Signed Java Applet for IE and Netscape
M. Gallant 05/09/2002
This page demonstrates how to deploy a privileged Java applet which will run
in either Internet Explorer or Netscape Communicator using the browser's own
internal Java Virtual Machine. Privileged Java code is any code which executes beyond
the JVM "security sandbox", for example accessing the client's local file system, executing
native applications, or making arbitrary network connections to servers other than the host
sourcing the original applet.
For basic demonstration purposes here, this signed Java applet will attempt to launch the standard Win32 notepad.exe
application (if present at the default install paths). If the application is not found, an exception
is caught and status is displayed to the Java console System.out PrintStream. The default install paths are:
C:\windows\notepad.exe (Win95)
C:\winnt\notepad.exe (WinNT, Win2000, WinXP)
Java Applet Source Code
The code can easily be extended to launch any Win32 native application,
providing a very powerful web-programming paradigm, with desktop continuity.
The applet is signed using an enterprise code-signing certificate and, for the applet to start properly
with the appropriate security dialog, the associated WebConnector root CA certificate must be imported
into the Netscape Communicator or IE4+ browser CA certificate store.
The HTML code for this page enables either browser (IE or Netscape) to use
its corresponding archive, as described in Microsoft Java Documentation:
This is the simplest form of tag supporting both browsers. For IE, versioning
control and client-installation are also possible using Distribution Units
and the Java Package Manager technology.
[Another approach which enables running fully privileged code uniformly in both browsers
with Java 2 functionality uses the JavaPlugin approach with RSA-signing.]
Details of Compiling and Code-Signing:
There is one Java class file, with multiple try/catch blocks to handle
the security classes relevant to either Netscape or Microsoft browser JVMs; the
Microsoft Visual J++ compiler jvc.exe Version 6.00.8424 was used with the
Microsoft SDK for Java V4. The classpath must include the Netscape security classes
(either Java40.jar from the Netscape install directory, or the
Netscape Capabilities classes in the capsapi_classes.zip archive).
There are security statements in the init() method, which force the Netscape security dialog
to display on first loading the page. The security statements for IE are included, but are only
required if some privileged code runs in the init() method ("call-stack tracing"), as described in detail
in the interesting KB article "SecurityExceptionEx Exception Running a Java Applet".
- For Microsoft IE browser (IE4+), the following batch file was used with
Microsoft SDK for Java 4.0 tools to compile, archive, sign and time-stamp
the Java class file into a .cab archive:
jvc /cp:p capsapi_classes.zip RunApp.java
cabarc -p n runappIE.cab RunApp.class
signcode -j javasign.dll -jp LOW -cn "Michel I. Gallant" -n "Native Application Launcher" -t "http://timestamp.verisign.com/scripts/timstamp.dll" runappIE.cab
The signature in the cab file can be verified/viewed by right-clicking the cab file
and selecting Properties CAB archive. Contents of the cab
file can also be displayed using the cabarc.exe utility.
- For Netscape Communicator 4.5+, the Netscape Signtool1.3 utility
was used with the following command:
signtool -k "keynickname" -d cacertdb -Z runappNN.jar signdir
Any standard archiving tool will display the contents of the JAR archive showing
the signature file (sf) and signature block (rsa) components.
The unusual "nickname" for the code-signing certificate is a result of importing the
PKCS#12 certificate object from the Win32 CryptoAPI cert database into the Netscape certificate
database file, as discussed by a certificate vendor.
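
The inspection of a signed JAR's contents mentioned above can also be scripted. The following Python is an added example, not code from the original page or from the author's tooling: it lists the signature file and signature block entries of a JAR and compares each entry against the digest recorded in META-INF/MANIFEST.MF, reporting entries changed or added after signing. It checks only the manifest-digest layer, not the PKCS#7 signature block; the sample archive, its sample.sf/sample.rsa entries and Extra.class are constructed for the demonstration.

```python
import base64, hashlib, io, zipfile
MF = "META-INF/MANIFEST.MF"
ALGS = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256"}  # manifest name -> hashlib name

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(data):
    """Check the manifest-digest layer only; the PKCS#7 block is not verified here."""
    report = {"signature_files": [], "mismatch": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        manifest = parse_manifest(jar.read(MF).decode()) if MF in names else {}
        for name in names:
            if name.upper().startswith("META-INF/"):
                if name.upper().endswith((".SF", ".RSA", ".DSA")):
                    report["signature_files"].append(name)
                continue
            digests = {k[:-7]: v for k, v in manifest.get(name, {}).items()
                       if k.endswith("-Digest") and k[:-7] in ALGS}
            if not digests:
                report["unlisted"].append(name)  # not covered by the signed manifest
            body = jar.read(name)
            if any(base64.b64encode(hashlib.new(ALGS[a], body).digest()).decode() != d
                   for a, d in digests.items()):
                report["mismatch"].append(name)  # content differs from recorded digest
    return report

def build_sample_jar(tamper=False, add_unlisted=False):
    """Constructed sample archive; signature files are placeholders, not real signatures."""
    cls = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha1(cls).digest()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MF, "Manifest-Version: 1.0\r\n\r\nName: RunApp.class\r\n"
                         "SHA1-Digest: " + digest + "\r\n\r\n")
        jar.writestr("META-INF/sample.sf", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/sample.rsa", b"placeholder bytes")
        jar.writestr("RunApp.class", cls + b"!" if tamper else cls)
        if add_unlisted:
            jar.writestr("Extra.class", b"added after signing")
    return buf.getvalue()
```

An entry reported under "unlisted" or "mismatch" means the archive content no longer corresponds to what the manifest, and therefore the signature over it, covers.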