An applet is a program written in the Java programming language that can be included in an HTML page, in the same way an image is included in a page. Applets are used to provide interactive features to web applications that aren't native to HTML. Most of the time, Java applet security completely bans access to the machine's resources (hard disk, the registry, etc.) and to the network (an applet can only communicate with its server of origin).
If you want to create an applet that goes beyond these restrictions, two things are required:
- The applet must be cryptographically signed
- The user must explicitly allow the applet to access the system
(This is a voluntary action by the user and cannot be bypassed.)
Once these two conditions are met, you can read/write to disk, launch programs (Runtime.getRuntime().exec("...")), download things (URL connection) or use the eval() command.
Compile your applet
As usual, create a .jar
- Your cryptographic key is what signs your applets as yours.
- Type: keytool -genkey -alias (your alias name)
and enter the necessary information. Remember the password you entered to protect this key.
- You only need to generate your key once. Once you have your key, you can use it to sign all the applets you want.
- (Note that your key can optionally have an expiration date.)
- Note: On Windows, the key is placed in the user profile.
- (\Documents and Settings\yourlogin\.keystore)
- You must protect this keystore at all costs.
- (Otherwise someone could create malicious applets signed by you!)
Sign your applet with your key
- Type: jarsigner -verbose monapplet.jar votreNomdAlias (monapplet.jar is your applet's .jar and votreNomdAlias is your alias name)
- Enter your key password.
- Your applet is now signed.
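Signing records a digest of every file in the JAR's META-INF/MANIFEST.MF and adds a signature file (.SF) and a signature block (.RSA, .DSA or .EC). The added example below, which is not part of the original article, checks a JAR's files against those manifest digests to spot content changed or added after signing. The names MonApplet.class and MYALIAS and the sample JAR are constructed for illustration, and the script does not validate the signature block itself (jarsigner -verify does that).

```python
import base64, hashlib, io, re, zipfile

# Files written or updated by the signing step; they have no per-entry digest of their own.
SIG_META = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def parse_manifest(text):
    """Map each per-entry 'Name:' section of MANIFEST.MF to its attributes."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def audit_jar(data):
    """Compare every entry of a JAR (given as bytes) with its manifest digest."""
    report = {"has_signature_files": False, "ok": [], "tampered": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names, mf = jar.namelist(), "META-INF/MANIFEST.MF"
        exts = {n.rsplit(".", 1)[-1].upper() for n in names if SIG_META.match(n)}
        report["has_signature_files"] = "SF" in exts and bool(exts & {"RSA", "DSA", "EC"})
        manifest = parse_manifest(jar.read(mf).decode("utf-8")) if mf in names else {}
        for name in names:
            if name.endswith("/") or SIG_META.match(name):
                continue
            digests = {k[:-7]: v for k, v in manifest.get(name, {}).items() if k.endswith("-Digest")}
            content = jar.read(name)
            good = all(base64.b64encode(hashlib.new(alg.replace("-", "").lower(), content).digest()).decode() == v
                       for alg, v in digests.items())
            # No digest at all means the file was added after signing or never signed.
            verdict = "unlisted" if not digests else "ok" if good else "tampered"
            report[verdict].append(name)
    return report

def build_sample_jar(tamper=False):
    """Constructed sample laid out like a signed JAR; the signature files are placeholders."""
    cls = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha256(cls).digest()).decode()
    manifest = "Manifest-Version: 1.0\r\n\r\nName: MonApplet.class\r\nSHA-256-Digest: %s\r\n\r\n" % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/MYALIAS.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/MYALIAS.RSA", b"placeholder, not a real signature block")
        jar.writestr("MonApplet.class", cls + (b"!" if tamper else b""))
        if tamper:
            jar.writestr("Extra.class", b"added after signing")
    return buf.getvalue()
```

To audit a real file, pass its bytes: audit_jar(open("monapplet.jar", "rb").read()).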
Test your applet
- Place your applet on the server (this is important), and test.
- You will see a Security Warning window that asks the user whether to allow this applet.
- The popup message saying that the cryptographic signature is invalid is actually false:
- The applet has a cryptographic signature (yours), but this signature was not validated by a certification authority (Thawte, VeriSign, etc.).
- This third-party validation (PKI) costs money.
- But technically, it is not absolutely necessary and does not diminish the security of your applet's operation.
- It's just that by paying a PKI (whose keys are installed by default in browsers) you can get rid of this warning.
- It is up to you to decide whether it is worth paying for.
Published by jad05
Latest update on May 23, 2010 at 09:34 AM by aakai1056.