Re: RMI Permissions with applets

Christopher.Bennett@steelcase.com
Mon, 16 Aug 1999 15:40:00 -0400

From: Christopher.Bennett@steelcase.com
Date: Mon, 16 Aug 1999 15:40:00 -0400
Subject: Re: RMI Permissions with applets
To: charlie@angeles.eng.sun.com

Charlie,

Thanks for the tip (see attached). I would like to use your suggestion and
sign my applet (jar). My question stems from the following roadblocks.

1) Verisign, Microsoft Authenticode Certificates require IE4 and applets
stored in a CAB file format.
2) Thawte Developer Certificates for Java Code Signing require Netscape
Navigator and applets stored in JAR files.

Where can I get a certificate that will work with IE 4 using the Java Plug In
and JAR files? (Somehow I blame Microsoft for this confusion.) I have not
been successful using CAB files with the Java Plug In (so far) and I cannot
use Navigator on our corporate intranet.

Any help would be much appreciated.

Regards
Chris Bennett
CBENNETT@Steelcase.com
------------------( Forwarded letter 1 follows )--------------------
Date: Thu, 12 Aug 1999 12:30:57 -0800 (PDT)
To: cbennett
Cc: java-security@java.sun.com
From: charlie@angeles.eng.sun.com
Subject: Re: RMI Permissions with applets

> I have an excellent working RMI (3 tier) app on a corporate intranet with IE
> 4 and the Java plug-in. My problem is that I have had to modify each new
> client's policy file. I have hundreds of clients. Am I missing something
> or is this really the correct way to allow permissions??? Is there a way to
> prompt the user for permission and have the policy file automatically
> created / modified???

There are two potential solutions:

First, in JDK 1.2.2:

http://developer.java.sun.com/developer/earlyAccess/j2sdk122/index.html

we have added the following new features to the Plug-in, which
will allow you to grant all permissions to an applet whose
signature has been verified and authenticated, without you having to
set up any policy/keystore files:

If your applet is signed, and the permissions granted to it
do not include the "usePolicy" RuntimePermission (note that
this permission is not granted by default),
we will verify the entire applet certificate chain.
Verification will go all the way up to the Root CA of the chain
and check if that Root CA is contained in
your browser's (native) database of trusted Root CAs.

If so, the user will be prompted if they want to grant the special
"AllPermission" (which implies every other single permission)
to the applet. In this case, the policy will be bypassed
altogether (binary policy decision).

Alternatively, you can modify all your client JRE's
lib/security/java.security files, and point them at a single policy URL.
The java.security file has an entry:

policy.url.1=URL

'URL' is the URL for the policy.
If all your clients share the same policy, you can point them
at the same URL. By default there may already be multiple
policy.url entries. If appropriate, you may remove the extra
entries.

Hope this helps.
thanks,
charlie
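
An added example, not part of the original thread: a small audit script for the shared-policy approach described above, reporting which `policy.url.N` entries a client's `java.security` file will actually load. It relies on the JDK's documented behaviour that the JRE reads `policy.url.1`, `policy.url.2`, ... and stops at the first missing number; the intranet URL and the sample file contents are constructed placeholders.

```python
import re

# Constructed sample: a client java.security after an admin pointed entry 1
# at a shared URL, commented out entry 2, and left a stale entry 3 behind.
SAMPLE = """\
# java.security (constructed sample)
policy.url.1=http://intranet.example/policy/applet.policy
#policy.url.2=file:${user.home}/.java.policy
policy.url.3=file:/C:/temp/old.policy
policy.allowSystemProperty=true
"""

ENTRY = re.compile(r"^\s*policy\.url\.(\d+)\s*[=:]\s*(\S.*?)\s*$")

def policy_urls(text):
    """Return {index: url} for every uncommented policy.url.N line."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):   # properties-file comments
            continue
        m = ENTRY.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def audit(text, expected_url):
    """Split entries into those the JRE loads and those it never reaches.

    Entries are read in order from policy.url.1 and reading stops at the
    first missing number, so anything after a gap is silently ignored.
    """
    found = policy_urls(text)
    effective, n = [], 1
    while n in found:
        effective.append(found[n])
        n += 1
    ignored = [found[i] for i in sorted(found) if i >= n]
    extra = [u for u in effective if u != expected_url]
    return {"effective": effective, "ignored": ignored, "extra": extra,
            "ok": effective == [expected_url]}

if __name__ == "__main__":
    report = audit(SAMPLE, "http://intranet.example/policy/applet.policy")
    for key, value in report.items():
        print(f"{key}: {value}")
```

An entry listed under `extra` is a policy file that is still loaded alongside the shared one, so its grants add to whatever the shared policy allows.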