1. Package the applet into a JAR file:
The applet must be in a JAR file before a certificate can be attached to it. Use the jar JDK utility. If the applet was previously referenced with the help of a codebase attribute in <applet> tag, replace the codebase attribute with the archive attribute. The value of the archive attribute is a URL of a JAR file.
$ jar -cvf SignedApplet.jar *.class2. Create a public/private key pair. The command for this is
$ keytool -genkey -alias signFiles
-keystore compstore
-keypass kpi135 -dname "cn=jones"
-storepass ab987c
Verify your keystore:
keytool is another SDK utility. It will prompt you for a password to your keystore and for the remaining parameters, one of which is alias, whose value is the name of the key. The keystore is a file that contains your public/private key-pairs, and the public-keys of others with whom you exchange information. See the documentation in the above link.
$ keytool -list -keystore compstore
-storepass ab987c
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
signfiles, May 21, 2009, keyEntry,
Certificate fingerprint (MD5): 20:3D:6D:A0:20:71:2D:85:7D:72:6C:23:B5:2F:16:D7
$
3. Create a certificate for the key you created in the previous step.
$ jarsigner -keystore compstoreAgain, keytool will prompt you for a keystore password and remaining parameters. This certificate is now self-signed by you, meaning that it has not been validated by any third party. This is suitable for demo purposes, and may be acceptable to yourself and those who know you because if there is any doubt that the certificate is really yours they can always call you up and ask you for the digest to verify that it is really you and not some impostor that created the certificate. However, if this applet were to be widely distributed, and you wanted it to be accepted by those who do not know you personally, you would certainly want to pay a modest fee to obtain a certificate that is validated by a trusted certificate authority. The procedure for this is straightforward, but beyond the scope of this simple tutorial.
-storepass ab987c
-keypass kpi135
-signedjar SSignedApplet.jar SignedApplet.jar signFiles
4. Run jarsigner associate this certificate with the JAR file that contains your applet.
You will need to give the name of the public key of the certificate you just created. This creates a digest for each file in your JAR and signs them with your private key. These digests or hashes, the public key, and the certificate will all be included in the "WEB-INF" directory of the JAR.
Verify your signed applet jar file:
$ jar -tvf SignedApplet.jar
25 Thu May 21 14:56:42 MST 2009 META-INF/MANIFEST.MF
141 Thu Sep 25 02:11:08 MST 2008 java.policy.applet
776 Thu May 21 14:09:50 MST 2009 appletexample/Welcome.class
2005 Thu May 21 14:49:22 MST 2009 appletexample/SignedAppletDemo.class
$ jar -tvf SSignedApplet.jar
265 Thu May 21 15:00:56 MST 2009 META-INF/MANIFEST.MF
432 Thu May 21 15:00:56 MST 2009 META-INF/SIGNFILE.SF
762 Thu May 21 15:00:56 MST 2009 META-INF/SIGNFILE.DSA
141 Thu Sep 25 02:11:08 MST 2008 java.policy.applet
776 Thu May 21 14:09:50 MST 2009 appletexample/Welcome.class
2005 Thu May 21 14:49:22 MST 2009 appletexample/SignedAppletDemo.class
5. Update your html files to use the signed applet jar file:
Welcome.html: within your applet tag6. Deploy the html and jar files to Apache HTTP server:
code="appletexample/Welcome.class"
archive="SSignedApplet.jar"
width="500" height="400"
SignedApplet.html: within your applet tag
code="appletexample/SignedAppletDemo.class"
archive="SSignedApplet.jar"
param="" name="file" value="/"
width="400" height="400"
Copy Welcome.html, SignedApplet.html, and SSignedApplet.jar (not the SignedApplet.jar) to Apache's htdocs/applet directory (I create a folder called "applet" under htdocs folder).
C:\Apache\Apache2.2\htdocs\applet>dir
Volume in drive C has no label.
Volume Serial Number is 588C-3312
Directory of C:\Apache\Apache2.2\htdocs\applet
05/22/2009 10:24 AM <DIR> .
05/22/2009 10:24 AM <DIR> ..
05/22/2009 10:21 AM 247 SignedApplet.html
05/21/2009 03:00 PM 3,794 SSignedApplet.jar
05/22/2009 10:24 AM 173 Welcome.html
3 File(s) 4,214 bytes
2 Dir(s) 25,086,658,560 bytes free
C:\Apache\Apache2.2\htdocs\applet>
7. Test your Signed Applet from localhost:
Your applet is now signed. The next time you or someone else downloads it in it's page the browser will present a dialog box displaying the credentials you just created for it and asking the user permission to run it. If he/she chooses not to, the applet will throw the same AccessControlException that we saw in the Java Console window the first time we tried to run it in our browser. The difference is that now the user gets to make an informed decision as to whether or not they trust your applet to not harm his/her system.
References/Links:
1. <a href="http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html">Signed Applet Tutorial by Larry Siden</a>
2. <a href="http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html">Tutorials: Chapter 10: Signed Applets from Sun Developer Network</a>
