This tutorial explains necessary steps to sign a Java applet, either by using a self-signed certificate (self-signing) or by using a trusted certificate issued by a certificate authority like VeriSign or Thawte. Signing a Java applet is not difficult task, and it should be done correctly. First, let’s take a look why sometimes we need to have a Java applet signed.

 

1. Why need to sign Java applet?

When running inside web browser, Java applets are living in a restricted environment so called “sandbox” – which prevents the applets from accessing system resources and devices such as files, network connections, printers, cameras, microphones, etc – without user-granted permission. This tight security is designed to make users safe from malicious code which always tries to execute automatically without user’s intervention.

The following picture illustrates how such restriction is applied for unsigned applet and signed applet within the sandbox:

To access system resources and devices, the applet must be signed with a digital certificate which is issued by a trusted Certificate Authority (CA). Thus the user can trust this applet and grant permission.

For example, you are developing applets that read/write files system, capture video from camera, or record audio from microphone… then you must sign your applets, definitely.

Though there is another way to grant permission for applets through the usage of .java.policy file, but this method is for development only. It’s not suitable for deploying applets on production environment because it requires the user manually put the .java.policy file on their computer. Thus signing the applet is the convenient way.

 

2. A Sample applet for signing

To illustrate the process of signing an applet, this tutorial will work with a sample Java applet that shows an open dialog for browsing files on user’s computer. Here is code of the applet:

package net.codejava.applet;

import java.awt.*;
import java.awt.event.*;
import javax.swing.*;

public class FileBrowseApplet extends JApplet {

	private JButton button = new JButton("Browse");

	public void init() {
		getContentPane().setLayout(new FlowLayout());
		getContentPane().add(button);

		button.addActionListener(new ActionListener() {
			public void actionPerformed(ActionEvent evt) {
				JFileChooser fileChooser = new JFileChooser();
				fileChooser.showOpenDialog(FileBrowseApplet.this);
			}
		});
	}
}

 And here is the HTML page that shows the applet:

<html>
<head><title>File Browse Applet Demo</title></head>
<body>
<center>
	<applet id="FileApplet"
			code = "net.codejava.applet.FileBrowseApplet.class"
			archive="FileApplet.jar"
			width="200"
			height="60">
	</applet>
</center>
</body>
</html>

 Opening the FileApplet.html will show up the applet as following screenshot:

When hitting the Browse button, an exception of type java.security.AccessControlException is thrown:

 

It is because the open dialog needs permission to access file system resources, but an unsigned applet is denied this permission by default. So, to overcome this, the applet must be signed.

 

3. Requirement to sign Java applet

Before signing an applet, it requires packaging all applet classes into a single jar file. This can be done by using jar tool which comes with JDK. For example:

jar cfv FileApplet.jar net

That will add all classes under package net.codejava into FileApplet.jar file.

And two programs are required:

• • keytool.exe: A key and certificate management tool. We use this tool for generating a RSA public/private key pair associates with a certificate - called self-signed certificate, or reading a trusted certificate.
  • jarsigner.exe: A signing tool that creates a digital signature of a jar file using a provided certificate.

These tools come with JDK and are installed under JDK_HOME\bin directory.

The following diagram illustrates the signing process:

Now, let’s dive into the signing process using two types of certificate: self-signed certificate and trusted certificate.

 

4. Sign a Java applet using self-signed certificate

A certificate which is created and signed by a same entity is called self-signed certificate. This self-signing method is simple and quick because we can use our own certificate which is generated by the keytool program; don’t have to spend time on requesting and obtaining certificate from a certificate authority; and it does not cost any bucks. However, its drawback is that the user may not accept the certificate since it is not trusted by any public authority. So this method is suitable for development and testing purpose only.

Syntax of the command to generate a self-signed certificate is as follows:

keytool -genkey -alias <alias> -keystore <filename> -keypass <keypass> -dname <dname> -storepass <storepass> -validity <days>

Where:

• • <alias>: a unique identifier of the certificate. Note that alias is case-insensitive.
  • <filename>: name of the file which stores the certificate.
  • <keypass>: password to protects the key pair.
  • <dname>: distinguished name of the certificate.
  • <storepass>: password of the certificate store.
  • <days>: number of days after which the certificate will expire.

For example, the following command generates a self-signed certificate called “myAlias” and stores it in a file named as “myCert”:

keytool -genkey -alias myAlias -keystore myCert -keypass myKeyPass -dname "CN=FileApplet" -storepass myStorePass -validity 1825

The –validityparameter specifies that this certificate will expire after 5 years (1825=5x365).

Now we use the jarsigner tool to sign the applet’s jar file. Syntax of this command is as follows:

jarsigner -keystore <keystore_file> -keypass <keypass>-storepass <storepass> <jar_file> <alias>

For example, the following command signs the FileApplet.jar using the self-signed certificate stored in the file myCert:

jarsigner -keystore myCert -keypass myKeyPass -storepass myStorePass FileApplet.jar myAlias

The jarsigner tool signs the applet by creating digital signature for all classes of the applet and put it into META-INF directory inside the jar file.

Run the applet again by refreshing the browser, this time a Security Warning dialog shows up:

Note that the Publisher field is set to UNKNOWN because this certificate is self-signed.

Click More Information, then Certificate Details… to see information about the certificate, like the following screenshot:

To grant permission for the applet, check the option “I accept the risk and want to run this application” in the Security Warning dialog, then click Run.

Now click the Browse button in the applet again, the Open dialog is now displayed:

That’s the process of signing a Java applet using a self-signed certificate. Let’s switch to second approach.

 

5. Sign aJava applet using trusted certificate

A trusted certificate is one which is signed by a public trusted certificate authority, such as Verisign, Thawte, Entrust…This process is similar to self-signing, except that we don’t create our own certificate using the keytool tool. Instead, we have to purchase and obtain a certificate issued by the certificate authority – which takes more time and cost. However, this method increases degree of trust to our application, because no one can fake a trusted certificate.

Suppose we have our trusted certificate stored in a .pfx file format, CompanyCert.pfx and we know the password to access the certificate. Use the following command syntax to obtain alias name of the certificate:

keytool -list -storetype pkcs12 -keystore <filename> -storepass <password>

For example:

keytool -list -storetype pkcs12 -keystore CompanyCert.pfx -storepass myStorePass

We got the output like the following screenshot:

The alias name is shown in the yellow-marked section (for security purpose, other information is blurred in this screenshot). Copy the alias name, and using the following command to sign the applet’s jar file:

jarsigner -storetype pkcs12 -keystore CompanyCert.pfx -storepass myStorePass FileApplet.jar myAlias

Replace the “myStorePass” and “myAlias” by real value correspond to your certificate.

Now run the applet again, a warning dialog appears as following screenshot:

We can notice that, this time, the warning dialog is slightly different than the one for a self-signed certificate. Obviously the publisher name has a specific value rather than UNKNOWN. Check “Always trust content from this publisher” then click Run. We have granted permission for an applet signed by a trusted certificate.

NOTES:

• • If the applet requires external libraries, we should sign all the required jar files as well.
  • You can find a list of trusted certificates for all Java applets in the Java Plug-in control panel, under Security tab.
  • You can use the command jarsigner –verify <jar_file> to verify if a jar file is signed or not.

 

Other Java Applet Tutorials:

• Java Applet Tutorial for beginners
• How to show Java applet in HTML page
• How to call Javascript function from Java applet
• How to call Java applet's methods and variables from Javascript
• How to resize Java applet to fit browser's window
  
• How to submitt HTML form in Java applet
• LiveConnect - The API for communication between Java applet and Javascript