1

I've googled lots of links like Oracle and velocity review and Stack Overflow too, but still no success.

The point is simple. Jar is signed using:

```
keytool -genkey -alias signFiles -keystore compstore -keypass bca321 -dname "cn=test" -storepass abc123
jarsigner -keystore compstore -storepass abc123 -keypass bca321 -signedjar SignedJar.jar UnsignedJar.jar signFiles
```

And it runs perfectly on the local machine. But when SignedJar.jar is used as an applet via HTTP(S), even if the user accepts the certificate (IE or FF or Chrome - no difference), it stops working with:

```
java.security.AccessControlException: access denied (javax.smartcardio.CardPermission Broadcom Corp Contacted SmartCard 0 connect)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at sun.security.smartcardio.TerminalImpl.connect(Unknown Source)
```

Yes, it tries to read from the smartcard inserted in the terminal, and gets an exception on calling connect.

Yes, I've tried this approach too:

```
AccessController.doPrivileged(new PrivilegedAction() {
...
```

But with no luck. So where is the catch?

Thanks in advance, Kirill

kosa
Kirill Linnik
  • Maybe you need to create a policy file that includes the following permission grant (this is just my guess for its entry, you need to investigate further on how to grant a permission for CardPermission...): `grant { permission javax.smartcardio.CardPermission "Broadcom Corp Contacted SmartCard 0", "connect"; }; ` See [link](http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html#know) – ee. Jan 17 '12 at 02:16
  • Have you signed all the code, including libraries? (With the same signature, and adding `Trusted-Only: true` to the manifest.) – Tom Hawtin - tackline Jan 17 '12 at 12:49

2 Answers

0

I ran into this problem today, Java 1.7.0_11, applet jars signed with a self-signed certificate added to the list of trusted certificates. It went away when I removed the section in my policy file that granted my applet's codebase all permissions.

flup
0

After creating the public/private keys, creating the associated certificate, and signing each one of your applet jars with the certificate, you should create a hash for each file in the JAR and sign them with the private key. These hashes, the public key, and the certificate must be added to the META-INF directory of the JAR file alongside the JAR’s manifest.

Here is the command line:

```
$ jar -tf SignedApplet.jar
```

See link

Saralou
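One way to check what the comments and this answer describe, namely whether every entry in the applet jar and its libraries carries a valid per-file digest and is signed by the same certificate. This is an added example, not code from any of the posts; the class name `JarSignerCheck` is hypothetical and only standard `java.util.jar` and `java.security` calls are used.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example. Usage: java JarSignerCheck SignedJar.jar [more jars...]
public class JarSignerCheck {
    // The manifest and the signature files themselves are never signed entries.
    static boolean isSignatureRelated(String name) {
        return name.toUpperCase().matches(
            "META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC)|SIG-[^/]*)");
    }

    public static void main(String[] args) throws IOException {
        Set<Certificate> signerCerts = new HashSet<>();
        int unsigned = 0;
        for (String path : args) {
            // verify=true: each entry's digest is checked against META-INF as it is read
            try (JarFile jar = new JarFile(path, true)) {
                for (JarEntry entry : Collections.list(jar.entries())) {
                    if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                    // Signers are only populated once the entry has been read to the end;
                    // a tampered entry raises SecurityException during this read.
                    try (InputStream in = jar.getInputStream(entry)) {
                        byte[] buf = new byte[8192];
                        while (in.read(buf) != -1) { /* drain */ }
                    }
                    CodeSigner[] signers = entry.getCodeSigners();
                    if (signers == null) {
                        unsigned++;
                        System.out.println("UNSIGNED " + path + "!/" + entry.getName());
                        continue;
                    }
                    for (CodeSigner s : signers) // first cert in the path is the signer's own
                        signerCerts.add(s.getSignerCertPath().getCertificates().get(0));
                }
            }
        }
        for (Certificate c : signerCerts)
            System.out.println("SIGNER " + ((X509Certificate) c).getSubjectX500Principal());
        // Non-zero exit when any entry is unsigned or the jars mix signing certificates.
        System.exit(unsigned > 0 || signerCerts.size() > 1 ? 1 : 0);
    }
}
```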