Hi all, I'm facing a problem with using signed javascript and signed applets with the sun java plugin (1.3.1) and Mozilla release build 0.9.8
We have a frameset consisting of two frames. One frame is dedicated to holding an applet. This applet is signed, to enable it to do stuff that needs to break out of the applet sandbox. The second frame contains the user-interactive elements of the site. Utilising javascript and liveconnect, these elements interact with the signed applet. For convenience, let's say we want to do a file open dialog. The applet has the method 'public String locateFile()', which launches a FileDialog and returns the location of the file selected. In the user-interactive frame, we have a form consisting of a textfield and a button. The button's onClick method calls the applet's locateFile() method and sets the text of the textfield to the value returned. In order to do all of this, we need both the applets to be signed, and for the javascript to be signed. I have tried this, and it fails. Below are the attempts I have made, and the setups and results for each individual attempt. Note that in all the attempts where the applet class files are in a jar, that jar is signed using the sun jarsigner utility. This is because I am using the Sun Java Plugin, which does not understand the netscape signing methods. Attempt 1 --------- Setup: All the html files, javascript files and jar files are contained in a netscape-signed jar file. The page with the applet on references the applets using a jar file in the same directory (e.g. ARCHIVE="myjar.jar"). Result: The applets are not initialised. On the java console is an error stating that the signature block for the jar file could not be verified, so the applet could not be initialised. It seems that the java plug-in is attempting to verify the outer jar - perhaps the url is being given as jar:http://192.168.2.1/netscapejar.jar!/sunjar.jar the plugin is cutting off at the exclamation mark? Attempt 2 --------- Setup: All html and javascript files are in the netscape signed jar. The applets are unpacked and placed into the netscape jar. Result: The applets are not initialised. Again, we have the error stating that the signature block for the jar file could not be verified. Proof that the sun plugin cannot understand the netscape signed jars, any ideas of signing the applet jars with the netscape signtool are proved to be futile. Attempt 3 --------- Setup: All html files and javascript files in the netscape signed jar. The applets are held on the same server outside of the netscape jar, and are referenced using an absolute reference (e.g. ARCHIVE="http://192.168.2.1/applet/sunjar.jar";). Result: Applet is not loaded or initialised. On java console is an Access Denied exception on a Java Socket call to open up the address 192.168.2.1. - it seems that the security restrictions are regarding the absolute reference as going to a different host and as such are disallowing it. Attempt 4 --------- Setup: Most html and javascript files in the netscape signed jar. The page containing the applet tags is placed outside of the netscape jar, as are the applet jars. The applet reference is a relative reference (e.g. ARCHIVE="../../applet/sunjar.jar") Result: Applet is loaded and initialised. The button on the user-interactive page is clicked, but then nothing happens. Checking on the javascript console reveals that the enablePrivilege was not granted. This, I think, is because this is now a mixed signed/unsigned view, so the security model intervenes and stops the call. I think that these are all the permutations that are not blatantly obviously going to fail. Feel free to disagree and suggest other options with a good likelihood of working ^_^ Anyway, from this, I think that one of a number of things could be done to resolve the situation: - an update to the java plugin to handle the jar:http://<location>/<jar>!/<sub-jar> url syntax properly - an update to the java plugin to handle the netscape signing process and see those jars as being valid - an update to mozilla to allow the javascript/html bundles to be signed using the jarsigner tool as well / instead of the netscape method - a change so that the java plugin gets a more appropriate host base (to enable it to connect to the same host in the same protocol as the netscape signed jar is being accessed) - modify mozilla to use the netscape 4.x signing model... if this is chosen then the signtool needs to be re-done, as it seems to want to verify the applets referenced on the applet page as well, but fails to find them even when given as a relative url. - enable the netscape 4.x idea of making all scripts given on ssl connections signed status... this would remove the need for making the netscape-signed jar I think that's about all of it... lol! If any more information is needed, either reply to the post or reply to my email address <[EMAIL PROTECTED]> Thanks all, -- Lloyd Colling
