
Self-signed security certificates.. (oh, the evil)


Andrew Thompson

Sep 9, 2005, 9:53:20 PM
There are a number of ways to get a security certificate that
will (if accepted by the end user) allow applets and other
projects to gain extended privileges.

However, signing an applet or application can be a daunting
task, especially in regards to acquiring a valid security
certificate. As a result of this, a lot of developers are
discouraged from taking that route.

The developer might be prepared to pay for a fully verified
certificate, but they generally would want to see the process
work before they lay down $, right?

Some of the ways of getting a certificate *for* *testing*
purposes are expensive, while others are quite obtuse
or difficult.

Are there any IDEs that will do this stuff* for you?
* Create a self-signed certificate and sign a jar with it.

Is my assumption that 'people want to see it work
before paying money' valid?

Most specifically, can anybody here attest that they
*paid* for a code signing certificate before they had
seen it work for a project?

[ This is all leading to "Does it make sense to issue a
'self-signed' certificate for all to use, in the name of
'!!Danger!! - Developer Only!'..."? ]

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Power and privilege cannot move a people, who know where they stand, and
stand in the law."
Paul Kelly 'From Little Things, Big Things Grow'

Roedy Green

Sep 9, 2005, 11:10:58 PM
On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>Are there any IDE's that will do this stuff* for you?
>* Create a self signed certificate and sign a jar with it.

Once you see it done and you can put it in a bat file, it is so simple you
wonder what all the fuss was about.

Once the cert exists you jar and sign in ant like this:

<!-- J A R -->
<!-- Make genjar known to ant -->
<!-- See http://mindprod.com/jgloss/genjar.html for details -->
<taskdef resource="genjar.properties" />

<target name="jar" depends="compile">
    <genjar jarfile="${jar.file}">
        <!-- include main class and all its dependencies -->
        <class name="${main.class}" />
        <!-- define the manifest -->
        <manifest>
            <attribute name="Main-Class" value="${main.class}" />
        </manifest>
    </genjar>
    <!-- S I G N -->
    <!-- get password from the environment: set jarsignerpassword=sesame -->
    <property environment="env" />
    <signjar jar="${jar.file}"
             alias="mindprodcert2005dsa"
             storepass="${env.jarsignerpassword}" />
</target>

to generate your cert (each keytool call is a single line in the bat file;
the store password comes from the environment: set jarsignerpassword=sesame):

REM DSA for JDK 1.2 compatibility, private-public pair.
REM However RSA is what most modern certs use.
REM see http://docs.sun.com/source/816-5539-10/app_dn.htm for
REM construction of distinguished name

REM generate private/public key pair
keytool -genkey -storepass %jarsignerpassword% -keyalg DSA -alias mindprodcert2005dsa -dname "CN=mindprod.com, OU=Java Code, O=Canadian Mind Products, L=Victoria, ST=British Columbia, C=CA, EMAILADDRESS=roe...@mindprod.com, DC=mindprod, DC=com" -validity 999

REM generate the self-signed certificate containing public key
keytool -selfcert -storepass %jarsignerpassword% -alias mindprodcert2005dsa -validity 999

REM export the self-signed certificate in X.509 printable format, public key only.
keytool -export -storepass %jarsignerpassword% -alias mindprodcert2005dsa -rfc -file mindprodcert2005dsa.cer


for details of cert generation see
http://mindprod.com/jgloss/keytool.html
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.

Roedy Green

Sep 9, 2005, 11:24:54 PM
On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>Most specifically, can anybody here attest that they
>*paid* for a code signing certificate before they had
>seen it work for a project?

Think "What is a certificate from Thawte for?". They are helping
someone determine if a program they found on the net was indeed truly
written by Canadian Mind Products, all without checking back to the
CMP website.

Thawte vouches: yes it was him. They are also indirectly vouching
that Roedy Green and Canadian Mind Products really exist. CMP is a
real company. They are in the phone book. Roedy has a passport. They
are also vouching that CMP is flush enough to part with $400 US a year
for the cert, no little fly by night. :-)

Let us say I am too cheap or poor to buy a cert and use a self signed
one. Well, it is obvious that whoever created the cert is the
person who created the CMP website. People trust whoever runs that
website just as much as they trust the company Canadian Mind Products.

So there really should not be an issue of trusting the identity of
that cert ON MY WEBSITE. Now elsewhere, there is nothing to stop
someone from taking one of my downloads, screwing with the code, and
resigning with a fake certificate using my name.

The problem is people don't realize this and are overly afraid of my
phony cert on my website.

I have been creating ASP PAD XML file descriptors for all my code
which invites people to download and redistribute my downloads.
Ideally I would like to sign those with a real certificate.

Andrew Thompson

Sep 10, 2005, 12:11:40 AM
On Sat, 10 Sep 2005 03:10:58 GMT, Roedy Green wrote:

> On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote or quoted :
>
>>Are there any IDE's that will do this stuff* for you?
>>* Create a self signed certificate and sign a jar with it.
>
> Once you see it done ..

Thanks Roedy. That looks (at a glance) like the answer
to my question. A couple of bat files and the Ant task,
would be the way to go.

Would you (consider doing)/(have done) a page devoted to it?

"He thinks he can run, it's a matter of pride. But he keeps coming back,
like a cork on the tide."
Paul Kelly 'Deeper Water'

Andrew Thompson

Sep 10, 2005, 12:11:37 AM
On Sat, 10 Sep 2005 03:24:54 GMT, Roedy Green wrote:

> CMP is a real company.

Do you mean that CMP is actually a *registered* company?
It had never occurred to me. I understood that registering
a company was a relatively expensive business, in just
about any country.

> ..They are in the phone book.

[ I would prefer not to be, but could not be bothered
paying the extra to have the phone company suppress
the number! ]

>..Roedy has a passport.

..I am *trying* to get one at the moment! ;-)

> Let us say I am too cheap or poor to buy a cert and use a self signed
> one. Well, it is obvious that whomever created the cert is the
> person who created the CMP website. People trust whomever runs that
> website just as much as they trust the company Canadian Mind Products.
>
> So there really should not be an issue of trusting the identity of
> that cert ON MY WEBSITE.

That is probably the only reason I am prepared to use a self-signed
certificate. My software comes from my site only, so if the user trusts
me, they should be willing to trust a self-signed certificate coming
directly off my site - if they don't trust me, the rest is moot.

"When you believe in things that you don't understand, you suffer.
Superstition ain't the way"
Stevie Wonder 'Superstitious'

Roedy Green

Sep 10, 2005, 12:15:27 AM
On Sat, 10 Sep 2005 04:11:40 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>Would you (consider doing)/(have done) a page devoted to it?

The cert part is already done. ANT is on my todo list.

Roedy Green

Sep 10, 2005, 12:18:24 AM
On Sat, 10 Sep 2005 04:11:37 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>Do you mean that CMP is actually a *registered* company?
>It had never occurred to me. I understood that registering
>a company was a relatively expensive business, in just
>about any country.

I am registered in that I have a DUNS number and the Canadian equivalent
of the IRS knows about it. I am not incorporated. That means all
debts my company incurs are my personal debts. I can't just fold the
company if something goes wrong.

There is almost no paperwork at all to start a company in Canada, only
to incorporate.

Roedy Green

Sep 10, 2005, 12:20:39 AM
On Sat, 10 Sep 2005 04:11:37 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>That is probably the only reason I am prepared to use a self-signed
>certificate. My software comes from my site only, so if the user trusts
>me, they should be willing to trust a self-signed certificate coming
>directly off my site - if they don't trust me, the rest is moot.

The problem is people don't understand certs. But then again I have
people afraid of unsigned Applets. There was even a twit afraid to
look at a totally vanilla html page on my site.

It is primarily a matter of familiarity not actual risk.

Andrew Thompson

Sep 10, 2005, 1:09:58 AM
On Sat, 10 Sep 2005 04:18:24 GMT, Roedy Green wrote:

> On Sat, 10 Sep 2005 04:11:37 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote or quoted :
>
>>Do you mean that CMP is actually a *registered* company?
>>It had never occurred to me. I understood that registering
>>a company was a relatively expensive business, in just
>>about any country.
>
> I am registered in that I have DUNS number and the Canadian equivalent
> of the IRS knows about it. I am not incorporated. That means all
> debts my company incurs are my personal debts. I can't just fold the
> company if something goes wrong.
>
> There is almost no paperwork at all to start a company in Canada, only
> to incorporate.

Oh right, in Australia you can ..
- trade under your own name with no paperwork (barring Tax)
- a 'registered business name', with a small amount of
paperwork and a nominal yearly fee, or a
- company for a stupendous amount of paperwork and *enormous* fees.

I would say that the 'registered business name' is the
closest Aus. equivalent to what you are describing.

Andrew Thompson

Sep 10, 2005, 1:12:46 AM
On Sat, 10 Sep 2005 04:20:39 GMT, Roedy Green wrote:

> On Sat, 10 Sep 2005 04:11:37 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote or quoted :
>
>>That is probably the only reason I am prepared to use a self-signed
>>certificate. My software comes from my site only, so if the user trusts
>>me, they should be willing to trust a self-signed certificate coming
>>directly off my site - if they don't trust me, the rest is moot.
>
> The problem is people don't understand certs. But then again I have
> people afraid of unsigned Applets.

Some nong wrote to me imploring me to 'stop using Flash'(?!?).
Since I use no Flash, I could not even be bothered replying...

> There was even a twit afraid to
> look at a totally vanilla html page on my site.

..but that takes the cake!

Did you manage to help that poor sod?

"If no one out there understands, start your own revolution and cut out the
middle man."
Billy Bragg 'Waiting For The Great Leap Forward'

Roedy Green

Sep 10, 2005, 1:39:02 AM
On Sat, 10 Sep 2005 05:12:46 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>..but that takes the cake!
>
>Did you manage to help that poor sod?

I suggested he look at it at a library. He was convinced somehow I would
insert a virus into his computer.

Chris Berg

Sep 10, 2005, 7:42:50 AM
On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote:

....

>Is my assumption that 'people want to see it work
>before paying money' valid?

.....

I have signed applets for many years now (6 years, I guess). I have
used certs from Thawte and have been satisfied with their service - I
even got some free technical assistance once.

It takes some work to figure out exactly how to sign an applet - I've
done it both for MS .cab type applets and for SUN .jar type.
Completely different stories. But Roedy has a point: as soon as you
get it right, you create a .bat file and forget about the details.
That is, until you renew the cert, which you have to do once a year!!
Then for some reason your .bat file doesn't work anymore because you
installed a new key or a new VM. So, you have to adjust the .bat file
which is not so easy as you have completely forgotten how it worked a
year ago.

Buy the cert, you WILL be able to use it. In Java2, it has become much
easier, as you no longer have to write special code to ask for
privileges, which you had to do in IE/MS-VM and in Netscape. That was
REALLY a nuisance.

By the way, I always found that applet code-signing has one major
weakness: If the user doesn't acknowledge the security dialog (and you
really can't blame him, with all the malicious code that websites
these days try to persuade you to run), then the browser simply
rejects the applet. I cannot understand why this is so. Why can't the
browser just run the applet in the sandbox with normal applet
privileges? Every time the code does 'illegal' things, a
SecurityException will occur, and your code could react, perhaps
telling the user why it cannot save data on disk or whatever.

Chris

Andrew Thompson

Sep 10, 2005, 8:46:28 AM
On Sat, 10 Sep 2005 13:42:50 +0200, Chris Berg wrote:

> On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote:
>
> ....
>>Is my assumption that 'people want to see it work
>>before paying money' valid?
> .....
>
> I have signed applet for many years now (6 years, i guess).

[1]

> By the way, I always found that applet code-signing has one major
> weakness: If the user doesn't acknowledge the security dialog (and you
> really can't blame him, with all the malicious code that websites
> these days try to persuade you to run), then the browser simply
> rejects the applet.

Roedy's WassUp applet can work just fine in both signed
and unsigned modes. I have seen it do so on a number
of occasions.

> I cannot understand why this is so.

The only thing I can guess without an URL is that you are
doing it differently to Roedy, and I further guess (from
the fact that Roedy's works - whereas yours doesn't) wrong.

Try it for yourself, visit the URL and *refuse* permission.
<http://mindprod.com/applets/wassup.html>

So, got an SSCCE and URL that shows the problem?

[1] In all those words you do not seem to have answered the
basic question you quoted - would you mind?

"In a B-52 I come across the horizon - Drop my love on you"
Underworld 'Underneath The Radar'

Roedy Green

Sep 10, 2005, 12:38:13 PM
On Sat, 10 Sep 2005 12:46:28 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>The only thing I can guess without an URL is that you are
>doing it differently to Roedy, and I further guess (from
>the fact that Roedy's works - whereas yours doesn't) wrong.

you have to catch the Security exceptions and do something else.
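The pattern Roedy is pointing at (and the behaviour Chris asks for above), written out as an added example. This is not code from the thread or from the WassUp applet; the class, method and enum names are my own. Each privileged operation is wrapped so that a refused signature dialog leaves the code running with ordinary applet permissions instead of dying:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Code that must work whether or not the user granted the signature dialog.
 * Every privileged operation is wrapped: if the sandbox denies it we get a
 * SecurityException, and the program explains and degrades instead of dying.
 * (Class and method names are assumed; this is illustrative, not WassUp's code.)
 */
public final class DualModeNotes {

    /** What happened when we tried to persist the user's notes. */
    public enum Outcome { SAVED_TO_DISK, KEPT_IN_MEMORY_SANDBOXED, IO_FAILED }

    // Fallback store used when the sandbox refuses disk access.
    private String inMemoryCopy = "";

    public String inMemoryCopy() { return inMemoryCopy; }

    /** Try the privileged path first; fall back to memory if the sandbox says no. */
    public Outcome saveNotes(Path target, String notes) {
        try {
            Files.write(target, notes.getBytes(StandardCharsets.UTF_8));
            return Outcome.SAVED_TO_DISK;
        } catch (SecurityException denied) {
            // User refused (or never saw) the grant dialog: plain applet privileges.
            inMemoryCopy = notes;
            return Outcome.KEPT_IN_MEMORY_SANDBOXED;
        } catch (IOException e) {
            // Disk access was allowed but the write itself failed (full disk, bad path, ...).
            return Outcome.IO_FAILED;
        }
    }

    /** Cheap probe: reading user.home is denied to a sandboxed applet. */
    public static boolean extendedPrivilegesGranted() {
        try {
            System.getProperty("user.home");
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Human-readable explanation to show in the applet instead of a stack trace. */
    public static String explain(Outcome outcome) {
        switch (outcome) {
            case SAVED_TO_DISK:
                return "Notes saved to disk.";
            case KEPT_IN_MEMORY_SANDBOXED:
                return "You declined extended privileges, so notes stay in memory for this session only.";
            default:
                return "Saving failed; please check the target path.";
        }
    }

    public static void main(String[] args) {
        DualModeNotes app = new DualModeNotes();
        Path target = Paths.get(args.length > 0 ? args[0] : "notes.txt");
        System.out.println("extended privileges: " + extendedPrivilegesGranted());
        Outcome outcome = app.saveNotes(target, "constructed sample note\n"); // constructed input
        System.out.println(explain(outcome));
    }
}
```

The point is where the catch sits: around each individual privileged call, not around the applet as a whole, so the rest of the program keeps running in the sandbox. On a desktop JVM with no security manager the privileged path simply succeeds and the fallback branch is never taken; it only matters inside a sandbox such as the applet plug-in discussed here.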

Raymond DeCampo

Sep 10, 2005, 1:45:18 PM
Andrew Thompson wrote:
> On Sat, 10 Sep 2005 03:24:54 GMT, Roedy Green wrote:
>>Let us say I am too cheap or poor to buy a cert and use a self signed
>>one. Well, it is obvious that whomever created the cert is the
>>person who created the CMP website. People trust whomever runs that
>>website just as much as they trust the company Canadian Mind Products.
>>
>>So there really should not be an issue of trusting the identity of
>>that cert ON MY WEBSITE.
>
>
> That is probably the only reason I am prepared to use a self-signed
> certificate. My software comes from my site only, so if the user trusts
> me, they should be willing to trust a self-signed certificate coming
> directly off my site - if they don't trust me, the rest is moot.
>

The problem is not one of trusting you; it is trusting that there has
not been a "man in the middle" attack. By using a third party, the end
user is assured that the third party is confident that you actually
signed the code.

Ray

--
XML is the programmer's duct tape.

Darren

Sep 10, 2005, 1:58:29 PM

"Andrew Thompson" <SeeMy...@www.invalid> wrote in message
news:1ak3ew06bzw2f.2katyvu4qyhs$.dlg@40tude.net...

> There are a number of ways to get a security certificate that
> will (if accepted by the end user) allow applets and other
> projects to gain extended privileges.
>
> However, signing an applet or application can be a daunting
> task, especially in regards to acquiring a valid security
> certificate. As a result of this, a lot of developers are
> discouraged from taking that route.
>
> The developer might be prepared to pay for a fully verified
> certificate, but they generally would want to see the process
> work before they lay down $, right?
>
> Some of the ways of getting a certificate *for* *testing*
> purposes are expensive, while others are quite obtuse
> or difficult.
>
> Are there any IDE's that will do this stuff* for you?
> * Create a self signed certificate and sign a jar with it.
>
> Is my assumption that 'people want to see it work
> before paying money' valid?
>
> Most specifically, can anybody here attest that they
> *paid* for a code signing certificate before they had
> seen it work for a project?
>
> [ This is all leading to "Does it make sense to issue a
> 'self-signed' certificate for all to use, in the name of
> '!!Danger!! - Developer Only!'..."? ]
>

I found this on google
http://www.suitable.com/docs/signing.html
The question is, is there any legal or moral reason why I should not be able to
produce code signatures for my own web sites? After all, my applet is not
accessing the user's own hard drive; in fact it's only testing a socket connection
to my own website on port 80. Completely harmless.

Roedy Green

Sep 10, 2005, 5:26:15 PM
On Sat, 10 Sep 2005 17:45:18 GMT, Raymond DeCampo
<nos...@twcny.rr.com> wrote or quoted :

>The problem is not one of trusting you; it is trusting that there has
>not been a "man in the middle" attack.

By this you mean somebody interfering with the transmission from your
site to the end user in real time, which is much less likely than the
sort of attack of somebody downloading your code meddling with it,
then reposting it elsewhere.

The Thawte style cert will protect you from both. A self-signed cert
will protect you from neither.

The self signed cert does almost nothing but add a fancy checksum to
the download.
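As an added example (not code from the thread or from Canadian Mind Products), a small Java checker that shows exactly what Roedy means: the JVM verifies the per-entry digests, which is the "fancy checksum", but the identity behind a self-signed signer can only be pinned by comparing its fingerprint with one obtained out of band. The class and method names are my own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Inspects a signed jar: checks every entry's signature (integrity), then reports
 * who signed it and whether that signer is self-signed, so the fingerprint can be
 * compared against one obtained out of band. Names are assumed for this example.
 */
public final class JarSignerCheck {

    /** Findings for one jar. */
    public static final class Report {
        public final List<String> unsignedEntries = new ArrayList<>();
        /** Signer subject DN -> SHA-256 fingerprint of the signer's leaf certificate. */
        public final Map<String, String> signerFingerprints = new LinkedHashMap<>();
        public final List<String> selfSignedSubjects = new ArrayList<>();

        public boolean everyEntrySigned() { return unsignedEntries.isEmpty(); }
    }

    public static Report inspect(Path jarPath) throws IOException {
        Report report = new Report();
        // verify=true: JarFile checks each entry's digest against the signed manifest as
        // the entry is read and throws SecurityException on a tampered entry.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Manifest and signature files are not themselves signed entries.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry's bytes have been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    report.unsignedEntries.add(entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    String subject = leaf.getSubjectX500Principal().getName();
                    report.signerFingerprints.put(subject, sha256Fingerprint(leaf));
                    if (isSelfSigned(leaf)) report.selfSignedSubjects.add(subject);
                }
            }
        }
        return report;
    }

    /** A self-signed cert names itself as issuer and verifies under its own public key. */
    public static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) return false;
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Colon-separated SHA-256 over the DER encoding, the value keytool -list -v prints. */
    public static String sha256Fingerprint(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                if (sb.length() > 0) sb.append(':');
                sb.append(String.format("%02X", b));
            }
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.err.println("usage: JarSignerCheck <signed.jar> [expected-sha256-fingerprint]");
            return;
        }
        Report r = inspect(Paths.get(args[0]));
        System.out.println("all entries signed: " + r.everyEntrySigned()
                + " (unsigned: " + r.unsignedEntries + ")");
        r.signerFingerprints.forEach((subject, fp) -> System.out.println("signer " + subject
                + (r.selfSignedSubjects.contains(subject) ? " [SELF-SIGNED]" : "")
                + "\n  SHA-256 " + fp));
        if (args.length > 1) {
            // Fingerprint obtained over a second channel (phone, printed on the site, ...).
            boolean pinned = r.signerFingerprints.containsValue(args[1].toUpperCase().replace(" ", ""));
            System.out.println("matches fingerprint obtained out of band: " + pinned);
        }
    }
}
```

Run it against the jar produced by the keytool/signjar steps earlier in the thread. A passing integrity check plus a `[SELF-SIGNED]` signer tells the user only that the jar is exactly what some holder of that private key signed; whether that holder is the site owner is what the second argument, the out-of-band fingerprint, settles.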

Roedy Green

Sep 10, 2005, 5:41:33 PM
On Sat, 10 Sep 2005 17:58:29 GMT, "Darren" <D...@devslashnul.net> wrote
or quoted :

>The question is, is there any legal or moral reason why I should not be able to
>produce code signatures for my own web sites? After all, my applet is not
>accessing the user's own hard drive; in fact it's only testing a socket connection
>to my own website on port 80. Completely harmless.

Let's up the ante here by assuming you are a terrorist organisation
and the combined resources of all branches of the US government are
out to thwart you.

The job of the government is to meddle with terrorist code to insert
spyware.

Let's say the terrorists are on a budget and decide to use a self
signed cert.

During the download, the government can rejar the app as it goes by
adding spy code, using their OWN self signed cert which they
conveniently include in the Jar, signing it "Terrists' R US" just like
the original.

How do the terrorists detect this? The jar seems perfectly normal.
Someone gets suspicious and says, let's download the public key from
the cert to be sure.

The CIA is on the ball, intercepts the request and delivers the
public key of THEIR phony cert.

Now if the terrorists were very clever, they would phone and ask the
fingerprint of the cert and compare that. However the fingerprint
displaying program was long ago compromised in a supposed Windows
update.

Another band of terrorists would use a Thawte Cert. For the CIA to
pull the same stunt they would have to guess the private key of the
terrorist cert. Thawte does not know it.

To avoid the expense of code cracking, the CIA would insist that the
instructions for buying certs be complicated. Then when naive
terrorists came along to buy one, they could be easily duped into
revealing their private key as part of the install or key creation
procedures.

Clever terrorists would use one-time pad encryption, and would never
allow their crucial computers to be attached to the net. They would
use linux not windows so that they could check out all updates. They
would never trust certificates which are effectively under government
control.

Darren

Sep 10, 2005, 10:09:22 PM

"Roedy Green" <loo...@mindprod.com.invalid> wrote in message
news:btj6i1d5tcv5f93e6...@4ax.com...

That's the extreme and fair enough, but as there appears to be a way (unless
I'm not reading this right) of producing a cert yourself, then is there a
legal or moral reason why I shouldn't? Surely these things are encrypted
with a one-way encryption etc, blah.

Andrew Thompson

Sep 10, 2005, 10:14:47 PM
On Sat, 10 Sep 2005 16:38:13 GMT, Roedy Green wrote:

> On Sat, 10 Sep 2005 12:46:28 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote or quoted :
>
>>The only thing I can guess without an URL is that you are
>>doing it differently to Roedy, and I further guess (from
>>the fact that Roedy's works - whereas yours doesn't) wrong.
>
> you have to catch the Security exceptions and do something else.

I suspected it was something along those lines, but did not
have time to check. WassUp is a great little applet.

"We are about to attempt a crash landing. Please extinguish all
cigarettes.."
Laurie Anderson 'From The Air'

Andrew Thompson

Sep 10, 2005, 10:27:05 PM
On Sat, 10 Sep 2005 17:58:29 GMT, Darren wrote:

There is lots of stuff on Google, of varying quality.
Those pages tend towards the 'crap'.

<http://www.suitable.com/docs/signingoverview.html#CAs>
This states "Your last option is to create test
certificates[1]. These are free (good), but won't be
recognized unless you prepare your browser
(inconvenient, and perhaps unsecure). "

[1] For 'test' read 'self-signed'

Rubbish.

The end user is presented with a dialog asking them
if they want to accept the code. If they click 'yes',
it has full privileges, End Of Story.

That same advice is echoed in the document to which
the first links.

> The question is, is there any legal or moral reason why I should not be able to
> produce code signatures for my own web sites?

Nobody has suggested otherwise until now.

..This makes me wonder if you really understand the nature
and purpose of these certificates. Nobody cares if you (or
I) want to produce 1000, or 10,000, self-signed certificates,
or any number of certificates verified by a CA (at phenomenal
cost).

The only issue would be if someone managed to find a way
to issue digital certificates that *claimed* to have been CA
verified, but were *not*. That would both ruin the perception
of security that the digital identities are supposed to ensure,
and be very bad for the CA from a business POV.

"Everybody's groovin' to their own song."
Josh Abrahams/Amiel Daemion 'Addicted to Bass'

Darren

Sep 10, 2005, 11:34:08 PM

"Andrew Thompson" <SeeMy...@www.invalid> wrote in message
news:e28cxi4jzz5l.x...@40tude.net...

> On Sat, 10 Sep 2005 17:58:29 GMT, Darren wrote:
>
> > I found this on google
> > http://www.suitable.com/docs/signing.html
>
> There is lots of stuff on Google, of varying quality.
> Those pages tend towards the 'crap'.

I bow to your experience on this one.


>
> <http://www.suitable.com/docs/signingoverview.html#CAs>
> This states "Your last option is to create test
> certificates[1]. These are free (good), but won't be
> recognized unless you prepare your browser
> (inconvenient, and perhaps unsecure). "

Especially if other people access the page that uses the applets signed with
them.


>
> [1] For 'test' read 'self-signed'
>
> Rubbish.
>
> The end user is presented with a dialog asking them
> if they want to accept the code. If they click 'yes',
> it has full privileges, End Of Story.

again not precisely what I'm after.


>
> That same advice is echoed in the document to which
> the first links.
>
> > The question is, is there any legal or moral reason why I should not be able to
> > produce code signatures for my own web sites?
>
> Nobody has suggested otherwise until now.
>
> ..This makes me wonder if you really understand the nature
> and purpose of these certificates.

In truth, no


>Nobody cares if you (or
> I) want to produce 1000, or 10,000, self-signed certificates,
> or any number of certificates verified by a CA (at phenomenal
> cost).
>
> The only issue would be if someone managed to find a way
> to issue digital certificates that *claimed* to have been CA
> verified, but were *not*. That would both ruin the perception
> of security that the digital identities are supposed to ensure,
> and be very bad for the CA from a business POV.

Well I don't care if they are CA certified. For my purposes ME certified
would do. Can a certificate tell a browser to look at a remote java policy
file (one on my site) rather than the browser's default, for example?

Andrew Thompson

Sep 10, 2005, 11:58:18 PM
On Sun, 11 Sep 2005 03:34:08 GMT, Darren wrote:

>> The end user is presented with a dialog asking them
>> if they want to accept the code. If they click 'yes',
>> it has full privileges, End Of Story.
> again not precisely what I'm after.

Can you describe the experience you expect for the end user?
In terms of..
- user follows link.
- user sees page.
- dialog appears asking 'run privileged code?'
- user clicks...
(well - you need to tell me, in your own words)

[ I am beginning to doubt that what you want is possible,
but I am not yet *sure* what you want. ]

>> ..This makes me wonder if you really understand the nature
>> and purpose of these certificates.
> In truth, no

Have you tried installing any applets or projects that
are signed? Going through the process of downloading
a JWS app. may answer a lot of your questions.

> Well I don't care if they are CA certified. For my purposes ME certified

> would do. Can a certificate tell a browser ...

No certificate in existence can *tell* a browser to *do*
anything. It all comes down to *asking* the *user*.

Try to get that distinction clear, as it is fundamental
to understanding what will happen with code signatures
and permissions.

> ..to look at a remote java policy
> file (one on my site) rather than the browser's default, for example?

What is it supposed to do once it 'looks' at that policy file?
Open the end user's machine to anything that is allowed in the
policy file on your site?

Even if JWS were set up that way, it would still be up
to the *end* *user* to say 'Yes - use the other policy file'.

It is *not* down to 'the browser' alone. If it were, I might
surf in to your site only to have my own browser load a (hidden)
applet that, 'picking up' your policy file, now has unrestricted
access to my PC. Not good.

Any which way you go, the user is asked for their permission.
That is both ..
- a good thing
- unavoidable.

"He was a missing person who nobody missed at all"
Dixie Chicks 'Goodbye Earl'

Roedy Green

Sep 11, 2005, 4:34:14 AM
On Sun, 11 Sep 2005 02:27:05 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>The end user is presented with a dialog asking them
>if they want to accept the code. If they click 'yes',
>it has full privileges, End Of Story.

Not quite true. The dialog for a self-signed cert tends to discourage
the user from hitting grant more than one from Thawte.

To get your cert accepted on equal footing, you have to import it as a
trusted authority.

Roedy Green

Sep 11, 2005, 4:35:10 AM
On Sun, 11 Sep 2005 03:58:18 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>No certificate in existence can *tell* a browser to *do*
>anything. It all comes down to *asking* the *user*.

But a policy file can.

Andrew Thompson

Sep 11, 2005, 5:28:42 AM
On Sun, 11 Sep 2005 08:35:10 GMT, Roedy Green wrote:

> On Sun, 11 Sep 2005 03:58:18 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote or quoted :
>
>>No certificate in existence can *tell* a browser to *do*
>>anything. It all comes down to *asking* the *user*.
>
> But a policy file can.

Thank you for adding that piece of information that will
probably assist in further confusing the OP.

You cannot *install* a policy file off a web site
automatically therefore it is utterly irrelevant
to this thread.

Roedy Green

Sep 11, 2005, 5:50:23 AM
On Sun, 11 Sep 2005 09:28:42 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>You cannot *install* a policy file off a web site
>automatically therefore it is utterly irrelevant
>to this thread.

You can with ONE grant which then can completely change the rules
subsequently.

Think about how you might legitimately go about installing policy
files, installing self-signed certs as official etc.

Chris Berg

Sep 11, 2005, 6:13:34 AM
On Sun, 11 Sep 2005 02:14:47 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote:

>> you have to catch the Security exceptions and do something else.

Heureka!

In IE/MS-VM and old Netscape it doesn't load, so I simply imagined
that would be the situation forever, but I now see that it is
different with the SUN plugin. I just didn't try it until now.

Happiness prevails!

Chris Berg

Sep 11, 2005, 6:30:27 AM
On Sun, 11 Sep 2005 08:34:14 GMT, Roedy Green
<loo...@mindprod.com.invalid> wrote:

I'm tempted to try a self-signed certificate after all this talk, but
is it not so that the browser won't allow you to 'Always grant'
permission, that is, install the cert and never ask again? That would
be my good reason to stick to a purchased one.

Andrew Thompson

Sep 11, 2005, 7:34:21 AM

An extra tip. Old NN might throw a different flavor of
Exception*, if you need to support it, run your code in
it to check what it throws.

* I am pretty sure the code will still load if you can
catch the Exception it throws.

> Happiness prevails!.

Cool. :-)

"Seen you on Aldebaran, safe on the green desert sand"
The Rolling Stones '2000 Light Years From Home'

Andrew Thompson

Sep 11, 2005, 7:39:39 AM
On Sun, 11 Sep 2005 12:30:27 +0200, Chris Berg wrote:
..

> I'm tempted to try a self-signed certificate after all this talk, but
> is not so that the browser won't allow you to 'Always grant'
> permission,

Is that a question, Chris?

Try my PhySci project*. I just (retried) the download link
this moment and it opened without word or whisper of 'Do you Accept'?
Self signed certificate - fully privileged code.

* <http://www.physci.org/install/download.jsp>

Seems from this, that if you click 'Always Accept' when installing
from a self-signed certificate, it works just as well.

[ Oh, ..and I now have complete control of your machine. ;-) ]

"They carry news that must get through. To build a dream for me and you"
Led Zeppelin 'No Quarter'

Roedy Green

Sep 11, 2005, 8:32:24 AM
On Sun, 11 Sep 2005 11:39:39 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote or quoted :

>Seems from this, that if you click 'Always Accept' when installing
>from a self-signed certificate, it works just as well.

Over time Sun has been upping the legitimacy of self-signed certs.

I think originally they saw them for use only in testing while you
waited for your real one to arrive.

Darren

Sep 11, 2005, 9:01:24 AM

"Andrew Thompson" <SeeMy...@www.invalid> wrote in message
news:1c5b6p9itpzlx.6qiyw8jol8gb$.dlg@40tude.net...

> On Sun, 11 Sep 2005 03:34:08 GMT, Darren wrote:
>
> >> The end user is presented with a dialog asking them
> >> if they want to accept the code. If they click 'yes',
> >> it has full privileges, End Of Story.
> > again not precisely what I'm after.
>
> Can you describe the experience you expect for the end user?
> In terms of..
> - user follows link.
> - user sees page.
> - dialog appears asking 'run privileged code?'
> - user clicks...
> (well - you need to tell me, in your own words)
>
> [ I am beginning to doubt that what you want is possible,
> but I am not yet *sure* what you want. ]
Ok, now I have my own server which I own. I have a members-only web site
which I occasionally bring down for maintenance. My public non-members site
is hosted on my ISP's free web space and is up 24/7. I want a little link in
the corner that says "member's area"; now this should only be visible,
clickable, whatever, when the members area (my own private box) is up.

>
> >> ..This makes me wonder if you really understand the nature
> >> and purpose of these certificates.
> > In truth, no
>
> Have you tried installing any applets or projects that
> are signed? Going through the process of downloading
> a JWS app. may answer a lot of your questions.

Well, some sites install Flash Player and I have acquired a Yahoo toolbar in IE,
but other than that, no. Can you give me some examples?


>
> > Well I don't care if they are CA certified. For my purposes ME certified
> > would do. Can a certificate tell a browser ...
>
> No certificate in existence can *tell* a browser to *do*
> anything. It all comes down to *asking* the *user*.
>
> Try to get that distinction clear, as it is fundamental
> to understanding what will happen with code signatures
> and permissions.

Fair enough. Well then, can an applet get the browser (with the user's
permission) to temporarily set its policy file to the one on my members-only
box for the duration that the user is on either my public area or my
members area?

>
> > ..to look at a remote java policy
> > file (one on my site) rather than the browsers default for example.?
>
> What is it supposed to do once it 'looks' at that policy file?
> Open the end user's machine to anything that is allowed in the
> policy file on your site?

No. Just open a socket connection to my members-only site on port and check
if it is up by accessing a dummy page, and return a result on whether the
site is up or down.


>
> Even if JWS were set up that way, it would still be up
> to the *end* *user* to say 'Yes - use the other policy file'.
>

I'm not trying to avoid asking the user. If that's what must be then that's
what must be, but if the user says yes then what I want is explained above.
Please note, in no way am I trying to get access to the end user's hard drive.

> It is *not* down to 'the browser' alone. If it were, I might
> surf in to your site only to have my own browser load a (hidden)
> applet that, 'picking up' your policy file, now has unrestricted
> access to my PC. Not good.

Again, fair enough, but the applet will be located on my public site and not
my members-only site, so security restrictions apply. If it were located on
my members-only site it would not be an issue, but as you can see, the point
is that the applet is not on my members-only site.


>
> Any which way you go, the user is asked for their permission.
> That is both ..
> - a good thing
> - unavoidable.

Again that's not the problem

Darren
Sep 11, 2005, 9:02:50 AM

"Andrew Thompson" <SeeMy...@www.invalid> wrote in message
news:1g6qm5grmx8vi$.iry7mjsjfpu8$.dlg@40tude.net...

> On Sun, 11 Sep 2005 08:35:10 GMT, Roedy Green wrote:
>
> > On Sun, 11 Sep 2005 03:58:18 GMT, Andrew Thompson
> > <SeeMy...@www.invalid> wrote or quoted :
> >
> >>No certificate in existence can *tell* a browser to *do*
> >>anything. It all comes down to *asking* the *user*.
> >
> > But a policy file can.
>
> Thank you for adding that piece of information that will
> probably assist in further confusing the OP.

Actually, he didn't, but thank you for your concern. :)

Darren
Sep 11, 2005, 9:12:47 AM

"Roedy Green" <loo...@mindprod.com.invalid> wrote in message
news:89v7i1h4aff0m3r88...@4ax.com...

> On Sun, 11 Sep 2005 09:28:42 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote or quoted :
>
> >You cannot *install* a policy file off a web site
> >automatically therefore it is utterly irrelevant
> >to this thread.
>
> You can with ONE grant which then can completely change the rules
> subsequently.

Well, that is one method I see for solving my problem. Now bear in mind that I
know very little of Java security and policies other than what you good
people have told me and what I have found on Google, but if either I can get
a web client to temporarily use my own policy file where it can get
permission to open a socket to my web site and read from it, or find another
way to do it like a self-signed certificate, then that would be cool.

Andrew Thompson
Sep 11, 2005, 9:25:32 AM
On Sun, 11 Sep 2005 13:01:24 GMT, Darren wrote:

> "Andrew Thompson" <SeeMy...@www.invalid> wrote in message
> news:1c5b6p9itpzlx.6qiyw8jol8gb$.dlg@40tude.net...
>> On Sun, 11 Sep 2005 03:34:08 GMT, Darren wrote:
>>

>>>> The end user is presented..
..
>>> again not precisely what I'm after.
>>
>> Can you describe the experience you expect for the end user?

..
> Ok now i have my own server which i own. ..

I was not quite clear enough. But..

>> Have you tried installing any applets or projects that
>> are signed? Going through the process of downloading
>> a JWS app. may answer a lot of your questions.

> Well, some sites install Flash Player and I have acquired a Yahoo toolbar in IE,
> but other than that, no. Can you give me some examples..

I'm sure this was mentioned on another thread in this group, but..
<http://www.physci.org/install/download.jsp>
Try that. See how you go.

Also, Roedy's WassUp applet at mindprod.

Roedy's applet is signed using a CA verified certificate,
mine is a self-signed certificate.

"I don't wanna' be like other people are. Don't wanna' own a key, don't
wanna' wash my car.."
New Order 'Turn My Way'

Chris Berg
Sep 11, 2005, 12:00:25 PM
On Sun, 11 Sep 2005 11:34:21 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote:

>An extra tip. Old NN might throw a different flavor of
>Exception*, if you need to support it, run your code in
>it to check what it throws.

Yes, I remember clearly. It was a p... in the a.. ! Absolutely no way
I will continue to support old Netscape!!! There is probably less than
1% of Win users who run Netscape's old VM today. Well, plus maybe
some Apple OS9 users?

Andrew Thompson
Sep 11, 2005, 12:37:23 PM
On Sun, 11 Sep 2005 18:00:25 +0200, Chris Berg wrote:

> On Sun, 11 Sep 2005 11:34:21 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote:
>
>>An extra tip. Old NN might throw a different flavor of
>>Exception*, if you need to support it, run your code in
>>it to check what it throws.
>
> Yes, I remember clearly. It was a p... in the a.. ! Absolutely no way
> I will continue to support old Netscape!!!

(chuckle) I reached that point some time ago..

X-Browser/X-plat compatibility is one thing (OK 2), but
largely, users of *old* *browsers* can either upgrade
or take their chances.

(Fortunately most of my technically oriented users have
up-to-date browsers.)

"What was it you wanted? Tell me again, I forgot."
Bob Dylan 'What Was It You Wanted'

Andrew Thompson
Sep 11, 2005, 12:40:54 PM
On Sun, 11 Sep 2005 12:13:34 +0200, Chris Berg wrote:

> On Sun, 11 Sep 2005 02:14:47 GMT, Andrew Thompson
> <SeeMy...@www.invalid> wrote:
>
>>> you have to catch the Security exceptions and do something else.
>
> Heureka!

..
> Happiness prevails!.

Oh, and FTR, you quoted Roedy there, but 'attributed' it to me.

"The rich getting richer, the poor get the picture."
Midnight Oil 'Read About It'

David Alex Lamb
Sep 11, 2005, 12:47:58 PM
In article <btj6i1d5tcv5f93e6...@4ax.com>,
Roedy Green <loo...@mindprod.com.invalid> wrote:
>Let's up the ante here by assuming you are a terrorist organisation
>and the combined resources of all branches of the US government are
>out to thwart you.

Not only informative, but amusing as well.
--
"Yo' ideas need to be thinked befo' they are say'd" - Ian Lamb, age 3.5
http://www.cs.queensu.ca/~dalamb/ qucis->cs to reply (it's a long story...)

Darren
Sep 11, 2005, 12:51:45 PM

"Andrew Thompson" <SeeMy...@www.invalid> wrote in message
news:w9any2b1dbaw$.1awtj6w8ew73d.dlg@40tude.net...

> On Sun, 11 Sep 2005 13:01:24 GMT, Darren wrote:
>
> > "Andrew Thompson" <SeeMy...@www.invalid> wrote in message
> > news:1c5b6p9itpzlx.6qiyw8jol8gb$.dlg@40tude.net...
> >> On Sun, 11 Sep 2005 03:34:08 GMT, Darren wrote:
> >>
> >>>> The end user is presented..
> ..
> >>> again not precicely what I'm after.
> >>
> >> Can you describe the experience you expect for the end user?
> ..
> > Ok now i have my own server which i own. ..
>
> I was not quite clear enough. But..

Ok, a Linux box with Apache among other things, but I want to open a socket
to port 80. Someone had a good idea of sending an HTTP GET request, and that
should do it if my applet can get the privileges.


>
> >> Have you tried installing any applets or projects that
> >> are signed? Going through the process of downloading
> >> a JWS app. may answer a lot of your questions.
>
> > Well, some sites install Flash Player and I have acquired a Yahoo toolbar in IE,
> > but other than that, no. Can you give me some examples..
>
> I'm sure this was mentioned on another thread in this group, but..
> <http://www.physci.org/install/download.jsp>
> Try that. See see how you go.

Easy enough. Nice interface btw :) and I see you used a *cough* self-signed
*cough* certificate.


>
> Also, Roedy's WassUp applet at mindprod.

Yes, I used that.


>
> Roedy's applet is signed using a CA verified certificate,
> mine is a self-signed certificate.
>

Nice one, but as most of this thread is no longer visible (expired, whatever)
can you recommend a site that accurately instructs me on writing
self-signing certificates for applets in Mozilla and IE?
Incidentally, I never said before this, but I am very grateful for all your
input on this.

Chris Berg
Sep 11, 2005, 2:52:29 PM
On Sun, 11 Sep 2005 16:40:54 GMT, Andrew Thompson
<SeeMy...@www.invalid> wrote:

>On Sun, 11 Sep 2005 12:13:34 +0200, Chris Berg wrote:
>
>> On Sun, 11 Sep 2005 02:14:47 GMT, Andrew Thompson
>> <SeeMy...@www.invalid> wrote:
>>
>>>> you have to catch the Security exceptions and do something else.
>>
>> Heureka!
>..
>> Happiness prevails!.
>
>Oh, and FTR, you quoted Roedy there, but 'attributed' it to me.

Sorry, Roedy :-)


Andrew Thompson
Sep 11, 2005, 6:55:33 PM
On Sun, 11 Sep 2005 16:51:45 GMT, Darren wrote:

> Nice one, but as most of this thread is no longer visible (expired, whatever)
> can you recommend a site that accurately instructs me on writing
> self-signing certificates for applets in Mozilla and IE?

I don't have much time to go into it at the moment, but..

The JDK has the tools in it that you need to create a self-signed certificate.
<http://java.sun.com/j2se/1.5.0/docs/tooldocs/index.html#security>

The certificate is the same one used in all
modern Java's (modern Sun Java running in any browser).

Perhaps Roedy has a page on making the certificate, but I don't,
and don't know of any good ones off the top of my head.

> Incidently I never said before this but I am very grateful for all your
> input on this.

You're welcome.

Dag Sunde
Sep 12, 2005, 3:40:13 AM
"Roedy Green" <loo...@mindprod.com.invalid> wrote in message
news:btj6i1d5tcv5f93e6...@4ax.com...
> On Sat, 10 Sep 2005 17:58:29 GMT, "Darren" <D...@devslashnul.net> wrote
> or quoted :

>
>>The question is, is there any legal, moral reason why I should not be able to
>>produce code signatures for my own web sites? After all, my applet is not
>>accessing a user's own hard drive; in fact it's only testing a socket connection
>>to my own website on port 80. Completely harmless.
>
> Let's up the ante here by assuming you are a terrorist organisation
> and the combined resources of all branches of the US government are
> out to thwart you.
>
LOL...

Finally an entertaining lecture on security...

That said, Andrew's 'problems' with grokking code signing and certificates
are all too common. I was there myself 4-5 years ago, and worked, searched
and sweated for weeks before I finally got it. (And yes Andrew, I actually
bought one from Verisign at US$400 before I was able to test that it
worked).

After getting everything up and running, I too did as others in the
thread suggested and got it into a .bat file (later an Ant task) before I forgot
the whole thing.

Later I have used both openSSL and KeyTool to make self-signed certificates
for testing purposes and to serve Applets off my own web-site.

This link is a reasonable walk-thru for using keyTool to create a
certificate:
http://www.jensign.com/JavaScience/www/selfsigned/

--
Dag.


Dag Sunde
Sep 12, 2005, 3:56:27 AM
"Darren" <D...@devslashnul.net> wrote in message
news:j3WUe.4364$st1....@newsfe3-gui.ntli.net...
>
<snipped>

> Well, that is one method I see for solving my problem. Now bear in mind that
> I know very little of Java security and policies other than what you good
> people have told me and what I have found on Google, but if either I can get
> a web client to temporarily use my own policy file where it can get
> permission to open a socket to my web site and read from it, or find another
> way to do it like a self-signed certificate, then that would be cool.

Darren...

Let's clear up this once and for all?

Your scenario is that:
* You have two web-servers
* Server A does NOT have server-side scripting available (B Does)
* On a web-page served from server A, you would like to inform
the user if server B is up and running.
* You tried to solve this by writing an Applet on the page from
server A. This Applet tried to open something on Server B.
If this was successful you would know that Server B was running.
* Your applet was stopped by a security-exception because it tried
to do a cross-domain request.
* I think it was I that led you down the path to the .policy file.
That was wrong of me, and I just did it to verify that your
development machine didn't have any special setup.
* From this point on, *forget* about .policy files.
* Create a jar file with a manifest from your original applet.
* Use the following procedure to create a self-signed certificate
and sign your applet:
http://www.jensign.com/JavaScience/www/selfsigned/
* Redeploy the applet, and things should be working.
* No need for any special security or permission code.

(Or have I completely missed the point here?)

--
Dag.
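A batch file that chains the steps in Dag's list above (jar with a manifest, self-signed certificate, sign, verify, redeploy), added here as an illustration; it is not code from any poster in this thread. The JDK path, key alias and certificate file name are the ones Darren uses further down the thread; the keystore file, the passwords and the certificate subject (-dname) are placeholders.

```batch
@echo off
rem Added example, not code from any poster in this thread.
rem Builds, self-signs and verifies an applet jar with the JDK tools.
rem Placeholders (assumptions): keystore file, passwords and the -dname subject.
setlocal
set JDK=c:\j2sdk1.4.2_06\bin
set WORK=c:\applets
set KEYSTORE=%WORK%\devkeys.jks
set STOREPASS=changeit
set ALIAS=dazkey
set JAR=%WORK%\Helloserver.jar

rem 1. Generate an RSA key pair plus a self-signed certificate in our own keystore.
rem    Giving -dname on the command line avoids the interactive prompts;
rem    -validity is in days. The CN is what the end user sees in the dialog,
rem    so make it say plainly that nobody has verified it.
"%JDK%\keytool" -genkey -keyalg RSA -keysize 2048 -validity 365 ^
  -alias %ALIAS% -keystore "%KEYSTORE%" -storepass %STOREPASS% -keypass %STOREPASS% ^
  -dname "CN=Developer Only - Not Verified, OU=Testing, O=Example, C=GB"
if errorlevel 1 goto fail

rem 2. Export the public certificate and print it, to check the subject and
rem    validity period before anything is signed with it.
"%JDK%\keytool" -export -alias %ALIAS% -keystore "%KEYSTORE%" -storepass %STOREPASS% ^
  -file "%WORK%\dazsuncert.crt"
if errorlevel 1 goto fail
"%JDK%\keytool" -printcert -file "%WORK%\dazsuncert.crt"

rem 3. Build the jar. -C changes directory first, so Helloserver.class is stored
rem    at the root of the archive (where code="Helloserver.class" looks for it)
rem    rather than under an applets\ folder. jar writes a default manifest,
rem    which jarsigner needs in order to record the per-entry digests.
"%JDK%\jar" cvf "%JAR%" -C "%WORK%" Helloserver.class
if errorlevel 1 goto fail

rem 4. Sign every entry in the jar with the private key behind the alias.
"%JDK%\jarsigner" -keystore "%KEYSTORE%" -storepass %STOREPASS% "%JAR%" %ALIAS%
if errorlevel 1 goto fail

rem 5. Verify: recomputes each entry's digest against the signed manifest and
rem    lists the signer certificate. This catches a jar altered after signing,
rem    but a self-signed certificate chains to no trusted CA, so it says
rem    nothing about who %ALIAS% really is. That is why the browser still asks.
"%JDK%\jarsigner" -verify -verbose -certs "%JAR%"
if errorlevel 1 goto fail

echo Signed and verified %JAR%
goto end

:fail
echo A step failed; see the output above.
endlocal
exit /b 1

:end
endlocal
```

The -verify step is the check worth keeping in the script: it proves the entries still match what was signed, and nothing more, which is the "fancy checksum" point made elsewhere in the thread.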


Andrew Thompson
Sep 12, 2005, 4:01:17 AM
On Mon, 12 Sep 2005 07:40:13 GMT, Dag Sunde wrote:

> (And yes Andrew, I actually
> bought one from Verisign at US$400 before I was able to test that it
> worked).

Thanks Dag. That is the first actual evidence I have,
that that happens.

[ I'm guessing you felt a little nervous about it, though. ;-) ]

"Maybe I've gotta' shake my memory again.."
Headless Chickens 'Cruise Control'

Dag Sunde
Sep 12, 2005, 4:28:32 AM
"Andrew Thompson" <SeeMy...@www.invalid> wrote in message
news:fncl9e5klsbl.x...@40tude.net...

> On Mon, 12 Sep 2005 07:40:13 GMT, Dag Sunde wrote:
>
>> (And yes Andrew, I actually
>> bought one from Verisign at US$400 before I was able to test that it
>> worked).
>
> Thanks Dag. That is the first actual evidence I have,
> that that happens.
>
> [ I'm guessing you felt a little nervous about it, though. ;-) ]
>

I had read a lot about it up front, and I "thought" I had understood it.

So I showed up at my boss' office, and told him that I absolutely
had to have it, and that there was no way I could make our applet
behave without it. He gave in, and paid the bill.

I can assure you that there was one nervous programmer in the period
following, until I actually signed and tested our applet back then...
($400.- was a lot of money for us back then)

:-)

--
Dag.


Dag Sunde
Sep 12, 2005, 4:31:29 AM
"Darren" <D...@devslashnul.net> wrote in message
news:BgZUe.6383$zw1...@newsfe2-gui.ntli.net...
>
<snipped/>

> Nice one, but as most of this thread is no longer visible (expired,
> whatever) can you recommend a site that accurately instructs me on writing
> self-signing certificates for applets in Mozilla and IE?
> Incidentally, I never said before this, but I am very grateful for all your
> input on this.

http://www.jensign.com/JavaScience/www/selfsigned/

(No need to do the last two steps for signing).

--
Dag.


Andrew Thompson
Sep 12, 2005, 4:42:24 AM
On Mon, 12 Sep 2005 08:28:32 GMT, Dag Sunde wrote:

(CA certified code signing certificates)

> ..So I showed up at my boss' office, and told him that I absolutely
> had to have it, and that there was no way I could make our applet
> behave without it. He gave in, and paid the bill.

One might also read that as 'the manager saw the sense of
trusting the tech. advice offered by his technical advisor'.

[ I hear a lot of bad things said about managers that AFAIU,
are good at doing what they are supposed to do, I.E.
managing people/projects, and ensuring the right technical
people are in place to handle the details. ]

"Not a word, could I relate. The story was quite clear.."
Led Zeppelin 'Kashmir'

Raymond DeCampo
Sep 13, 2005, 11:46:11 AM
Roedy Green wrote:
> On Sat, 10 Sep 2005 17:45:18 GMT, Raymond DeCampo
> <nos...@twcny.rr.com> wrote or quoted :
>
>
>>The problem is not one of trusting you; it is trusting that there has
>>not been a "man in the middle" attack.
>
>
> By this you mean somebody interfering with the transmission from your
> site to the end user in real time, which is much less likely than the
> sort of attack of somebody downloading your code meddling with it,
> then reposting it elsewhere.

I think a more likely strategy for a "man in the middle" attack is to
hijack a router and/or DNS server at an ISP and send people to a mirror
server. I agree that it is not a likely attack. I was just pointing
out that there is a technical purpose to having certificates beyond
self-signed. Whether the cost-benefit-risk calculation makes it worth
it is another story.

>
> The Thawte style cert will protect you from both. A self-signed cert
> will protect you from neither.
>
> The self signed cert does almost nothing but add a fancy checksum to
> the download.

Ray

--
XML is the programmer's duct tape.

Darren
Sep 14, 2005, 2:10:15 PM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:LwaVe.5479$qE.12...@juliett.dax.net...
Nope. Nail on head. :)
All goes well until I try implementing it, then I get a class not found:
java.lang.ClassNotFoundException: Helloserver.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.FileNotFoundException:
C:\applets\Helloserver.jar\Helloserver\class.class (The system cannot find
the path specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(Unknown
Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
Exception in thread "Thread-5" java.lang.NullPointerException
at sun.plugin.util.GrayBoxPainter.showLoadingError(Unknown Source)
at sun.plugin.AppletViewer.showAppletException(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

"C:\applets\Helloserver.jar\Helloserver\class.class "

Something wrong there. The class is called helloserver.class, not class.class,
and it's located in c:\applets\, not in c:\applets\helloserver.

I tried to open the jar file with WinZip and I got "failed to load
main-class manifest attribute from c:\archive\Helloserver.jar".
Am I right in thinking the manifest is something to do with the security of
the signature of the jar?

Also, am I right in thinking that once I've created the signature, I can sign
as many applets as I want with the same signature?

TIA
>
> --
> Dag.
>
>

Dag Sunde
Sep 14, 2005, 3:18:32 PM
"Darren" <D...@devslashnul.net> wrote in message
news:bIZVe.6391$st1....@newsfe3-gui.ntli.net...
<snipped/>

>
> "C:\applets\Helloserver.jar\Helloserver\class.class "
>
> Something wrong there. The class is called helloserver.class, not class.class,
> and it's located in c:\applets\, not in c:\applets\helloserver.
>

C:\... ???

Can you post the html you use to load the applet? Ie. the webpage containing
the applet.


> I tried to open the jar file with WinZip and I got "failed to load
> main-class manifest attribute from c:\archive\Helloserver.jar".
> Am I right in thinking the manifest is something to do with the security of
> the signature of the jar?
>

Yes, the Jar file must have a manifest to be signed, but the 'jar' command
will add a default one if you don't specify one manually:

jar cfv test.jar MyClass.class


> Also, am I right in thinking that once I've created the signature, I can sign
> as many applets as I want with the same signature?
>

Yes, that is correct.

--
Dag.


Darren
Sep 14, 2005, 6:28:06 PM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:cI_Ve.5603$qE.12...@juliett.dax.net...

Locally tested. I don't want to upload it till it's working.


>
> Can you post the html you use to load the applet? Ie. the webpage
> containing the applet.

<HTML>
<HEAD>
</HEAD>
<BODY BGCOLOR="000000">
<CENTER>
<APPLET
code = "Helloserver.class"
codebase = "c:\applets"
archive = "Helloserver.jar"
width = "500"
height = "300"
>
</APPLET>
</CENTER>
</BODY>
</HTML>
I tried it with c:\\applets as well but it made no difference


>
>
> > I tried to open the jar file with WinZip and I got "failed to load
> > main-class manifest attribute from c:\archive\Helloserver.jar".
> > Am I right in thinking the manifest is something to do with the security
> > of the signature of the jar?
> >
> Yes, the Jar file must have a manifest to be signed, but the 'jar' command
> will add a default one if you don't specify one manually:
>
> jar cfv test.jar MyClass.class

I thought as much :)


>
>
> > Also, am I right in thinking that once I've created the signature, I can
> > sign as many applets as I want with the same signature?
> >
>
> Yes, that is correct.

It appears I'm beginning to understand this stuff after all. :)

>
> --
> Dag.
>
>


Dag Sunde
Sep 15, 2005, 1:43:04 AM

"Darren" <D...@devslashnul.net> wrote in message
news:Wt1We.964$6p....@newsfe4-gui.ntli.net...

>
> "Dag Sunde" <m...@dagsunde.com> wrote in message
<snipped/>

>>
>> C:\... ???
>
> Locally tested. I don't want to upload it till it's working.
>
>
>>
>> Can you post the html you use to load the applet? Ie. the webpage
>> containing the applet.
> <HTML>
> <HEAD>
> </HEAD>
> <BODY BGCOLOR="000000">
> <CENTER>
> <APPLET
> code = "Helloserver.class"
> codebase = "c:\applets"
> archive = "Helloserver.jar"
> width = "500"
> height = "300"
> >
> </APPLET>
> </CENTER>
> </BODY>
> </HTML>
> I tried it with c:\\applets as well but it made no difference
>>

Can you try to put the .jar in the same directory as the html,
and use 'codebase = "."'

(I suspect the codebase attribute doesn't like Disk-based paths).

--
Dag.


Darren
Sep 15, 2005, 7:03:01 AM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:IR7We.5623$qE.12...@juliett.dax.net...
I tried that. I even removed codebase altogether. No difference, though IE
didn't ask me for permission to run it. Should it have?

> --
> Dag.
>
>


Dag Sunde
Sep 15, 2005, 9:32:16 AM
"Darren" <D...@devslashnul.net> wrote in message
news:FxcWe.9344$zw1....@newsfe2-gui.ntli.net...
I have an applet doing exactly what you are trying to do, and it works
perfectly when run from a web-server.

I tried just now to run it from a local drive (the html + jar), and the
Java console shows me a permission denied.

I suggest you set up a web-server locally, so you get a proper
test environment. There are too many differences between running something
from disk and running it under the control of a web-server.

--
Dag.


Darren
Sep 15, 2005, 5:52:47 PM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:AJeWe.5645$qE.12...@juliett.dax.net...
Do you get a class not found error as well?
> --
> Dag.
>
>


Dag Sunde
Sep 15, 2005, 8:19:00 PM
"Darren" <D...@devslashnul.net> wrote in message
news:P2mWe.22005$Aa1....@newsfe5-gui.ntli.net...

>
> "Dag Sunde" <m...@dagsunde.com> wrote in message
<snipped />

>> I have an applet doing exactly what you are trying to do, and it works
>> perfectly when run from a web-server.
>>
>> I tried just now to run it from a local drive (the html + jar), and the
>> Java console shows me a permission denied.
>>
>> I suggest you set up a web-server locally, so you get a proper
>> test environment. There are too many differences between running something
>> from disk and running it under the control of a web-server.
>>
> Do you get a class not found error as well?

No, but I use Swing and Sun's Java plugin.
That means I use a combination of two <object> tags
instead of the <applet> tag. That might be it?

Is your class a member of a package?

<object
id="helloFF"
type="application/x-java-applet"
archive="crossdomain.jar"
codebase="."
data="no.orion.crossdomain.CrossDomain.class"
width="250"
height="150"
class="notieapplet">
<param name="code" value="no.orion.crossdomain.CrossDomain.class" />
<param name="codebase" value="." />
<param name="archive" value="crossdomain.jar" />
<param name = "mayscript" value ="true"/>
<param name = "scriptable" value = "true" />

<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
id="helloIE"
type="application/x-java-applet"
data="no.orion.crossdomain.CrossDomain.class"
archive="crossdomain.jar"
codebase="."
width="150"
height="75">
<param name="code" value="no.orion.crossdomain.CrossDomain.class" />
<param name="codebase" value="." />
<param name="archive" value="crossdomain.jar" />
<param name="codebase" value="crossdomain.jar" />
<param name = "mayscript" value ="true" />
<param name = "scriptable" value = "true" />
</object>
</object>

--
Dag.


Darren
Sep 16, 2005, 7:09:02 AM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:UboWe.5672$qE.12...@juliett.dax.net...

> "Darren" <D...@devslashnul.net> wrote in message
> news:P2mWe.22005$Aa1....@newsfe5-gui.ntli.net...
> >
> > "Dag Sunde" <m...@dagsunde.com> wrote in message
> <snipped />
> >> I have an applet doing exactly what you are trying to do, and it works
> >> perfectly when run from a web-server.
> >>
> >> I tried just now to run it from a local drive (the html + jar), and the
> >> Java console shows me a permission denied.
> >>
> >> I suggest you set up a web-server locally, so you get a proper
> >> test environment. There are too many differences between running something
> >> from disk and running it under the control of a web-server.
> >>
> > Do you get a class not found error as well?
>
> No, but I use Swing and Sun's Java plugin.
> That means I use a combination of two <object> tags
> instead of the <applet> tag. That might be it?
>
I tried putting it on my website but it didn't solve the problem

> Is your class a member of a package?
Only a jar, but that's not what you mean, is it?
Is that what the data and param name = "code" attributes are about?
I notice one is for IE; what's the FF mean on the other, and "mayscript" and
"scriptable"?

Dag Sunde
Sep 16, 2005, 8:49:52 AM
"Darren" <D...@devslashnul.net> wrote in message
news:iJxWe.3609$1A....@newsfe1-gui.ntli.net...

>
> "Dag Sunde" <m...@dagsunde.com> wrote in message
> news:UboWe.5672$qE.12...@juliett.dax.net...
<snipped />

>> No, but I use Swing and Sun's Java plugin.
>> That means I use a combination of two <object> tags
>> instead of the <applet> tag. That might be it?
>>
> I tried putting it on my website but it didn't solve the problem
>> Is your class a member of a package?
> Only a jar, but that's not what you mean, is it?

No, I mean: at the top of your source-code file, is there a line like this:
package no.orion.crossdomain;
Where 'no.orion.crossdomain' is the package name for my class.

When I refer to the class 'Crossdomain.class' in the applet or object
tag, I have to specify the package name as well, so the full name becomes:
'no.orion.crossdomain.Crossdomain.class'


> Is that what the data and param name = "code" attributes are about?
> I notice one is for IE; what's the FF mean on the other, and "mayscript"
> and "scriptable"?

The double use of object here is a trick Chris Head made up, since it
is only IE that recognizes the 'classid=' attribute, so the other object
tag is for anything other than IE (Netscape, Opera, FF...).

But for your simple applet, you don't need the complexity of the object
tag, so you should stick with the applet tag.

If you want, I can make an applet for you, that takes a server name and
a file name as parameters, and sign it for you, just as a test.

So you can try to put it on your server to see if it is you that is doing
anything wrong, or if it is something with your environment...

--
Dag.


Darren
Sep 16, 2005, 11:24:45 AM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:QbzWe.5683$qE.12...@juliett.dax.net...

> "Darren" <D...@devslashnul.net> wrote in message
> news:iJxWe.3609$1A....@newsfe1-gui.ntli.net...
> >
> > "Dag Sunde" <m...@dagsunde.com> wrote in message
> > news:UboWe.5672$qE.12...@juliett.dax.net...
> <snipped />
> >> No, but I use Swing and Sun's Java plugin.
> >> That means I use a combination of two <object> tags
> >> instead of the <applet> tag. That might be it?
> >>
> > I tried putting it on my website but it didn't solve the problem
> >> Is your class a member of a package?
> > Only a jar, but that's not what you mean, is it?
>
> No, I mean: at the top of your source-code file, is there a line like this:
> package no.orion.crossdomain;
> Where 'no.orion.crossdomain' is the package name for my class.

Oh right, no, I don't use one of those, but I didn't think I would need to for
a single class.


>
> When I refer to the class 'Crossdomain.class' in the applet or object
> tag, I have to specify the package name as well, so the full name becomes:
> 'no.orion.crossdomain.Crossdomain.class'
>
>
> > Is that what the data and param name = "code" attributes are about?
> > I notice one is for IE; what's the FF mean on the other, and "mayscript"
> > and "scriptable"?
>
> The double use of object here is a trick Chris Head made up, since it
> is only IE that recognizes the 'classid=' attribute, so the other object
> tag is for anything other than IE (Netscape, Opera, FF...).

Ha, I figured. Bloody browsers. :)


>
> But for your simple applet, you don't need the complexity of the object
> tag, so you should stick with the applet tag.
>
> If you want, I can make an applet for you, that takes a server name and
> a file name as parameters, and sign it for you, just as a test.
>
> So you can try to put it on your server to see if it is you that are doing
> anything wrong, or if it is something with your environment...

I would appreciate that very much. One thing I'm curious about: as my jar
file is secured and signed, then shouldn't my browser ask my permission to
use it?

>
> --
> Dag.
>
>


Dag Sunde
Sep 16, 2005, 1:56:54 PM

"Darren" <D...@devslashnul.net> wrote in message
news:1tBWe.22283$Aa1....@newsfe5-gui.ntli.net...

Yes, it should!

BTW...
The MayScript attribute means that the Applet should be allowed to
access JavaScript code in the page that contains it.
The Scriptable attribute means that JavaScript should be allowed to
call public methods in the Applet.

Ok...
I'll modify the CrossDomain Applet I made for testing, then I jar and sign it
with my self-signed certificate.
Then I put up a sample html-file that uses it, and some kind of testfile to
put on your private server, so the applet has something well-known to ask
for.

I'll try to do it tonight...

--
Dag.


Darren
Sep 16, 2005, 3:37:12 PM

"Dag Sunde" <m...@dagsunde.com> wrote in message
news:GHDWe.5694$qE.12...@juliett.dax.net...
Much appreciated. I wonder why my browser didn't ask permission. Do you
think it might be something to do with those last two steps on that page
posted by I can't remember who (and my apologies to that poster for not
acknowledging you sooner)? I read that the last two steps I didn't have to do.

>
> --
> Dag.
>
>


Darren
Sep 19, 2005, 8:40:54 PM

I think the problem has something to do with the jar file. It would load the
class file fine, but when I stick it in a self-signed jar then it throws a
wobbler. Here's what I did:


c:\j2sdk1.4.2_06\bin\keytool -genkey -keyalg rsa -alias dazkey
c:\j2sdk1.4.2_06\bin\keytool -export -alias dazkey -file dazsuncert.crt
c:\j2sdk1.4.2_06\bin\jar cvf c:\applets\Helloserver.jar c:\applets\Helloserver.class
c:\j2sdk1.4.2_06\bin\jarsigner c:\applets\Helloserver.jar dazkey
c:\j2sdk1.4.2_06\bin\jarsigner -verify -verbose -certs c:\applets\Helloserver.jar

This is what the Java console reported:
Java Plug-in 1.5.0_04
Using JRE version 1.5.0_04 Java HotSpot(TM) Client VM
User home directory = C:\WINDOWS


----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------

load: class Helloserver.class not found.
java.lang.ClassNotFoundException: Helloserver.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more

Exception in thread "Thread-4" java.lang.NullPointerException
at sun.plugin.util.GrayBoxPainter.showLoadingError(Unknown Source)
at sun.plugin.AppletViewer.showAppletException(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.lang.NullPointerException
at sun.plugin.util.GrayBoxPainter.showLoadingError(Unknown Source)
at sun.plugin.AppletViewer.showAppletStatus(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Exception in thread "thread applet-Helloserver.class" java.lang.NullPointerException
at sun.plugin.util.GrayBoxPainter.showLoadingError(Unknown Source)
at sun.plugin.AppletViewer.showAppletException(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

The source is below

import java.awt.Graphics;
import java.applet.Applet;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.security.AccessControlException;

public class Helloserver extends Applet
{
    // Text painted on the applet surface; the raw socket below talks to
    // serverAddress:port, not to this URL.
    private String hostname = "http://g7wap.dyndns.org/";
    private String serverAddress = "10.0.0.254";
    private int port = 80;
    // Minimal HTTP/1.1 request. Host: is mandatory in 1.1, and Connection: close
    // makes the server end the response instead of leaving read() to time out.
    private String tmpStr = "GET / HTTP/1.1\r\nHost: " + serverAddress
                          + "\r\nConnection: close\r\n\r\n";
    private byte[] getStr = tmpStr.getBytes();

    public void init()
    {
        hello();
    }

    public void paint(Graphics g)
    {
        g.drawString(hostname, 50, 60);
    }

    /**
     * Opens a socket to the server, sends the GET and reads the first chunk
     * of the reply. Returns false if the connection or the exchange failed;
     * the reason is printed to the Java console. An unsigned (or untrusted)
     * applet fails here with AccessControlException, because the sandbox only
     * lets an applet connect back to the host it was loaded from.
     */
    protected boolean hello()
    {
        Socket socket = new Socket();
        try
        {
            // O P E N
            socket.setSoTimeout(3000);
            socket.connect(new InetSocketAddress(serverAddress, port), 3000);

            // W R I T E
            OutputStream os = socket.getOutputStream();
            os.write(getStr, 0, getStr.length);
            os.flush();

            // R E A D
            InputStream is = socket.getInputStream();
            byte[] ba = new byte[1024];
            int bytesRead = is.read(ba, 0 /* offset in ba */, ba.length /* max bytes */);
            if (bytesRead != -1)
            {
                // Convert only the bytes actually read, not the whole buffer.
                String buf = new String(ba, 0, bytesRead);
                System.out.println(bytesRead);
                System.out.println(buf);
            }
            return true;
        }
        catch (AccessControlException u)
        {
            // Sandbox refused the connect: jar not signed, or signer not accepted.
            System.err.println(u.getMessage());
            return false;
        }
        catch (UnknownHostException u)
        {
            return false;
        }
        catch (SocketTimeoutException u)
        {
            return false;
        }
        catch (IOException u)
        {
            System.err.println(u.getMessage());
            return false;
        }
        finally
        {
            // C L O S E
            try
            {
                socket.close();
            }
            catch (IOException ignored)
            {
            }
        }
    }
}
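Added example (not part of Darren's post or of any project discussed here): the `jarsigner -verify -verbose -certs` step above, and the question earlier in the thread of whether a signed jar should make the browser ask for permission, both come down to one thing, whether every entry in the jar actually carries a signature that verifies. The program below does that check programmatically with the standard `java.util.jar` API. The class name `JarSignerCheck` and the command-line usage are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Reports, for every entry in a jar, whether it is signed, by whom, and
 * whether its digest still matches (added example; class name is assumed).
 */
public class JarSignerCheck
{
    public static void main(String[] args) throws IOException
    {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <file.jar>");
            System.exit(2);
        }
        System.exit(check(args[0]) ? 0 : 1);
    }

    /** Returns true only if every non-META-INF entry is signed and verifies. */
    public static boolean check(String path) throws IOException
    {
        boolean allSigned = true;
        // verify=true: signature block files are checked as entries are read.
        JarFile jar = new JarFile(path, true);
        try {
            byte[] scratch = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed
                }
                // The digest is only compared once the entry has been read to EOF;
                // a modified entry throws SecurityException from read().
                InputStream in = jar.getInputStream(e);
                try {
                    while (in.read(scratch) != -1) { /* consume */ }
                } catch (SecurityException tampered) {
                    System.out.println("TAMPERED  " + e.getName() + ": " + tampered.getMessage());
                    allSigned = false;
                    continue;
                } finally {
                    in.close();
                }
                // Null until the entry has been fully read, and null for an unsigned entry.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED  " + e.getName());
                    allSigned = false;
                    continue;
                }
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    String who = (leaf instanceof X509Certificate)
                        ? ((X509Certificate) leaf).getSubjectX500Principal().getName()
                        : leaf.getType();
                    System.out.println("SIGNED    " + e.getName() + "  by " + who);
                }
            }
        } finally {
            jar.close();
        }
        return allSigned;
    }
}
```

Two things worth knowing when reading its output. A self-signed certificate is reported exactly like a CA-issued one: this check proves that the entries were signed with the key behind the listed certificate and have not been altered since, nothing about whether that key should be trusted; the permission prompt in the plugin is that separate trust decision. And an entry added to the jar after signing shows up as UNSIGNED rather than as an error, which is why the per-entry check matters and a simple "does the jar contain a signature file" look is not enough.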
