

(see the article by Monica Pawlan and Satya Dodda and the Signed Applet Tutorial by Larry Siden)

The signJOGL.sh shell script creates and signs a JOGLbase JAR file. It is explained below.

Signed Applets

By default, applets have no access to system resources outside the directory from which they were launched, but a signed applet can access local system resources as allowed by the local system's security policy.

The following applet, SignedAppletDemo.java, tries to create a file named newfile in the user's home directory:

import java.applet.Applet;
import java.awt.Graphics;
import java.io.*;
import java.awt.Color;

public class SignedAppletDemo extends Applet {

    // Tries to write a short message to <user.home>/newfile and returns a status string.
    public String test()
    {
        setBackground(Color.white);

        // Reading user.home requires a PropertyPermission. Without it, an
        // AccessControlException is thrown here, outside the try block.
        String fileName = System.getProperty("user.home") +
                          System.getProperty("file.separator") + "newfile";
        String msg = "This message was written by a signed applet!!!\n";
        String s;

        try {
            // Writing the file requires a FilePermission for this path.
            FileWriter fos = new FileWriter(fileName);
            fos.write(msg, 0, msg.length());
            fos.close();
            s = "Successfully created file :" + fileName;
        } catch (Exception e) {
            System.out.println("Exception e = " + e);
            e.printStackTrace();
            s = "Unable to create file :  " + fileName;
        }
        return s;
    }

    // Draws the title and the result of the file-creation attempt.
    public void paint(Graphics g)
    {
        g.setColor(Color.blue);
        g.drawString("Signed Applet Demo", 120, 50);
        g.setColor(Color.magenta);
        g.drawString(test(), 50, 100);
    }
}


Signing your Applet

What follows now is a walkthrough for signing your applet (see: SUN docs: Steps for the Code Signer):
  1. Compile the Applet (javac or make)
  2. Compose a JAR File (jar)
  3. Generate Keys (keytool)
  4. Sign the JAR File (jarsigner)
  5. Export the Public Key Certificate (keytool)

Compile the Applet

Compile the source code to produce the SignedAppletDemo.class file:
javac SignedAppletDemo.java
Create a SignedAppletDemo.html file containing a simple applet tag to call the applet:
<applet code="SignedAppletDemo.class"
   archive="SSignedApplet.jar"
   width=400 height=400>
</applet>
Now try to start the applet using the appletviewer:
appletviewer SignedAppletDemo.html
You will see an error message:
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
...

If an applet attempts to access local system resources, the applet must be signed and the local system must have a policy file configured to allow the access.

If a signature is needed for the access, the applet has to be bundled into a Java ARchive (JAR) file before it can be signed.

Compose a JAR File

jar cvf SignedAppletDemo.jar SignedAppletDemo.class
A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic.

Generate Keys

You create a keystore database (a file) named mystore that has an entry for a newly generated public and private key pair with the public key in a certificate:
keytool -genkey -alias signMyFiles -keystore mystore -keypass mykey -dname "cn=YourName" -storepass mykeystore
This keytool -genkey command generates a key pair that is identified by the alias signMyFiles. Subsequent keytool command invocations use this alias and the key password (-keypass mykey) to access the private key in the generated pair.

The generated key pair is stored in a keystore database called mystore (-keystore mystore) in the current directory, and accessed with the password (-storepass mykeystore).

Sign the JAR File

JAR Signer is a command line tool for signing and verifying the signature on JAR files. Use jarsigner to make a signed copy of the SignedAppletDemo.jar file:
jarsigner -keystore mystore -storepass mykeystore -keypass mykey \
          -signedjar SSignedApplet.jar SignedAppletDemo.jar signMyFiles
jarsigner extracts the certificate (signMyFiles) from the keystore (-keystore mystore) and attaches it to the generated signature of the signed JAR file (-signedjar SSignedApplet.jar) using the private key (-keypass mykey).

Export the Public Key Certificate

The public key certificate is sent with the JAR file to whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you first have to export it. This is done using keytool to extract the signMyFiles certificate from mystore and copy it to a file named me.cer:
keytool -export -keystore mystore -storepass mykeystore -alias signMyFiles -file me.cer
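
A receiver-side check of the statement above that the certificate is used to authenticate the signature on the JAR file, as an added example that is not part of the original tutorial: it reads every entry of the JAR with verification enabled and confirms that each one was signed with the exported certificate. The class name VerifySignedJar is hypothetical; the file names passed to it are the ones used on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example; VerifySignedJar is a hypothetical name, not part of the tutorial.
public class VerifySignedJar {
    // META-INF files that hold the manifest and signature blocks are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.startsWith("META-INF/") && (n.endsWith("/MANIFEST.MF")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC"));
    }
    // True only if the JAR has content and every entry was signed with the trusted certificate.
    static boolean signedBy(String jarPath, Certificate trusted) throws Exception {
        byte[] buf = new byte[8192];
        int checked = 0;
        try (JarFile jar = new JarFile(jarPath, true)) {      // true = verify while reading
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are known only after the entry has been read to the end;
                // a digest mismatch (modified entry) raises SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) return false;               // entry added without a signature
                boolean match = false;
                for (Certificate c : certs) match |= c.equals(trusted);
                if (!match) return false;                      // signed, but by someone else
                checked++;
            }
        } catch (SecurityException e) {
            return false;                                      // entry modified after signing
        }
        return checked > 0;
    }
    public static void main(String[] args) throws Exception {
        Certificate trusted;
        try (InputStream in = new FileInputStream(args[1])) {
            trusted = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(signedBy(args[0], trusted) ? "signed by trusted certificate" : "NOT trusted");
    }
}
```

Run it as: java VerifySignedJar SSignedApplet.jar me.cer. On current JDKs a JAR signed with an algorithm listed in the jdk.jar.disabledAlgorithms security property is treated as unsigned, so the check returns false for it.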


Accept (Trust) an Applet

What follows now is a walkthrough to accept (trust) an applet (see: SUN docs: Steps for the Code Receiver):
  1. Import Certificate as a Trusted Certificate (keytool)
  2. Create the Policy File (emacs Write.jp)
  3. Run the Applet in Applet Viewer (appletviewer -J-D... )

Import Certificate as a Trusted Certificate

Your friend receives your JAR file, imports your certificate (me.cer), creates a policy file granting the applet access, and runs the applet.

Your friend must now create a keystore database (a file called localstore) with a password (-storepass localkeystore) and import your certificate (me.cer)--say, you are Fred and he renames it to fred.cer--into it, using fred as alias:

keytool -import -alias fred -file fred.cer -keystore localstore -storepass localkeystore

Create the Policy File

The policy file (Write.jp) grants the SSignedApplet.jar file signed by the alias fred permission to create newfile (and no other file) in the user's home directory:
keystore "localstore";

grant SignedBy "fred" {
  permission java.util.PropertyPermission "user.home", "read";
  permission java.io.FilePermission "${user.home}/newfile", "write";
};

Run the Applet in Applet Viewer

Type everything on one line without space after the options -J and -D:
appletviewer -J-Djava.security.policy=Write.jp SignedAppletDemo.html
The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.


Links

http://java.sun.com/developer/technicalArticles/Security/Signed/
http://java.sun.com/docs/books/tutorial/security/toolsign/wstep3.html
http://java.sun.com/docs/books/tutorial/security/index.html
http://www.cokeandcode.com/book/print/11
http://www.cokeandcode.com/info/webstart-howto.html
http://java.sun.com/developer/technicalArticles/Security/ReallySecure/