP                         */
       if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
           searchPath = new String[] { "C:\\WINDOWS\\system32" ,
                           "C:\\java" };
       } else {
           searchPath = new String[] { "/usr/local/lib/" };
       for (int i = 0; i < searchPath.length; i++) {
           if ((new File(searchPath[i] + File.separator + lib).exists()))
            return (searchPath[i] + File.separator + lib);
       throw new FileNotFoundException("Library not in search path " + lib);
      }The above code is called by a java script, the class' constructor is empty.
  The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
  The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
  I have also made a CLI application that uses the above code and it works perfectly.
  So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
  The certificate I generated with
  keytool -genkey -keystore mystore -alias me
  keytool -seflcert -keystore mystore -alias meI have tired both with and without the selfcert step.
  Thanks! Erik

  The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
  It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
  A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate.

• Signed applet does not grant AudioPermission "record"

  From what I gather, if I have a trusted signed applet sitting on a webpage and
  the visitor accepts (runs) the applet, then they should not need to have:
  grant {
  permission javax.sound.sampled.AudioPermission "record";
  in their java policy file. Well I have done all this (with a certificate from
  Thawte) and posted a thorough example at:
  http://www.livesite.net/JavaSoundTest
  At the bottom of that page there is a "Check permissions" link which will alert
  true/false if we have record permission. Clicking any "Record" link will
  attempt to open a TargetDataLine.
  My experience (and problem) is: record permission must be granted even though
  the applet is signed by a trusted CA.
  I would very much appreciate any help.
  Are you able to record/playback (without granting record permission in your
  java policy files) with the JavaSoundTest applet webpage?
  Is there something I am missing?
  ------ More information ------
  Java Control Panel -> Advance -> Security
  'allow user to grant permissions to signed content' is checked
  Reproducable on:
  MS NT4 w/ IE6
  MS Windows 2000 w/ Firefox 1.5
  MS Windows XP w/ Firefox 1.5
  MS Windows XP w/ IE6
  Fedora FC6 w/ Firefox 2.0
  Also, this happens with a commented-out record permission in the user
  .java.policy file, or when the policy file does not exist.
  ------ Source code: opening the target data line ------
  Using the JavaSoundTest applet page without granted permission, clicking a
  record link will yield this exception in the java console:
  java.security.AccessControlException: access denied (javax.sound.sampled.AudioPermission record)
  at java.security.AccessControlContext.checkPermission
  at java.security.AccessController.checkPermission
  at java.lang.SecurityManager.checkPermission
  at com.sun.media.sound.JSSecurityManager.checkRecordPermission
  at com.sun.media.sound.DirectAudioDevice$DirectDL.implOpen
  at com.sun.media.sound.AbstractDataLine.open
  at net.livesite.jsound.Recorder.run(Recorder.java:161)
  while opening a TargetDataLine as:
  23 private static TargetDataLine line;
  157 line = (TargetDataLine) AudioSystem.getLine( lineInfo );
  158
  159 try
  160 {
  161 line.open( format, (int) format.getSampleRate() );
  162 }
  ------ Source code: Using the security manager ------
  The "Check permissions" link on the TestJavaSound applet page calls this method:
  191 public boolean hasSoundRecPriv()
  192 {
  193 boolean ret = false;
  194
  195 try
  196 {
  197 SecurityManager sm = System.getSecurityManager();
  198 if (sm != null)
  199 {
  200 sm.checkPermission(new AudioPermission("record"));
  201 }
  202 ret = true;
  203 }
  204 catch(SecurityException e)
  205 {
  206 ret = false;
  207 }
  208
  209 return ret;
  210 }
  (This is a continued post from JAVASOUND-INTEREST at SUN.COM)

  Is there something I am missing?1) Applets are not well supported by Sun,
  and are inherently problematic as a reult
  of that.
  2) My experience suggests that the diagnotics
  applet is not reliable for detecting JMF.
  3) I guess the JMF applet is doing checks of
  policy files, despite the signed code.
  You might circumvent most of these problems,
  by using web-start to launch an application.
  Here are some of my tests at launching
  JMF using web-start.
  http://www.javasaver.com/testjs/jmf/

• Signed applet not working with weblogic 5.1

  I have a problem with a signed applet. The applet is signed correctly
  and it starts up the dynamic trust management console in java plugin
  1.3.1_02 when accessed locally with the browser. But when trying to
  access the applet through weblogic (5.1) the dynamic trust management
  doesn't popup, as if the applet is not recognized as signed. In the
  weblogic policy file in WLS I have set permissions to include the
  applet class (AllPermission given to codeBase https://-, and file:/-
  to be sure that it's not the problem).
  I have tryed to run it under both http and https. I'm not making an
  rmi connection back to WL. I'm simply trying to write on the local
  file system with the applet.
  The error received in the javaconsole is java.lang.SecurityException:
  java.lang.SecurityException: Unable to create temporary file
       at java.io.File.checkAndCreate(Unknown Source)
       at java.io.File.createTempFile(Unknown Source)
       at java.io.File.createTempFile(Unknown Source)
       at com.primelog.applet.DirectPrintAppletSigned.downloadFileToPrint(DirectPrintAppletSigned.java:64)
       at com.primelog.applet.DirectPrintAppletSigned.run(DirectPrintAppletSigned.java:32)
       at java.lang.Thread.run(Unknown Source)
  I really apreaciate any tips you might have!

  yeah. I noticed the same thing. now the splash screen comes on without the flashing green squares and just hangs. i tried unintalling and then reinstalling and still no go. kind of annoying but they will probably come out with an update pretty soon

• How to run java signed applet in vista with changing IE security options

  how to run java signed applet in vista with changing IE security options. If i change the IE security settings to low. it works.
  without changing the security setting, how to run.

  j_nanaji9 wrote:
  how to run java signed applet in vista with changing IE security options. If i change the IE security settings to low. it works.
  without changing the security setting, how to run.Can't be done without changing the security setting.