Building your own signed applets:
- Get a certificate
make: use keytool to generate a self-signed cert. This works well for quick testing.
buy: contact Thawte to purchase one. This may take weeks, so plan ahead.
- Import certificate into your private store
The best tool for doing this is KeyMan from IBM alphaWorks.
- Modify applet code if necessary
If the applet will be called from JavaScript, be aware that its security privileges are revoked for those calls, because the originating caller is not signed. To get around this, implement the PrivilegedAction interface and perform any restricted operations within its run() method. Execute it with AccessController.doPrivileged(yourPrivilegedAction); this gives consistent signed behavior regardless of the caller. Use this with caution and keep the run() method as short as possible, because whatever run() does becomes available, with the applet's full privileges, to any script that can call the applet.
- Build applet jar
As you normally would, using your IDE or Ant.
- Sign Jar
This can be done by hand or as part of your Ant script.
byHand:
jarsigner -keystore YOURPRIVATESTORE -signedjar SIGNEDJARNAME.JAR OLDJARNAME.JAR signFiles
byAnt:
<target name="signJar">
<signjar verbose="true" keystore="${keystore}" alias="${alias}" storepass="${storepass}" jar="${jarfile}"/>
</target>
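The "Modify applet code" step above, as an added example that is not part of the original post: a method meant to be called from page JavaScript that validates its argument before entering a short privileged block. The class name ReportApplet, the method readReport, the "reports" directory and the file-name pattern are hypothetical.

```java
import java.applet.Applet;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical signed applet; all names here are assumptions for illustration.
public class ReportApplet extends Applet {

    // Intended to be called from JavaScript in the hosting page.
    // The argument comes from unsigned script, so treat it as untrusted.
    public String readReport(final String name) {
        // Validate BEFORE elevating: plain file names only, no separators,
        // no "..", fixed extension. Anything else is refused.
        if (name == null || !name.matches("[A-Za-z0-9_-]{1,32}\\.txt")) {
            return null;
        }
        // Only the restricted operation goes inside run(); the privileged
        // block uses the applet's own signed permissions regardless of caller.
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                try {
                    // The directory is fixed by the applet, never by the caller.
                    File base = new File(System.getProperty("user.home"), "reports")
                            .getCanonicalFile();
                    File target = new File(base, name).getCanonicalFile();
                    // Defence in depth: the resolved file must sit directly in
                    // the fixed directory (catches symlink tricks).
                    if (!base.equals(target.getParentFile())) {
                        return null;
                    }
                    return new String(Files.readAllBytes(target.toPath()),
                            StandardCharsets.UTF_8);
                } catch (IOException e) {
                    return null; // do not leak path details back to page script
                }
            }
        });
    }
}
```

Passing a caller-supplied path straight into run() would let any script on the page read arbitrary files with the signer's privileges, which is why the directory is hard-coded and the name is checked first.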
Restricting or empowering applets not written by you:
Modify the java.policy file found in the lib\security folder under your JRE plugin install. Most Windows users will find this under C:\Program Files\java\JREx.x.x_xx\lib\security. You can limit or allow behavior of applets based on their signed alias, code base or principal (the individual making a request).