Java run self signed applications

How to sign a Java applet

This tutorial explains the steps needed to sign a Java applet, either with a self-signed certificate (self-signing) or with a trusted certificate issued by a certificate authority like VeriSign or Thawte. Signing a Java applet is not a difficult task, and it should be done correctly. First, let’s look at why we sometimes need to have a Java applet signed.

1. Why do we need to sign a Java applet?

When running inside a web browser, Java applets live in a restricted environment, the so-called “sandbox”, which prevents them from accessing system resources and devices such as files, network connections, printers, cameras and microphones without user-granted permission. This tight security is designed to keep users safe from malicious code, which tries to execute automatically without the user’s intervention.

The following picture illustrates how such restriction is applied for unsigned applet and signed applet within the sandbox:

java applet sandbox

To access system resources and devices, the applet must be signed with a digital certificate which is issued by a trusted Certificate Authority (CA). Thus the user can trust this applet and grant permission.


For example, if you are developing applets that read or write the file system, capture video from a camera, or record audio from a microphone, then you definitely must sign your applets.

There is another way to grant permission to applets, through a .java.policy file, but this method is for development only. It is not suitable for deploying applets in a production environment because it requires users to manually put the .java.policy file on their computers. Signing the applet is therefore the convenient way.

2. A Sample applet for signing

To illustrate the process of signing an applet, this tutorial works with a sample Java applet that shows an open dialog for browsing files on the user’s computer. Here is the code of the applet:

package net.codejava.applet;

import java.awt.*;
import java.awt.event.*;
import javax.swing.*;

public class FileBrowseApplet extends JApplet {
    private JButton button = new JButton("Browse");

    public void init() {
        getContentPane().setLayout(new FlowLayout());
        getContentPane().add(button);

        button.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent evt) {
                // Opening the file chooser needs file system access,
                // which the sandbox denies to an unsigned applet.
                JFileChooser fileChooser = new JFileChooser();
                fileChooser.showOpenDialog(FileBrowseApplet.this);
            }
        });
    }
}

file browse applet in browser

When hitting the Browse button, an exception of type java.security.AccessControlException is thrown:

java console error

It is because the open dialog needs permission to access file system resources, but an unsigned applet is denied this permission by default. So, to overcome this, the applet must be signed.

3. Requirements for signing a Java applet

Before an applet can be signed, all of its classes must be packaged into a single jar file. This can be done with the jar tool that comes with the JDK. For example:

jar cfv FileApplet.jar net

That adds all classes under the package net.codejava to the FileApplet.jar file.

Two programs are also required:

• keytool.exe: a key and certificate management tool. We use it to generate an RSA public/private key pair associated with a certificate (a so-called self-signed certificate), or to read a trusted certificate.
• jarsigner.exe: a signing tool that creates a digital signature of a jar file using a provided certificate.

The following diagram illustrates the signing process:

signing process

Now, let’s dive into the signing process using two types of certificate: a self-signed certificate and a trusted certificate.

4. Sign a Java applet using a self-signed certificate

A certificate that is created and signed by the same entity is called a self-signed certificate. Self-signing is simple and quick because we can use our own certificate generated by the keytool program, we do not have to spend time requesting and obtaining a certificate from a certificate authority, and it costs nothing. Its drawback is that the user may not accept the certificate, since it is not trusted by any public authority. So this method is suitable for development and testing purposes only.

The syntax of the command to generate a self-signed certificate is as follows:

keytool -genkey -alias <alias> -keystore <filename> -keypass <keypass> -dname <dname> -storepass <storepass> -validity <days>

• <alias>: a unique identifier of the certificate. Note that the alias is case-insensitive.
• <filename>: name of the file which stores the certificate.
• <keypass>: password that protects the key pair.
• <dname>: distinguished name of the certificate.
• <storepass>: password of the certificate store.
• <days>: number of days after which the certificate will expire.

For example:

keytool -genkey -alias myAlias -keystore myCert -keypass myKeyPass -dname "CN=FileApplet" -storepass myStorePass -validity 1825

The -validity parameter specifies that this certificate will expire after 5 years (1825 = 5 × 365).

Now we use the jarsigner tool to sign the applet’s jar file. The syntax of this command is as follows:

jarsigner -keystore <filename> -keypass <keypass> -storepass <storepass> <jar file> <alias>

For example, the following command signs FileApplet.jar using the self-signed certificate stored in the file myCert:

jarsigner -keystore myCert -keypass myKeyPass -storepass myStorePass FileApplet.jar myAlias

The jarsigner tool signs the applet by creating a digital signature for all classes of the applet and putting it into the META-INF directory inside the jar file.

Run the applet again by refreshing the browser. This time a Security Warning dialog shows up:

run self-signed applet warning

Note that the Publisher field is set to UNKNOWN because this certificate is self-signed.

Click More Information, then Certificate Details… to see information about the certificate, as in the following screenshot:

self-signed certificate information

To grant permission to the applet, check the option “I accept the risk and want to run this application” in the Security Warning dialog, then click Run.

Now click the Browse button in the applet again; the Open dialog is displayed:

open dialog

That’s the process of signing a Java applet using a self-signed certificate. Let’s switch to the second approach.

5. Sign a Java applet using a trusted certificate

A trusted certificate is one that is signed by a publicly trusted certificate authority, such as VeriSign, Thawte or Entrust. The process is similar to self-signing, except that we do not create our own certificate with keytool. Instead, we have to purchase and obtain a certificate issued by the certificate authority, which takes more time and money. However, this method increases the degree of trust in our application, because no one can fake a trusted certificate.

Suppose we have our trusted certificate stored in a .pfx file, CompanyCert.pfx, and we know the password to access the certificate. Use the following command syntax to obtain the alias name of the certificate:

keytool -list -storetype pkcs12 -keystore <pfx file> -storepass <storepass>

For example:

keytool -list -storetype pkcs12 -keystore CompanyCert.pfx -storepass myStorePass

The output looks like the following screenshot:

get certificate alias

The alias name is shown in the yellow-marked section (for security purposes, other information is blurred in this screenshot). Copy the alias name, and use the following command to sign the applet’s jar file:

jarsigner -storetype pkcs12 -keystore CompanyCert.pfx -storepass myStorePass FileApplet.jar myAlias

Replace “myStorePass” and “myAlias” with the real values that correspond to your certificate.

Now run the applet again; a warning dialog appears, as in the following screenshot:

run trusted certificate warning

Notice that, this time, the warning dialog is slightly different from the one for a self-signed certificate. Obviously the publisher name has a specific value rather than UNKNOWN. Check “Always trust content from this publisher”, then click Run. We have granted permission to an applet signed by a trusted certificate.

• If the applet requires external libraries, we should sign all the required jar files as well.
• You can find a list of trusted certificates for all Java applets in the Java Plug-in control panel, under the Security tab.
• You can use the command jarsigner -verify to check whether a jar file is signed or not.
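The structure that jarsigner leaves in META-INF, and the note above about signing every required jar, can be checked mechanically. The following Python script is an added example, not part of the original tutorial: it lists the signature files in a jar and reports entries that have no digest in MANIFEST.MF or whose content no longer matches it. The sample jar, its placeholder signature files and the Injected.class entry are constructed; the check is structural only and does not validate the signature itself, which remains the job of jarsigner -verify.

```python
import base64, hashlib, io, zipfile
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
APPLET = "net/codejava/applet/FileBrowseApplet.class"

def parse_manifest(text):  # entry name -> attributes of its manifest section
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in attrs:
            sections[attrs["Name"]] = attrs
    return sections

def audit_jar(jar_bytes):
    """Structural check: signature files present, entries covered by digests."""
    report = {"signature_files": [], "unsigned": [], "mismatch": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode())
        for name in jar.namelist():
            if name.endswith("/") or name == "META-INF/MANIFEST.MF":
                continue
            if name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
                report["signature_files"].append(name)
                continue
            attrs = manifest.get(name, {})
            digests = {k[:-7]: v for k, v in attrs.items() if k.endswith("-Digest")}
            if not digests:
                report["unsigned"].append(name)  # e.g. added after signing
            for alg, expected in digests.items():
                actual = hashlib.new(alg.replace("-", "").lower(), jar.read(name))
                if base64.b64encode(actual.digest()).decode() != expected:
                    report["mismatch"].append(name)
    return report

def build_sample_jar(tamper=False):
    """Constructed sample jar; the .SF/.RSA entries are placeholders, not real."""
    body = b"constructed stand-in for the compiled applet class"
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: {APPLET}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/MYALIAS.SF", "placeholder")
        jar.writestr("META-INF/MYALIAS.RSA", "placeholder")
        jar.writestr(APPLET, body + b"!" if tamper else body)
        jar.writestr("net/codejava/applet/Injected.class", b"added after signing")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(build_sample_jar()))
```

An entry listed under "unsigned" or "mismatch" means the jar should be re-signed from a known-good build.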


About the Author:

Nam Ha Minh is a certified Java programmer (SCJP and SCWCD). He started programming with Java in the time of Java 1.4 and has been in love with Java ever since. Make friends with him on Facebook and watch his Java videos on YouTube.


Java Application Blocked

Good day, dear readers and blog subscribers. Many of you surely have an accounting or finance department at work. In today’s world most things are done over the internet and in the browser, and the staff of these departments are no exception. In the course of their work they have to deal with all kinds of bank client applications, which very often run on Java technologies, and a very common error is: Java Application Blocked. Let’s see what is wrong.

What Java Application Blocked is and what it looks like

I am sure an ordinary user will be somewhat scared by the red warning icons and the foreign language when a window with this error appears:

Application Blocked by Java Security. For security, applications must now meet the requirements for the High or Very High security settings, or be part of the Exception Site List, to be allowed to run. Your security settings have blocked a self-signed application from running

After that you can only close the window, and the service you need will not open. This also happens very often on servers that have additional management ports whose interface is likewise built on Java. The whole issue lies in Java: it is very frequently the target of all kinds of attacks, so it is logical that its developers fight this and tighten the screws as far as they can.

So, starting with Java 7 Update 51, the security settings greatly increased the requirements for applications and sites, especially those whose applications are unsigned or signed with a self-signed certificate. Without the solution described below, it will not let you run such applications, with the message: Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running.

Fixing application blocked by java security

Now that we understand the cause of this error, we can fix it. This requires two actions from you.

Update Java on the computer

To update Java on Windows, do the following. Press WIN+R and type control panel. This opens the Control Panel; I show this method because in the new Redstone 2 release of Windows 10 Microsoft has buried the Control Panel deep in the system, moving away from it more and more.

Next, select the Java (32-bit) item; you may have the 64-bit one installed.

Go to the Update tab, make sure the Check for Updates Automatically box is checked, and click the Update Now button. A check for a newer version of Java will start.

If there is none, you will get the message: You already have the latest Java Platform on the system. That is good: you are using the latest version.

If a newer version exists, you will be redirected to https://www.java.com/ru/download/, where you download the new version and update.

Configuring the whitelist

Now make the second setting, which resolves the application blocked by java security error. Again in Control Panel > Java, open the Security tab and click the Edit Site List button to add the required resource to the whitelist.

Then click Add and list all the resources you need.

When finished, click Continue.

Now I open the Java-based application again and, lo and behold, everything loaded and the Java Application Blocked error did not appear; I calmly clicked I accept.

In the end the KVM I needed opened. As you can see, it is all very simple.
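Applications launched from locations on the exception site list are allowed to run even though they fail the security checks described above, so the list is worth reviewing after it has been edited. The following Python script is an added example, not part of the original post: it flags entries that use plain HTTP, point at a local file, or name a whole host without a path. It assumes the list is available as text with one location per line, as in the per-user exception.sites file that the Java Control Panel maintains; the sample entries are constructed.

```python
from urllib.parse import urlsplit

SUPPORTED = {"https", "http", "file"}

# Constructed sample entries, one location per line.
SAMPLE = """\
https://bank.example.com/client/
http://192.0.2.10
https://kvm.example.net
file:///C:/apps/legacy.jar
ftp://files.example.org/app.jnlp
"""

def audit_entry(entry):
    """Return the review findings for one exception site list entry."""
    parts = urlsplit(entry)
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED:
        return ["unsupported-or-missing-protocol"]
    findings = []
    if scheme == "http":
        findings.append("plain-http")          # content can be altered in transit
    if scheme == "file":
        findings.append("local-file-location")
    elif parts.path in ("", "/"):
        findings.append("whole-host-allowed")  # every application on the host runs
    return findings

def audit_exception_sites(text):
    """Map each non-empty entry to its list of findings (empty list = nothing flagged)."""
    report = {}
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            report[entry] = audit_entry(entry)
    return report

if __name__ == "__main__":
    for entry, findings in audit_exception_sites(SAMPLE).items():
        print(entry, "->", ", ".join(findings) or "ok")
```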

There are also nuances with the Internet Explorer browser: some sites may not work there until compatibility mode is enabled. This is very easy to do: open IE and press the Alt key, which opens an additional menu. In it, open Tools > Compatibility View settings.

Add the required resource there, after which the browser must be restarted. I think that is all.
