Hot questions for Using Applets in jar

Question:

I've been looking around for the solution but no one can solve the question I have.

I have an applet created by using eclipse and I would like to export it as a jar file so that others can use it easily.

The way I used for generating .jar file is in the following steps:

right click the project --> select export --> select JAR file --> next....

The jar file can be generated, however, when I use the command line to execute this jar

java -jar xxxx.jar

I got the error

no main manifest attribute, in test.jar

in the applet, I have no

public static void main(String args[])

while it should start with init().

And from what I've found so far, it seems like I have to add a manifest myself.

Please let me know how to fix this.


Answer:

Applets are expected to run within an applet container, which is commonly supported by browsers (and the applet plugin). You can't run them from the command line, at least not without modifying the code to support a window based solution.

Take a look at:

Question:

I want to know what is the securitypack.jar in Java installation? What is it for?

I found that Java downloads this file automatically from: https://javadl-esd-secure.oracle.com/update/securitypack.jar and saves inside:

C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

FYI: I'm using Windows 7 and the latest Java 8 (u144). And in my case, this file was updated during Java Applet execution (or maybe initialization).


Answer:

That's part of Oracle's blacklist jar feature. The information about blacklisted jars and certificates is automatically updated by downloading the securitypack.jar file.

Question:

I have a program in Java (NetBeans IDE) that accepts as Dataset a folder named "Data" with .zip files, then makes some major compares for Plagiarism and extracts the results in a .txt file in folder "Results" (there is no GUI in program). I created a .jar file with Clean and Build and if I double click on it, it runs without problems. Also it runs normally in CMD. How can I embed this in HTML? I tried with without a result. chkSubmission is the main class. I tried almost all public classes in my program. I included the dist folder of NetBeans into my folder of HTML pages.


Answer:

(there is no GUI in program) .. How can i embed this in HTML?

You can't. The only Java classes that can be embedded in HTML are java.applet.Applet and javax.swing.JApplet. Both are GUIs.

Question:

I actually jarsign a java applet with this command :

jarsigner -storetype pkcs12 -keystore my_real_certificate.pfx my_applet.jar my_alias_certificate -storepass my_password

When I launch my applet, I get the following error :

Your security settings have blocked a self-signed application from running

When I want to verify the jar, the result appears as following :

jar verified.

Warning: This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing. This jar contains entries whose certificate chain is not validated. This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-05-22) or after any future revocation date.

For this warning :

This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing

I guess my certificate is not proper for jarsigning code. Could you tell me if this kind of warning would get me that kind of error on the client ? Or could I still use this certificate ?

For this warning :

This jar contains entries whose certificate chain is not validated.

I don't understand because my certificate was really validated by a CA (Thawte). Should I indicate to Java or into my Windows certificate manager the complete certificate chain (with CA Root and intermediate) ? If so, what happens for the users of this applet ? Should they also do this ?

Thanks in advance for your answers.


Answer:

I guess my certificate is not proper for jarsigning code.

Correct.

Could you tell me if this kind of warning would get me that kind of error on the client ?

Yes.

Or could I still use this certificate ?

Not for code signing. (It could be valid for other purposes though.)

I don't understand because my certificate was really validated by a CA (Thawte).

That doesn't seem to be the problem.

Should I indicate to Java or into my Windows certificate manager the complete certificate chain (with CA Root and intermediate) ?

I don't think that would work. And even if it did ...

If so, what happens for the users of this applet ?

They will still find that the JAR won't run >>for them<<.

Should they also do this ?

Bad idea. You are effectively telling them to compromise their security to run your software ... because you haven't used a valid JAR signing key.
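
A way to inspect the signer certificate, chain and timestamp that are actually embedded in a signed JAR, as an added example that is not part of the original answer and not jarsigner's own logic. The class name SignerCheck is hypothetical, and treating an absent ExtendedKeyUsage extension as unrestricted is this example's assumption.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerCheck {
    static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String ANY_EKU = "2.5.29.37.0";            // anyExtendedKeyUsage

    // Assumption of this example: an absent EKU extension places no restriction.
    static boolean allowsCodeSigning(List<String> eku) {
        return eku == null || eku.contains(CODE_SIGNING) || eku.contains(ANY_EKU);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: java SignerCheck <signed.jar>");
        Set<X509Certificate> seen = new HashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Directories and META-INF (manifest, .SF, .RSA) are skipped here.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only populated once the entry is read to the end;
                // a modified entry raises SecurityException during this read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED entry: " + entry.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    if (!seen.add(leaf)) continue; // report each signer once
                    List<String> eku = leaf.getExtendedKeyUsage();
                    System.out.println("Signer: " + leaf.getSubjectX500Principal().getName());
                    System.out.println("  EKU: " + eku + " -> code signing allowed: " + allowsCodeSigning(eku));
                    System.out.println("  certificates in chain: " + chain.size()
                        + ", timestamped: " + (s.getTimestamp() != null));
                    System.out.println("  leaf expires: " + leaf.getNotAfter());
                }
            }
        }
    }
}
```

A chain size of 1 means only the signer certificate was embedded in the signature block, with no intermediate or root certificates alongside it.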

Question:

I have a very basic Java Applet signed with my own certificate. When I try it out on my website I get the message that the application is blocked by security settings.

This is what I did. I signed the jar file using the jarsigner tool:

jarsigner -keystore keystore.p12 -storetype pkcs12  -tsa http://timestamp.comodoca.com/rfc3161 TestApplet1.jar codesign

When I verify the jar it all looks fine to me:

$ jarsigner -verify -verbose -certs TestApplet1.jar

s k      415 Thu Oct 09 12:19:18 CEST 2014 META-INF/MANIFEST.MF

      [entry was signed on 9-10-14 12:19]
      X.509, EMAILADDRESS=test@test.nl, CN=codesigning 2014, OU=Test, O="Test BV ", L=Stad, ST=ZH, C=NL (codesign)
      [certificate is valid from 11-8-14 11:19 to 11-8-15 11:29]
      X.509, CN=CA-TEST (ca-test)
      [certificate is valid from 23-2-11 9:37 to 23-2-16 9:46]

         496 Thu Oct 09 12:19:18 CEST 2014 META-INF/CODESIGN.SF
        4666 Thu Oct 09 12:19:18 CEST 2014 META-INF/CODESIGN.RSA
smk      226 Tue Oct 07 16:31:54 CEST 2014 .classpath

      [entry was signed on 9-10-14 12:19]
      X.509, EMAILADDRESS=test@test.nl, CN=codesigning 2014, OU=Test, O="Test BV ", L=Stad, ST=ZH, C=NL (codesign)
      [certificate is valid from 11-8-14 11:19 to 11-8-15 11:29]
      X.509, CN=CA-TEST (ca-test)
      [certificate is valid from 23-2-11 9:37 to 23-2-16 9:46]

smk      370 Tue Oct 07 16:31:54 CEST 2014 .project

      [entry was signed on 9-10-14 12:19]
      X.509, EMAILADDRESS=test@test.nl, CN=codesigning 2014, OU=Test, O="Test BV ", L=Stad, ST=ZH, C=NL (codesign)
      [certificate is valid from 11-8-14 11:19 to 11-8-15 11:29]
      X.509, CN=CA-TEST (ca-test)
      [certificate is valid from 23-2-11 9:37 to 23-2-16 9:46]

smk      792 Tue Oct 07 16:34:30 CEST 2014 nl/test/applet/TestApplet1.class

      [entry was signed on 9-10-14 12:19]
      X.509, EMAILADDRESS=test@test.nl, CN=codesigning 2014, OU=Test, O="Test BV ", L=Stad, ST=ZH, C=NL (codesign)
      [certificate is valid from 11-8-14 11:19 to 11-8-15 11:29]
      X.509, CN=CA-TEST (ca-test)
      [certificate is valid from 23-2-11 9:37 to 23-2-16 9:46]

           0 Tue Oct 07 16:33:50 CEST 2014 nl/
           0 Tue Oct 07 16:33:50 CEST 2014 nl/test/
           0 Tue Oct 07 16:33:50 CEST 2014 nl/test/applet/

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

I created a very basic html file with the tag:

<body>
    <p>Test page TestApplet1</p>

    <applet code="nl.test.applet.TestApplet1.class"
        archive="TestApplet1.jar"
        id="TestApplet1"
        height="0" width="0">
    </applet>

    <script type="text/javascript">
        alert(document.getElementById("TestApplet1").helloWorld());
    </script>
</body>

But when I deploy it on my test website and try to run the applet, the applet is blocked by security settings. The message I get is: "Your security settings have blocked an untrusted application from running".

When I set the security level to "Medium", using the Java Control Panel, and then I open the webpage again I get the security warning: "An unsigned application from the location below is requested permission to run."

What is wrong with my approach?

By the way, I already imported my CA certificate to the trusted root CA's in both the IE certificate store and the certificates managed in the Java Control Panel.

Any suggestion is welcome.


Answer:

You need to do the following steps:

  • Sign all jars with your key.
  • Make sure you are using https.
  • If you are using http or a self-signed SSL cert for https, you need to add your host to the security exceptions list (jcontrol -> Security tab -> Edit Site list).