Friday, July 27, 2007

Java permissions and the signed applet

As we know that by default, applets have no access to system resources outside the directory from which they were launched, but a signed applet can access local system resources as allowed by the local system's security policy. The JDK provides security tools so end users and system administrators can sign applets and applications, and define their local security policy by specifying in a policy file (placed in the user home directory plus the default one in the JRE_HOME\lib\security) how much access to local system resources a signed applet or application can have.

Work in steps:-
  1. Set Applet Permissions

    2. You can set the permissions that your applet wants to run correctly in its init method, those are a sample permissions:

    private void setPolicyPermissions() throws MalformedURLException {
    Policy policy = Policy.getPolicy();
    PermissionCollection permissions = policy.getPermissions(new CodeSource(new URL(getParameter("CODE_SOURCE_URL")),
    new Certificate[0]));
    RuntimePermission accessClassPermission = new RuntimePermission("accessClassInPackage.sun.awt.windows");
    permissions.add(accessClassPermission);
    }

    You can see the available permissions in Java. and choose the suitable for your mission.


  2. Compile the Applet

    3. In your working directory, use the javac command to generate the class file:

    javac MyApplet.java


  3. Generate the Jar file

    4. Now it's the time to generate a jar file to contain the .class files, so we'll use the jar command to finish this task:

    jar -cvf MyApplet.jar *.class


  4. Generate Keys

    5. Here we'll generate the needed keys to sign the jar file to be enabled to run at the client and use his machine resources safely using the keytool command. the prompt will ask you for a password to the key and another one for the store... handle that:

    keytool -genkey -alias MyKey -keypass KeyPass


  5. Self certify

    6. we'll use the keytool command again to make our key self certify. (i think that command used instead of using the private and public key):

    keytool -selfcert -alias MyKey


  6. Sign the JAR File

    7. JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, jarsigner to make a signed copy of the MyApplet.jar file:

    jarsigner -storepass StroePass -keypass KeyPass MyApplet.jar MyKey

Now you have a signed applet jar which has the suitable permissions to use the client machine resources ;)
Posted by at No comments:
Subscribe to: Posts (Atom)