5

In the previous months I developed a sandbox Java applet for an academic project. I wasn't able to sign it with a trusted Certificate Authority because of the restricted budget. With the release of Java 1.7.51 I found that the new security restrictions forbid the execution of the applet, because of the lack of signature.

Until now, I have found two rough solutions to this problem:

  1. ask the user to include the applet page on his/her exception lists;
  2. ask the user to set the Java security level to "Medium" (which, of course, is a risky manoeuvre).

Is there a way to overcome the restrictions imposed by Java with a self-signed applet without asking the user to change the security settings?

I would deeply thank you for your answers, since the option to buy a trusted certificate remains an expensive one.

Andrew Thompson
Carlos
  • I think it cannot be done. The security restriction is there for a reason. – NeplatnyUdaj Jan 20 '14 at 15:50
  • Put the `permission:sandbox` into manifest.mf – Grim Jan 20 '14 at 15:56
  • Is it for an intranet? Can it run only in the sandbox? Or does it need other special permissions? – jalopaba Jan 20 '14 at 15:56
  • Check http://stackoverflow.com/questions/19440354/is-oracle-killing-intranet-applets-on-jre-7-update-51 and http://stackoverflow.com/questions/18914650/can-you-sign-a-java-applet-but-keep-it-in-the-sandbox-not-give-it-full-access-t – jalopaba Jan 20 '14 at 15:57
  • @jalopaba He developed a sandbox applet. – Grim Jan 20 '14 at 15:57
  • Thank you for your kind replies. Please, allow me to share some answers with you: @PeterRader I already set the Permissions to sandbox to the manifest file, but no luck. – Carlos Jan 20 '14 at 16:20
  • @jalopaba It has to be available on the internet for public use (it is an interface for language analysis). It doesn't use any restricted features, only an extension, which is JGraph.jar – Carlos Jan 20 '14 at 16:20
  • @jalopaba Thank you for the links you shared with me! The second one, entitled "security . can you sign a Java applet..." was a valuable one to realize that the part of the html is well done (I have already set the permissions value) and also the manifest permissions. I chose the applet approach because of some difficulties inherent to the problem I am attacking. – Carlos Jan 20 '14 at 16:26

2 Answers

2

Is there a way to overcome the restrictions imposed by Java with a self-signed applet without asking the user to change the security settings?

Short answer, no. Long answer, nope.

Andrew Thompson
  • Thank you for your reply! I read about your expertise on applets, and, sadly, your argument leads me to consider the options to buy a code certificate. – Carlos Jan 21 '14 at 04:55
  • If the use-case really needs an applet, then buying a certificate is what I would recommend. – Andrew Thompson Jan 21 '14 at 05:01
  • Thank you for your suggestion and your feedback! I'll search for certificate options. Do useful ones exist that are both for free and trusted by Oracle? – Carlos Jan 21 '14 at 16:25
  • 1) [certum.pl](http://www.certum.eu/certum/179898.xml) offered free certificates a while ago, .. 2) But given the spate of problems causing people to seek certificates, they might be considering putting a price on them. 3) I don't know whether they are considered trusted according to the Java chain of trusted certificates. – Andrew Thompson Jan 21 '14 at 16:41
  • Thank you once again for your feedback! Yesterday, thanks to one question posted on Stackoverflow, I reached Certum page, which is located in Poland. As you say, they remain a useful option but I'm concerned with the documentation they ask (copy of a personal id card with a signature) and the risk that, at the end, it might prove unuseful. Thank you very much for your attention! – Carlos Jan 21 '14 at 20:30
  • @Carlos That information is to be expected. A Certification Authority cannot 'certify' your identity unless they get proof of ID. If they certified people or organizations without that, the malware makers would be rushing to their doorstep, and their certificates would become useless! – Andrew Thompson Jan 22 '14 at 04:24
  • Once again, thank you very much for your reply! I shared with you these doubts because I remain a little bit suspicious about the security of my personal information. Certum represents an enterprise that, from the point of view of my country, is overseas, and I'm concerned about the possible misuses of my data. But, as always, thank you very much for your insights! – Carlos Jan 22 '14 at 04:46
  • @Carlos You're welcome. I also am not in their country (I'm in Australia) and applied for and gained a certificate through them. I have no reason to believe they have shared my information with anyone, and given they are a CA who *depends* on their trustworthiness as a business necessity, feel they would take extra precautions to protect their DB from hacking etc. But that is just my personal experience and view, I am not affiliated with them, nor have had the opportunity to personally examine or test their security. – Andrew Thompson Jan 22 '14 at 05:15
  • Thanks a lot for sharing with me your experience and point of view! I will check out their information and Oracle's trusted CA's to take a decision, and will let the community know the result. With my best regards, – Carlos Jan 22 '14 at 16:46
  • BTW - it seems you have the rep. to up-vote answers. An up-vote is a community standard way to show appreciation. ;) – Andrew Thompson Jan 22 '14 at 16:58
2

It's not a real solution but maybe a bit more convenient for the end user: Write a small program (as jar file, or batch) which adds your site to the exception list. This tiny program you offer to the user who can't execute your applet. It only has to be executed once. How this can be done is described here.

The file controlling the Exception Site List is stored in the user’s deployment location as described in the deployment configuration. On Windows 7 the location is C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites. The format is one site per line.

If you think that is not really trustworthy to the user you are probably right ;-) who executes a file downloaded from the internet? You can also just add a small description to your page and a user could execute it from the command line. For Windows it would look like this:

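```bat
rem Create the deployment security folder (paths quoted in case the profile name contains spaces)
mkdir "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security"
rem Append the site to the Exception Site List file, one site per line
echo http://www.carlos.com >> "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites"
```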

The more I read my post I think the best solution is the certificate but still wanted to share this option.

Lonzak
  • Thank you very much for your suggestive reply! I have already read the information on the link you shared with me about the new exception lists. The possibility to offer the visitor a file that sets my project page on his/her exception lists is a really good one (except, as you say, because of the usual practices we have when surfing the web). If you allow me, my question would be: can I develop this strategy so my applet would work on Windows, Linux, and MacOS? That is to say, can I make a batch-like file for each OS to add my project site to the exception list? How to do it? Thank you a lot! – Carlos Jan 21 '14 at 22:18
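
A read-only check of an `exception.sites` file in the one-site-per-line format described in the answer above, added here as an example that is not part of the original post. It reports entries that are duplicated (as a second run of the batch lines would produce), carry stray whitespace, or are not HTTPS; the function name and the sample content are constructed for illustration.

```python
from urllib.parse import urlsplit


def audit_exception_sites(text):
    """Audit the contents of an exception.sites file (one site per line).

    Returns (sites, findings): the distinct trimmed entries in file order,
    and a list of (line_number, issue) tuples for anything worth reviewing.
    """
    sites, findings, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        site = raw.strip()
        if not site:
            continue  # blank lines carry no entry
        if site != raw:
            # cmd's "echo text >> file" writes the space before ">>" too
            findings.append((lineno, "surrounding whitespace"))
        scheme = urlsplit(site).scheme.lower()
        if not scheme:
            findings.append((lineno, "missing scheme"))
        elif scheme != "https":
            # a plain-HTTP exception trusts content that can be altered in transit
            findings.append((lineno, f"scheme is {scheme}, not https"))
        if site in seen:
            findings.append((lineno, "duplicate entry"))
            continue
        seen.add(site)
        sites.append(site)
    return sites, findings


# Constructed sample: the batch lines above run twice, plus two other entries.
SAMPLE = (
    "http://www.carlos.com \r\n"
    "http://www.carlos.com \r\n"
    "https://applet.example.test/lab/\r\n"
    "www.example.test\r\n"
)

if __name__ == "__main__":
    sites, findings = audit_exception_sites(SAMPLE)
    print("entries:", sites)
    for lineno, issue in findings:
        print(f"line {lineno}: {issue}")
```
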