Tuesday, December 22, 2009

Signed Applet and how to make a signed jar

A signed applet is one whose jar carries a digital signature, and only a signed applet can be treated as trusted by the browser. If an applet needs access to the local file system, every jar file in the application must be signed, because by default, for security reasons, Java applets run inside a sandbox.

This means the applet can't do anything that might threaten the user's machine (e.g. reading, writing or deleting local files, opening unmarked top-level windows, or querying various system properties).

Early browsers had no provision for Java applets to reach outside the sandbox. Later browsers and the Java plug-in, however, can grant "trusted" applets the ability to work outside it. For that to happen, the applet's code must be digitally signed with your digital ID (a certificate whose private key only you hold, so the signature cannot be forged), and the user must state that they trust applets signed with that ID. When the plug-in loads a signed applet whose certificate is not yet trusted, it shows the certificate and asks the user whether to grant the extra privileges; if the user says no, the applet runs in the sandbox like any other. An applet signed with a certificate the user has not chosen to remember will prompt every time it runs, but the user can choose to remember the answer, after which applets signed with the same ID are not asked about again.

Let's see what it takes to create your own signed applets. Sun's JDK ships the tools you need (keytool and jarsigner), and the process comprises three main steps.

(1) First, generate a key pair with keytool.

D:/j2sdk1.5/bin/keytool -genkey -alias green -keypass greenpass

green is the alias for the key pair and greenpass is the password that protects the private key stored under that alias. Because no -keystore is given, the key pair is stored in the file .keystore in your home directory. keytool first prompts for the keystore password (which guards the file as a whole) and then asks for the name, organisation, city, state and country that make up the certificate's distinguished name. Those answers are exactly what users see in the trust dialog when they decide whether to trust your applet, so fill them in accurately rather than just hitting enter.
Two caveats: a password given on the command line ends up in your shell history and is visible in the process list, so it is safer to let keytool prompt for it; and in JDK 5 -genkey without -keyalg produces a 1024-bit DSA key, so add -keyalg RSA -keysize 2048 for a stronger key.

(2) Create a self-signed certificate.

D:/j2sdk1.5/bin/keytool -selfcert -alias green

Strictly speaking, -genkey already wraps the new public key in a self-signed certificate, so this step is only needed when you want to regenerate that certificate, for example with a different distinguished name or validity period (-selfcert accepts -dname and -validity). Either way the result is self-signed: the browser will present you as an untrusted publisher and leave the decision to the user. Only a certificate issued by a CA that the Java plug-in already trusts avoids that warning.

(3) Once the key pair exists, sign the jar file with jarsigner.

jarsigner YourJarFileName alias

d:/j2sdk1.5/bin/jarsigner Test.jar green

It will prompt for both passwords you set while generating the key: the keystore password first, then the key password for the alias. jarsigner signs the jar in place (use -signedjar to write a separate file), adding a signature file (GREEN.SF) and a signature block (GREEN.DSA or GREEN.RSA, depending on the key algorithm) under META-INF/. Run jarsigner -verify Test.jar afterwards to confirm that the signature checks out before you distribute the jar.

The jar file is now signed and you can distribute it. Note what the signature does and does not do: it identifies the publisher and lets the Java plug-in detect any tampering, but it grants no privileges by itself. On a user's system the applet only gets access to the file system after the user accepts your certificate in the trust dialog. Any change to the jar's contents invalidates the signature, so the jar has to be re-signed after every rebuild.

Note: the certificate keytool generates is valid for only 90 days by default; pass -validity with the number of days you want when generating it. The signature itself does not expire, but once the certificate does, the Java plug-in warns users that it has expired, so either re-sign with a fresh certificate before then or timestamp the signature with jarsigner's -tsa option so that it remains verifiable after the certificate's expiry date.
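The three steps above as one runnable POSIX shell script (an added example, not code from the original post), assuming a JDK with keytool, jar and jarsigner on PATH. The alias, password, distinguished name, file names and the contents of the jar are made up for the demo, and the keystore goes into a scratch directory rather than ~/.keystore. It also performs the two checks the post leaves out: jarsigner -verify on the freshly signed jar, and the same check after an entry has been altered behind the signature's back, which must fail.

```sh
#!/bin/sh
# Added example (not from the original post): keystore creation, jar signing
# and signature verification with the JDK's keytool, jar and jarsigner.
# Assumes a JDK on PATH; alias, password and file names are illustrative.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEYSTORE="$WORK/applet.keystore"
ALIAS=green
# One password for store and key: PKCS12, the default keystore type in current
# JDKs, does not support separate store and key passwords (JKS does).
# Passing it on the command line shows it in `ps` and shell history; a real
# signing key should be unlocked at keytool's/jarsigner's interactive prompt.
PASS='greenpass-demo-only'

# Steps 1 and 2 of the post in one command: -genkey creates the key pair and
# wraps the public key in a self-signed certificate, so a separate -selfcert
# is unnecessary. -dname answers the distinguished-name questions
# non-interactively; these fields are what users see in the trust dialog.
make_keystore() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname 'CN=Example Applets, O=Example Ltd, C=US' \
        -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS"
}

# Build a tiny jar to sign (constructed sample content, no real applet class).
build_jar() {
    mkdir -p "$WORK/content"
    printf 'hello from the applet jar\n' > "$WORK/content/hello.txt"
    jar cf "$WORK/Test.jar" -C "$WORK/content" .
}

# Step 3: sign. -signedjar writes a separate file instead of signing in place.
sign_jar() {
    jarsigner -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS" \
        -signedjar "$WORK/Test-signed.jar" "$WORK/Test.jar" "$ALIAS"
}

# The check to run before shipping: exits 0 only if every entry's digest
# matches the manifest and the signature over the manifest verifies. The
# self-signed certificate only produces a warning here (no -strict).
verify_jar() {
    jarsigner -verify "$1"
}

# List the signature file and signature block jarsigner added; the names are
# the alias upper-cased, so GREEN.SF and GREEN.RSA for an RSA key.
signature_files() {
    jar tf "$1" | grep -E '^META-INF/GREEN\.(SF|RSA)$'
}

# Replace an entry after signing without re-signing. The digest recorded in
# META-INF/MANIFEST.MF no longer matches, so verify_jar must now fail.
tamper_jar() {
    mkdir -p "$WORK/tampered"
    printf 'modified after signing\n' > "$WORK/tampered/hello.txt"
    jar uf "$1" -C "$WORK/tampered" .
}

main() {
    make_keystore
    build_jar
    sign_jar
    verify_jar "$WORK/Test-signed.jar" && echo "signed jar verifies"
    signature_files "$WORK/Test-signed.jar"
    tamper_jar "$WORK/Test-signed.jar"
    if verify_jar "$WORK/Test-signed.jar"; then
        echo "BUG: tampered jar still verifies"; exit 1
    fi
    echo "tampered jar rejected, as expected"
}

# Run the whole flow only when invoked as: sh sign_applet_jar.sh run
if [ "${1:-}" = run ]; then main; fi
```

The tamper step is the reason to verify at all: a jar that has been rebuilt, patched or modified in transit still looks like a jar, and only jarsigner -verify (or the Java plug-in's own check at load time) notices that the recorded digests no longer match. Without -strict, jarsigner -verify treats the self-signed certificate and the missing timestamp as warnings; add -strict once you sign with a CA-issued certificate and want those to fail the build too.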
