Java applets are designed to run in a restricted environment known as Sandbox. This confinement helps avoid malicious activities and breach of security from intentionally harmful applets. Therefore, an applet cannot access or communicate with any outside-the-sandbox resource unless granted permission by the user.
The trustworthiness of an applet is showcased by signing it with a security certificate. Any unsigned applet will seem to be unsafe and insecure in the eye of an end-user. Unsigned applets are restricted to execute only a limited set of operations which are considered safe.
An unsigned applet will be blocked from executing the following operations:
- Access a computer’s local file system.
- Access clipboard data.
- Access external computer peripherals like CD drives, DVD drives, microphones, speakers, or printers.
- Access any kind of executable files.
- Access computer’s system properties and settings.
- Access connectivity to an external server, network or hard drive.
Looking at the above restrictions, it seems an unsigned applet cannot really be used effectively for any kind of problem solving. Signing disables all these restrictions. Thus, it becomes quite important to sign an applet with a genuine security certificate.
Let’s look at ways and steps of signing an applet with a security certificate.
It’s quite simple to sign a Java applet on your own using the Java Keytool.
- Create a JAR file of your applet.
- Generate a keystore database with keytool. Execute the following commands.
keytool -genkey -keystore <keystore-name> -alias <alias-name> -validity <number-of-days>
keytool -selfcert -keystore <keystore-name> -alias <alias-name> -validity <number-of-days>
- Sign your JAR file with jarsigner. Execute the following command.
jarsigner -keystore <keystore-name> <your-jar-file.jar> <alias-name>
WARNING: Self signed applets are mostly signed by the developers only. This showcases that the genuineness of that applet is approved by the developer only, and not any other independent party. Such applets display a warning while seeking permissions. Self signing is usually considered healthy while developing or testing an applet, but not while releasing it to the target user base.
If you don’t want to sign an applet yourself, you can purchase a security certificate from an independent third-party vendor like VeriSign [Symantec Code Signing Certificates for Java].
Once you get the certificate, execute the following command to generate a file containing your certificate information.
keytool -genkey -alias <alias-name> -keystore <keystore-name> -keypass <key-password> -dname <unique-name> -storepass <store-password> -validity <number-of-days>
An example of the above command will be:
keytool -genkey -alias techFaqFiles -keystore faqstore -keypass NtLQB9tV -dname “TF-MySignedApplet” -storepass nrHkpE0Q -validity 7300
Your certificate will stay valid for 20 years.
Were you able to sign your Java applet? If you faced any problem, please share in the comments below.