Last modified December 6, 1999
Java applets can't read, write, delete or execute anything on local computers. This security is provided by the Java Sandbox deployed with the JDK and adopted by the Java-enabled web browsers. You can see the sandbox as a restricted area of the Java Virtual Machine where code can be executed with limited privileges. By default Java applets are not allowed to run outside the sandbox.
However, an applet can be granted permission to run outside the sandbox. There are three possible ways to achieve this:
- Signing the applet using the tools provided by the JDK
- Running the applet on a secure server
- Signing the applet using a Digital ID issued by a Certificate Authority
The best solution is to sign the code with a Digital ID issued by a Certificate Authority like VeriSign. The problem is that it costs US$400 for one Digital ID Certificate and it's only valid for one year. Furthermore you need a different Certificate for Internet Explorer and Netscape Communicator, so you need to spend US$800 to be compatible with both browsers.
On this page you will find information about the first two solutions.
1. Signing the applet using the tools provided by the JDK
I wrote a simple signed applet to demonstrate how it's possible to gain access to a local computer by running an applet outside the sandbox. This applet is not malicious. It simply creates a text file named SignedApp.txt on the C: drive. Take a look at the source code.
How to run the applet
The applet needs the Java Plug-in to run. If it's not currently installed on your machine you will be asked to download it. Once the plug-in is installed you will see an error in the applet. This is normal since you never told your computer to trust the applet's signature key. To do this you need to download the certificate and the policy file. Then follow these instructions to set up your system to grant the required permission:
- Copy the .java.policy file to the C:\windows directory if the file doesn't already exist. You may have to rename it in DOS using ren .java.policy.txt .java.policy. If you already have a policy file just add the grant statement to your file.
- Open an MS-DOS Prompt window and go to C:\Program Files\JavaSoft\JRE\1.2\bin by typing cd "C:\Program Files\JavaSoft\JRE\1.2\bin"
- Type keytool -import -alias Erik -file <PATH>Erik.x509 and replace <PATH> with the path of the certificate. At this point, you will be prompted to enter your password for the keystore. If you don't have one, just enter a password of your choice.
You will need to exit and restart your browser before running the applet. Please note that this example was created and tested on the Windows platform. Some minor modifications would be necessary for this example to run on Solaris or other platforms.
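A narrowly scoped grant statement for the policy file used in the steps above, as an added example rather than the policy file distributed with this page (its contents are not shown here). It assumes that keytool wrote its default .keystore into the same directory as .java.policy and that the applet only needs to write C:\SignedApp.txt.

```text
// C:\windows\.java.policy  (added example; not the page's own policy file)

// Keystore holding the certificate imported with "keytool -import -alias Erik".
// Assumption: keytool created its default .keystore next to this policy file;
// a relative keystore URL is resolved against the policy file's location.
keystore ".keystore";

// Narrow grant: only code signed by the key stored under the alias "Erik"
// receives the permission, and the permission covers one file and one action.
// Backslashes in Windows paths must be doubled inside a policy file.
grant signedBy "Erik" {
    permission java.io.FilePermission "C:\\SignedApp.txt", "write";
};

// To tie the grant to the place the applet is served from as well, a codeBase
// clause can be added to the same entry, for example:
//   grant signedBy "Erik", codeBase "http://applet-host.example/-" { ... };
// (applet-host.example is a placeholder, not a URL from this page).

// Too broad, shown for contrast only and left commented out: a grant with no
// signedBy or codeBase applies to ALL code, and AllPermission removes the
// sandbox completely for it.
// grant {
//     permission java.security.AllPermission;
// };
```

With only this grant in place the signed applet can create the one file, while any other local file access or attempt to launch a program is still refused with a security exception.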
How the applet was signed
- Create a trusted identity named Erik.
javakey -cs Erik true
- Generate a keypair for the trusted identity Erik and store the public key in a file named Erik_pub and the private key in a file named Erik_priv
javakey -gk Erik DSA 512 Erik_pub Erik_priv
- Generate an x509 certificate for Erik and store it in the file named Erik.x509. This file's name is given in the directive file named cert_directive_Erik.txt.
javakey -gc cert_directive_Erik.txt
- Create the archive.
jar cf SignedApp.jar SignedApp.class
- Sign the archive using the parameters given in sign_directive_Erik.txt.
javakey -gs sign_directive_Erik.txt SignedApp.jar
- Rename the file SignedApp.jar.sig to SignedApp.jar.
ren SignedApp.jar.sig SignedApp.jar (DOS/Windows)
mv SignedApp.jar.sig SignedApp.jar (Unix)
2. Running the applet on a secure server
This is another example of an applet running outside the sandbox. Just like the previous example, it simply creates a text file named FileApp.txt on the C: drive (for Windows users) or /tmp/FileApp.txt (for Unix users).
The applet uses the Netscape Capabilities API to request more privileges, so it doesn't work with Internet Explorer. Netscape users will be asked to grant privileges to the applet so it can run outside the sandbox.
Take a look at the source code.
How to run an applet on a secure server
For example, if the page containing the Java applet is http://www.your-domain.com/applet.html, you can run the applet through the secure server by:
- Accessing the page through the secure server.
- Accessing only the source of the Java applet through the secure server.
<APPLET CODE="YourApplet.class" CODEBASE="https://your-secure-server.com/your-domain"></APPLET>
These methods are valid for my secure server but may not work for others.
3. Signing the applet using a Digital ID issued by a Certificate Authority
Netscape has a page containing information and links to Certificate Authorities like VeriSign and others.
If you have comments or suggestions, please e-mail me.