Applets are, by design, restricted in what they can do. These restrictions protect a user from arbitrary code executing on their machine. Signing an applet removes most of these restrictions. Signing basically means that the applet writer is vouching that the applet is safe. The user of a signed applet can accept the signed applet and have it run without most restrictions, or reject the applet and not have it run at all. A signed applet should be signed using a certificate from a recognized certificate authority (costs money), but self-signing a certificate will work (is free).
Here is the simplest way (with reasonable options included) to self-sign an applet.
Say that your applet is contained in a jar file named "Security.jar".
keytool -genkey -dname "cn=Trusted Developer" -validity 365 -storepass SecretStorePassword -keypass SecretKeyPassword
jarsigner -storepass SecretStorePassword -keypass SecretKeyPassword Security.jar mykey
Below are all the steps necessary to produce a signed jar file named "Security.jar" from a Java source code file called Security.java
::] keytool -genkey -dname "cn=Trusted Developer" -validity 365 -storepass SecretStorePassword -keypass SecretKeyPassword
The above step does not need to be done again.
The following steps need to be done each time a self-signed jar file is to be made.
::] javac -version
javac 1.6.0_21
::] javac Security.java
::] jar -cf Security.jar Security.class
::] jarsigner -storepass SecretStorePassword -keypass SecretKeyPassword Security.jar mykey
The following step shows how to verify the signed jar file.
::] jarsigner -verify -verbose Security.jar

         138 Mon Oct 04 23:34:56 EDT 2010 META-INF/MANIFEST.MF
         259 Mon Oct 04 23:34:56 EDT 2010 META-INF/MYKEY.SF
         804 Mon Oct 04 23:34:56 EDT 2010 META-INF/MYKEY.DSA
           0 Mon Oct 04 23:34:44 EDT 2010 META-INF/
smk      620 Mon Oct 04 23:34:30 EDT 2010 Security.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
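The same per-entry check can be made from Java with java.util.jar.JarFile, which also shows when an entry is unsigned or when the signer's certificate is self-signed. This is an added example, not code from the original page; the class name VerifyJar and the default path Security.jar are assumptions, and it needs Java 7 or later.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: programmatic counterpart of "jarsigner -verify -verbose".
public class VerifyJar {
    public static void main(String[] args) throws Exception {
        // Assumption: the jar path is the first argument, defaulting to Security.jar
        File jar = new File(args.length > 0 ? args[0] : "Security.jar");
        boolean allSigned = true;
        // verify=true makes JarFile check digests and signatures as entries are read
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: directories and everything under META-INF/
                // (manifest, .SF, .DSA signature files) are skipped
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry is read to the end;
                // an entry whose digest does not match throws SecurityException
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    allSigned = false;
                    System.out.println("UNSIGNED  " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate c = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                    // Heuristic: subject equal to issuer means a self-signed certificate
                    boolean selfSigned = c.getSubjectX500Principal()
                            .equals(c.getIssuerX500Principal());
                    System.out.println("signed    " + e.getName() + "  by "
                            + c.getSubjectX500Principal().getName()
                            + (selfSigned ? "  (self-signed)" : ""));
                }
            }
        }
        if (!allSigned) System.exit(1);  // non-zero exit when any entry is unsigned
    }
}
```

A jar that had a class added after signing still opens normally; only the per-entry signer check reveals the unsigned entry.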
Normally, applet security prevents unsigned applets from displaying a user's account name.
The following applet source code attempts to display the user's account name.
public class Security extends javax.swing.JApplet {
    public Security() {
        add(new javax.swing.JLabel("user name = " + System.getProperty("user.name")));
    }
}
Getting a user's account name is a restricted operation. The applet security model will prevent the applet from running.
The applet will run if the code is put in a signed jar file and the user accepts the code signature certificate.
Below is an example of the above applet put in a signed jar file (Security.jar).
pack200 compressed jar files
First read Java Applets in HTML5.
Here are the steps:
::] javac -version
javac 1.6.0_21
::] javac Security.java
::] jar cvf Compressed_Security.jar *.class
added manifest
adding: Security.class(in = 620) (out= 381)(deflated 38%)
::] pack200 -r Compressed_Security.jar
::] jarsigner -storepass SecretStorePassword -keypass SecretKeyPassword Compressed_Security.jar mykey
::] pack200 Compressed_Security.jar.pack.gz Compressed_Security.jar
To verify that the compressed jar file is signed correctly, use unpack200 to uncompress the jar file.
::] unpack200 Compressed_Security.jar.pack.gz Verify.jar
::] jarsigner -verify -verbose Verify.jar

         138 Mon Oct 04 23:36:24 EDT 2010 META-INF/MANIFEST.MF
         259 Mon Oct 04 23:36:24 EDT 2010 META-INF/MYKEY.SF
         804 Mon Oct 04 23:36:24 EDT 2010 META-INF/MYKEY.DSA
           0 Mon Oct 04 23:35:46 EDT 2010 META-INF/
smk      620 Mon Oct 04 23:34:30 EDT 2010 Security.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
pack200 compressed jar file signed applet