Message-Id: <2.2.32.19990721211343.00d490c8@postoffice.i-review.com>
Date: Wed, 21 Jul 1999 16:13:43 -0500
To: java-security@java.sun.com
From: "Christian M. Forster" <cforster@i-review.com>
Subject: "Java Plug-In Security Warning" dialog gone / broken under
--=====================_932609623==_
Content-Type: text/plain; charset="us-ascii"
X-Sun-Content-Length: 2789
I've just subscribed to this list, so could any replies also CC me directly.
Thanks! I've also searched the list archive for info.
I submitted this to JDC -> Bugs (review ID: 88143, 3-week backlog?!), but I
need to deliver a commercial beta applet/JAR that relies on 1.2.2 & the Java
Plug-In Security Warning dialog by the end of this August & this is a
show-stopper! I've also EMailed one member of the Plug-In Team directly,
but I'm deperate for a confirmation or response! I know Jan L. sees this
list and has been very responsive.
The problem: My Class 3 Verisign Netscape Object Signing cert - signed JARs
work fine under the 1.2.2 RC1 plugin (Plug-In jre 1.2.2 pu) showing the
security dialog and allowing the user to grant rights, but fail to show the
dialog at all on clean machines with 1.2.2 production plugin (Plug-In jre
1.2.2 px).
The steps I took:
1) Compile 1.2 code to a classes directory,
2) Use Netscape's signtool (w/Verisign class 3 cert) to JAR (ZIP) the class
files & sign the resultant JAR like this:
signtool -da: -k "Our Co. Name" -Z Jarname.jar classdir
3) In a separate test, tried signing the directory & using pkzip to package
the JAR. Same problem.
The JAR is signed by my company's new Class 3 Verisign cert, no security
dialog is presented under 1.2.2 FCS and if I press the "Show Dialog" button
in the presented JInternalFrame (see sample code attached), an option dialog
shows with the yellow banner at the bottom (untrusted).
If I try the same JAR on Win95 machines with JRE 1.2.2 RC1 (pu), they
properly show the security dialog... machines with JRE 1.2.2 FCS (px) do
not.... . The JAR was compiled with jdk 1.2.2FCS and JARed/signed with
Netscape's signtool. If I install 1.2.2 RC1 (plug-in ver. 1.2.2 pu) over
1.2.2 FCS (plug-in ver. 1.2.2 px) on the machines, the Security Dialog shows
and all is well, but obviously I cannot ship under a RC release.
Perhaps the required signing procedure has changed from 1.2.2 RC -> 1.2.2
FCS or I'm overlooking something, but I've read & tried everything I can
think of and can't get the dialog to show under 1.2.2 FCS. I checked the
cacerts (identical under RC1 & FCS) and my browsers certs DB (IE 4, NN 4).
All the relevant Versign CA certs are enabled.
Again, any suggestions would be appreciated. I can send along the signed JAR
file to anyone that wants to try it.
Has anyone seen the "Java Plug-In Security Warning" dialog presented by the
1.2.2 FCS plugin? I'd appreciate hearing the creation & environment details.
I've read & followed
http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html and
http://java.sun.com/products/plugin/1.2/docs/netscape.html and I'm worried
that the addition of the new "usePolicy" runtime permission may have broken
the facility.
Thanks,
Chris
--=====================_932609623==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="JApplet1.java"
X-Sun-Content-Length: 984
import java.awt.*;
import javax.swing.*;
/**
* A basic extension of the javax.swing.JApplet class
*/
public class JApplet1 extends JApplet {
static JApplet1 thisApp;
public void init() {
thisApp = this;
JDesktopPane desktop = new JDesktopPane();
JInternalFrame jif = new JInternalFrame("1.2.2 Signed JAR test");
JButton jbutt = new JButton("Show a Dialog Window");
jbutt.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent event) {
JOptionPane.showMessageDialog(thisApp.getContentPane(),
"This window should NOT have a yellow warning banner!!!");
}
});
jif.getContentPane().add(jbutt,BorderLayout.CENTER);
desktop.add(jif);
getContentPane().add(desktop,BorderLayout.CENTER);
desktop.setSize(500,500);
jif.setBounds(250,50,250,100);
getContentPane().validate();
getContentPane().setVisible(true);
}
}
--=====================_932609623==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="JApplet1.htm"
X-Sun-Content-Length: 853