Signed Java Applets broken on Vista <http://blogs.dekoh.com/dev/2007/11/01/signed-java-applets-broken-on-vista/>

Posted on November 1, 2007 *by terran*. Filed under Technology <http://blogs.dekoh.com/dev/category/technology/>.

Having written a pure Java (applet) based installer for Dekoh, I had assumed it would work seamlessly on all operating systems. But I was shocked to see that support for signed applets is broken on Vista.

Why do we need special handling in the Dekoh installer for Windows Vista? The answer is twofold:

- The primary Dekoh installer is a hassle-free, one-click web based installer <http://www.dekoh.com/cas> based on a Java applet. (There are other installers, like an exe file <http://www.dekoh.com/cas/install/installers> that you can download for Windows, but the web based one is the easiest to use. Our installer applet is a signed applet which would download and install the required components on the user's PC.)
- The second reason is related to why signed Java applets behave differently on IE 7 protected mode in Windows Vista as opposed to other Windows versions.

*What is a Signed Applet?*

A signed applet is a jar file containing a Java applet which has been signed with a digital certificate, typically issued by an authority like VeriSign <http://www.verisign.com/>. Normal Java applets have very limited permissions. A signed applet, however, has all the permissions that a Java program run from your command line would have, after getting the user's consent. The browser's Java plugin detects signed applets and accordingly shows a message and the signing certificate to the user, asking whether to grant permission to the applet.

Dekoh uses a signed applet for the installer as it's the easiest way to download, install and start the Dekoh runtime on the computer. Being browser based, there's no need to download anything separately or configure anything, making it especially easy for non-technical users. The Dekoh installer applet is signed with a VeriSign certificate.

*What has changed in Windows Vista?*

Windows Vista has a new enhanced security model, the most visible part of it being UAC (User Account Control). Internet Explorer 7.0 comes bundled with Vista, and it has something called 'protected mode'. In protected mode IE runs with greatly restricted privileges, making it difficult for malicious code to install itself. Note that protected mode is only available on Windows Vista, as it is based on Vista-specific security features. Processes running in protected mode have restricted access to objects with high integrity levels, such as important files and registry keys.

*How does this affect the installer applet?*

Operations on the file system and the registry are redirected to virtual stores using virtualization. So, when a process running inside IE (such as a Java applet) tries to create a file called, say, C:\Users\hrish\test.txt (assuming C is the system root drive), the file would actually get redirected to C:\Users\hrish\AppData\Local\VirtualStore\test.txt. So,

    import java.io.File;

    File f = new File("C:\\Users\\hrish\\test.txt");
    boolean b = f.createNewFile();      // Will succeed.
    boolean e = f.exists();             // Is true.
    String path = f.getAbsolutePath();  // path will be C:\Users\hrish\test.txt

But the actual file would be present in C:\Users\hrish\AppData\Local\VirtualStore\test.txt

Firefox is not affected by this, because it has no equivalent of protected mode.

*What are the options?*

IE has a mechanism to allow add-ons to access the file system using the user's normal integrity level, as opposed to the low integrity level that the Java plugin runs in right now. It's called a Broker Process. This process would run with a higher integrity level than normal add-ons. The Sun Java plugin does not implement this Broker Process yet (why, I wonder?), but there is an RFE logged for this on Sun's bugzilla - http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6504236.
Some add-ons like the Flash plugin already implement it <http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx>.

*Relation between UAC and protected mode*

IE's protected mode is automatically off when UAC is turned off. A comprehensive figure with all possibilities is here <http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx>.

References:

1. http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx
2. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
3. http://www.microsoft.com/technet/technetmag/issues/2007/06/UAC/
4. http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx
5. http://msdn2.microsoft.com/en-us/library/bb250462.aspx
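
The redirection described under *How does this affect the installer applet?* is invisible to the applet itself, so it has to be confirmed from outside the browser. The following is an added example, not code from the original post or from Dekoh: a Java check, meant to be run from a normal command-line JVM, that reports whether a file is at the path the applet asked for or somewhere under the VirtualStore directory the post names. The class name, method names and the constructed sample layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Hypothetical helper (not part of the Dekoh installer). Run it outside IE:
// inside protected mode the redirect is transparent, as the post's snippet shows.
public class VirtualStoreCheck {

    // Every file under virtualStore with the same name as the requested file.
    // The tree is searched rather than assuming one fixed sub-path layout.
    static List<Path> findRedirected(Path requested, Path virtualStore) throws IOException {
        if (!Files.isDirectory(virtualStore)) {
            return List.of();
        }
        try (Stream<Path> walk = Files.walk(virtualStore)) {
            return walk.filter(Files::isRegularFile)
                       .filter(p -> p.getFileName().equals(requested.getFileName()))
                       .collect(Collectors.toList());
        }
    }

    // IN_PLACE: the file is where the applet asked for it.
    // REDIRECTED: absent there, but a same-named file sits in the virtual store.
    // MISSING: found in neither location.
    static String classify(Path requested, Path virtualStore) throws IOException {
        if (Files.exists(requested)) {
            return "IN_PLACE";
        }
        return findRedirected(requested, virtualStore).isEmpty() ? "MISSING" : "REDIRECTED";
    }

    public static void main(String[] args) throws IOException {
        Path requested;
        Path store;
        if (args.length == 2) {
            // e.g. C:\Users\hrish\test.txt C:\Users\hrish\AppData\Local\VirtualStore
            requested = Paths.get(args[0]);
            store = Paths.get(args[1]);
        } else {
            // Constructed sample layout mirroring the post's example, in a temp dir.
            Path home = Files.createTempDirectory("hrish");
            store = Files.createDirectories(home.resolve("AppData/Local/VirtualStore"));
            Files.createFile(store.resolve("test.txt"));
            requested = home.resolve("test.txt");
        }
        System.out.println(requested + " -> " + classify(requested, store));
        for (Path p : findRedirected(requested, store)) {
            System.out.println("  found: " + p);
        }
    }
}
```

With no arguments it runs against the constructed layout and reports REDIRECTED; on a Vista machine, pass the path the applet requested and the user's VirtualStore directory.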
