

Applet security: a blast from the past

I was asked to solve a little problem the other day: a website, for a major corporation, that can detect whether processes are running on the underlying operating system.

It presented a bit of a quandary. We are so used to the power of modern UI frameworks supplanting the rich-client frameworks of the previous web generation that when you come across something that can't be done in the browser sandbox you have to sit back and have a scratch.

In the end the only practical solution was a Java applet (the client has internal root certificates on their machines that would grant the power necessary to run the commands). Not a problem, I have written tons of them... years ago.

When it came to signing everything for testing my mind came up blank and Google was not much help, so when I figured it out I thought a little aide-memoire would not hurt in case I need it again.

Security is quite rightly heavy on the browser applet sandbox: you have to sign the Jar files you use in applets (you can't just sign class files, you have to export them into a Jar). If they are unsigned you CAN'T get them to run; if they are self-signed you can get them to run after the browser has warned you.

The following is me building my self-signed cert so you can do internal testing.

1) First I want to build myself a keystore (which I will name appletkey); for that I will need a copy of the Java JDK installed.

D:\MyAppletProject\WebContent>"C:\Program Files\Java\jdk1.7.0_25\bin\keytool" -genkey -keystore appletkey

Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  Jo Bloggs
What is the name of your organizational unit?
  [Unknown]:  stickfight
What is the name of your organization?
  [Unknown]:  stickfight
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Jo Blogs, OU=stickfight, O=stickfight, L=London, ST=London, C=GB correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password):

2) Now I have a keystore (you will see a file called 'appletkey' created in the directory you ran the last command in); now I want to generate a self-signed cert.

D:\MyAppletProject\WebContent>"C:\Program Files\Java\jdk1.7.0_25\bin\keytool" -selfcert -keystore appletkey
Enter keystore password: password

3) Hooray, we now have a certificate; you can check it's OK (if you want) by entering

D:\MyAppletProject\WebContent>"C:\Program Files\Java\jdk1.7.0_25\bin\keytool" -list -v -keystore appletkey

4) Now let's sign the jar files we are using in our applet (yes, you have to sign them all, not just the one that contains the initial class you are calling).

D:\MyAppletProject\WebContent>"C:\Program Files\Java\jdk1.6.0_45\bin\jarsigner" -keystore appletkey process.jar mykey
Enter Passphrase for keystore: password

The signer certificate will expire within six months.

You can see that I'm using jdk1.6 for this, as 1.7 goes mad about the alias (the mykey in the previous command, which is the default alias keytool uses when you don't pass -alias, as the <mykey> prompt in step 1 shows). It's been driving people on the internet, and me, potty, and the safest way seems to be to just use the last version of 1.6 to do the signing.

Once this is done you will be able to run the applet from any web server, and as long as you agree to the warnings it can run any code you want.
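Since agreeing to the warning hands a signed jar the full privileges of the user, it is worth knowing what the signing step above actually puts into the jar and how to check it before trusting one. The real check is `jarsigner -verify -verbose -certs process.jar`; the following is an added example, not code from this post, that builds a jar in memory with the META-INF layout jarsigner produces (MANIFEST.MF with a SHA-256 digest per entry, an ALIAS.SF file digesting the manifest, and a signature block) and then inspects it the way a verifier does. The entry names in SAMPLE_ENTRIES, the class bytes, and the function names are all constructed for the example, and the .RSA block is a placeholder rather than a real PKCS#7 signature, so the inspection covers the signer-file layout and the manifest digests only, not the cryptographic signature itself.

```python
"""Constructed example: what a signed jar's META-INF contains, and how to check it."""
import base64
import hashlib
import io
import zipfile

# Constructed sample contents; class names and bytes are made up for the example.
SAMPLE_ENTRIES = {
    "com/example/ProcessApplet.class": b"\xca\xfe\xba\xbe constructed applet class bytes",
    "com/example/Helper.class": b"\xca\xfe\xba\xbe constructed helper class bytes",
}


def _digest_b64(data: bytes) -> str:
    """Base64 SHA-256 digest, the form used in MANIFEST.MF and .SF entries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_jar(entries: dict, signer: str = None) -> bytes:
    """Build an in-memory jar. With signer=None only MANIFEST.MF is written (unsigned jar);
    with a signer alias, <ALIAS>.SF and a placeholder <ALIAS>.RSA block are added as well.
    The .RSA content here is NOT a real signature; it only reproduces the file layout."""
    sections = [f"Name: {n}\r\nSHA-256-Digest: {_digest_b64(d)}\r\n\r\n" for n, d in entries.items()]
    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed example\r\n\r\n" + "".join(sections)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signer:
            # The .SF file digests the whole manifest and each of its per-entry sections.
            sf = ("Signature-Version: 1.0\r\n"
                  f"SHA-256-Digest-Manifest: {_digest_b64(manifest.encode())}\r\n\r\n")
            for name, sec in zip(entries, sections):
                sf += f"Name: {name}\r\nSHA-256-Digest: {_digest_b64(sec.encode())}\r\n\r\n"
            z.writestr(f"META-INF/{signer.upper()}.SF", sf)
            z.writestr(f"META-INF/{signer.upper()}.RSA", b"PLACEHOLDER PKCS7 BLOCK (constructed)")
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> list:
    """Split a manifest into sections (main section first); a leading space continues the previous line."""
    sections, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw == "":
            if current:
                sections.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:   # 72-byte line wrap continuation
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        sections.append(current)
    return sections


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report signer aliases, whether the jar is signed, and entries that do not match the manifest."""
    result = {"signed": False, "signers": [], "digest_mismatches": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sf_aliases = {n[9:-3] for n in meta if n.upper().endswith(".SF")}
        block_aliases = {n[9:].rsplit(".", 1)[0] for n in meta
                         if n.upper().rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")}
        # A signer only counts when both its .SF file and its signature block are present.
        result["signers"] = sorted(sf_aliases & block_aliases)
        result["signed"] = bool(result["signers"])
        if "META-INF/MANIFEST.MF" not in names:
            return result
        sections = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        listed = {s["Name"]: s for s in sections[1:] if "Name" in s}
        for name in names:
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue
            section = listed.get(name)
            if section is None:
                result["unlisted"].append(name)           # in the jar, but never digested
            elif section.get("SHA-256-Digest") != _digest_b64(z.read(name)):
                result["digest_mismatches"].append(name)  # content changed after signing
    return result


def modify_jar(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the jar with one entry replaced or added and META-INF left untouched
    (simulates an entry being altered or slipped in after signing)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for n in src.namelist():
            if n != name:
                dst.writestr(n, src.read(n))
        dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    signed = build_jar(SAMPLE_ENTRIES, signer="mykey")
    print("intact:", inspect_jar(signed))
    print("tampered:", inspect_jar(modify_jar(signed, "com/example/ProcessApplet.class", b"changed")))
```

An entry reported under `digest_mismatches` or `unlisted` is exactly what `jarsigner -verify` flags as unsigned or modified; the extra step the real tool does, and this example does not, is checking the .RSA block's signature over the .SF file against the signer's certificate chain, which for the self-signed cert above ends at the cert you generated rather than a trusted root.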

I think I’ll go and listen to some 80’s rock now.
