The signJOGL.sh shell script creates and signs a JOGLbase JAR file. The steps it performs are explained below.
The following applet, SignedAppletDemo.java, tries to create a file named newfile in the user's home directory:
import java.applet.Applet;
import java.awt.Color;
import java.awt.Graphics;
import java.io.FileWriter;

public class SignedAppletDemo extends Applet {

    // Tries to write a file in the user's home directory; both the
    // user.home property read and the file write require permissions
    // an unsigned applet does not have.
    public String test() {
        setBackground(Color.white);
        String fileName = System.getProperty("user.home")
                + System.getProperty("file.separator") + "newfile";
        String msg = "This message was written by a signed applet!!!\n";
        String s;
        try {
            FileWriter fos = new FileWriter(fileName);
            fos.write(msg, 0, msg.length());
            fos.close();
            s = "Successfully created file :" + fileName;
        } catch (Exception e) {
            // Typically java.security.AccessControlException when unsigned
            System.out.println("Exception e = " + e);
            e.printStackTrace();
            s = "Unable to create file : " + fileName;
        }
        return s;
    }

    public void paint(Graphics g) {
        g.setColor(Color.blue);
        g.drawString("Signed Applet Demo", 120, 50);
        g.setColor(Color.magenta);
        g.drawString(test(), 50, 100);
    }
}
Compile the applet:
javac SignedAppletDemo.java
Create a SignedAppletDemo.html file containing a simple applet tag to call the applet:
<applet code="SignedAppletDemo.class" archive="SSignedApplet.jar" width=400 height=400> </applet>
Now try to start the applet using the appletviewer:
appletviewer SignedAppletDemo.html
You will see an error message:
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read) ...
If an applet attempts to access local system resources, the applet must be signed and the local system must have a policy file configured to allow the access.
If a signature is needed for the access, the applet has to be bundled into a Java ARchive (JAR) file before it can be signed.
jar cvf SignedAppletDemo.jar SignedAppletDemo.class
A JAR file is signed with the private key of the creator of the JAR file, and the signature is verified by the recipient of the JAR file with the public key of the same pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value, so the person using the public key can be assured the public key is authentic.
keytool -genkey -alias signMyFiles -keystore mystore -keypass mykey -dname "cn=YourName" -storepass mykeystore
This keytool -genkey command generates a key pair that is identified by the alias signMyFiles. Subsequent keytool command invocations use this alias and the key password (-keypass mykey) to access the private key in the generated pair.
The generated key pair is stored in a keystore database called mystore (-keystore mystore) in the current directory, and accessed with the password (-storepass mykeystore).
jarsigner -keystore mystore -storepass mykeystore -keypass mykey \
-signedjar SSignedApplet.jar SignedAppletDemo.jar signMyFiles
jarsigner extracts the certificate (signMyFiles) from the keystore (-keystore mystore) and attaches it to the generated signature of the signed JAR file (-signedjar SSignedApplet.jar), which it computes using the private key (-keypass mykey).
Export the certificate for the public key so it can be given to whoever will run the applet:
keytool -export -keystore mystore -storepass mykeystore -alias signMyFiles -file me.cer
Your friend must now create a keystore database (a file called localstore) with a password (-storepass localkeystore) and import your certificate (me.cer)--say, you are Fred and he renames it to fred.cer--into it, using fred as alias:
keytool -import -alias fred -file fred.cer -keystore localstore -storepass localkeystore
The policy file (here called Write.jp) names that keystore and grants only the two permissions the applet needs, and only to code signed by the certificate stored under the alias fred:
keystore "localstore";
grant SignedBy "fred" {
permission java.util.PropertyPermission "user.home", "read";
permission java.io.FilePermission "${user.home}/newfile", "write";
};
appletviewer -J-Djava.security.policy=Write.jp SignedAppletDemo.html
The policy file can be stored on a server and specified in the appletviewer invocation as a URL.
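The recipient side of this procedure relies on two things that jarsigner and the policy file do not check for you: that every class in the JAR is actually covered by the signature (a signed JAR may legally contain unsigned entries), and that the signer is the certificate you imported (fred.cer), not merely some certificate. The following program, an added example that is not part of the original page or of the JOGL scripts, performs both checks. The class name CheckSignedJar, the argument layout, and the assumption that localstore can be loaded with the JDK's default keystore type are mine; the file names and aliases are the ones used above.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Checks that every code entry in a signed JAR is signed by a certificate we already trust. */
public class CheckSignedJar {

    /** Entries that are unsigned, or signed by a certificate other than the trusted one. */
    static class Report {
        final List<String> unsigned = new ArrayList<>();
        final List<String> untrusted = new ArrayList<>();
        boolean ok() { return unsigned.isEmpty() && untrusted.isEmpty(); }
    }

    /** The manifest and the .SF/.RSA/.DSA/.EC signature files are never themselves signed. */
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
            || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    static Report check(File jarPath, Certificate trusted) throws IOException {
        Report report = new Report();
        // verify=true makes JarFile compare each entry's digest with the signed manifest;
        // reading a tampered entry then throws SecurityException
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                // getCodeSigners() is only populated once the entry has been read to the end
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    report.unsigned.add(entry.getName()); // legal in a signed JAR, but not what we want
                    continue;
                }
                boolean trustedSigner = false;
                for (CodeSigner signer : signers) {
                    // the first certificate in the path is the signer's own certificate
                    Certificate signerCert = signer.getSignerCertPath().getCertificates().get(0);
                    if (signerCert.equals(trusted)) trustedSigner = true; // compares encoded form
                }
                if (!trustedSigner) report.untrusted.add(entry.getName());
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // usage (hypothetical layout): java CheckSignedJar SSignedApplet.jar localstore localkeystore fred
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        Certificate trusted = ks.getCertificate(args[3]);
        if (trusted == null) throw new IllegalArgumentException("no certificate under alias " + args[3]);
        if (trusted instanceof X509Certificate) {
            System.out.println("trusted signer: " + ((X509Certificate) trusted).getSubjectX500Principal());
        }
        Report r = check(new File(args[0]), trusted);
        System.out.println("unsigned entries: " + r.unsigned);
        System.out.println("entries signed by someone else: " + r.untrusted);
        System.exit(r.ok() ? 0 : 1);
    }
}
```

The check mirrors what the policy file's SignedBy "fred" clause does at run time, but it does so before the JAR is deployed and it reports exactly which entries would fall outside the grant. Draining each entry before calling getCodeSigners() is essential: the JarFile API populates signer information lazily, so querying it on an unread entry returns null and would wrongly classify a properly signed class as unsigned.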