Create an applet to access the hard drive

December 2016




Intro


An applet is a program written in the Java programming language that can be included in an HTML page, in the same way an image is included in a page. Applets are used to provide web applications with interactive features that aren't native to HTML. Most of the time, Java applet security completely blocks access to the machine's resources (hard disk, registry, etc.) and to the network (an applet can only communicate with its server of origin).


If you want to create an applet that goes beyond these restrictions, two things are required:

- The applet must be cryptographically signed
and
- The user must explicitly allow the applet to access the system
(This is a voluntary action by the user that cannot be bypassed.)



Once these two conditions are met, you can read from and write to the disk, launch programs (Runtime.getRuntime().exec("...")), download things (URL connection) or use the eval() command.

Instructions:

Compile your applet


As usual, create a .jar file.

Generate Key

  • Your key is what you use to sign your applets.
  • Type: keytool -genkey -alias (your alias name) and enter the necessary information. Remember the password you entered to protect this key.
  • You only need to generate your key once. Once you have your key, you can use it to sign all the applets you want.
  • (Note that your key can optionally have an expiration date.)
  • Note: On Windows, the key is placed in the user profile.
    • (\Documents and Settings\yourlogin\.keystore)
  • You must protect this keystore at all costs.
  • (Otherwise someone could create malicious applets signed in your name!)

Sign your applet with your Key

  • Type: jarsigner -verbose monapplet.jar votreNomdAlias (where monapplet.jar is your .jar file and votreNomdAlias is your alias name)
  • Enter your key password.
  • Your applet is now signed.

Test your Applet

  • Place your applet on the server (this is important), and test.
  • You will see a Security Warning window that asks the user whether to allow this applet.



Note that:
  • The popup message saying that the cryptographic signature is invalid is actually inaccurate:
  • The applet does have a cryptographic signature (yours), but this signature has not been validated by a certification authority (Thawte, VeriSign, etc.).
  • This third-party validation (PKI) is a paid service.
  • But technically, it is not absolutely necessary and does not diminish the safe operation of your applet.
  • It's just that by paying a PKI provider (whose keys are installed by default in browsers) you can get rid of this warning.
  • It is up to you to decide whether it is worth paying for.


This document entitled « Create an applet to access the hard drive » from CCM (ccm.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.