A was asked to solve a little problem the other day (a website that can detect if processes are running on the underlining operating system in a major corporation).
It presented a bit of a quandary, we are so used to the power of modern UI frameworks supplanting the rich client frameworks of the previous web generation, that when you come across something that cant be done in the browser sandbox you have to sit back and have a scratch.
In the end the only practical solution was a Java applet (the client has internal root certificates on their machines that would grant the power necessary to run the commands). not a problem I have written tons of them ….. years ago
When it came to signing everything to do the testing my mind came up a blank and google was not much help, so when I figured it out, I thought perhaps a little aide memoire would not hurt in case I need it again
So the security is quite rightly heavy on the applet sandbox for browsers and you have to sign Jar files that you use in applets (you cant just sign class files you have to export them into a Jar), if they are unsigned then you CANT get them to run, if they are self signed then you can get them to run after the browser has warned you.
The following is me building my self cert so you can do internal testing
1) First I want to build my self a keystore (which will name appletkey), for that I will need a copy of the java JDK installed
2) Now I have a keystore ( you will see a file called ‘appletkey’ created in the directory you ran the last command in, now I want to generate a self cert.
3) Hooray we now have a certificate, you can check its OK (if you want) by entering
4) Now let’s sign the jar files we are using in our applet (yes you have to sign them all not just the one that contains the initial class you are calling)
Now you can see that I’m using jdk1.6 for this as the 1.7 goes mad about the alias (the mykey in the previous command), its been driving people and me potty on the internet and the safest way seem to just use the last version of 1.6 to do the sign.
Once this is done you will just be able to run the applet on any web server and as long as you agree to the warnings you can run any code you want.
I think I’ll go and listen to some 80’s rock now.