How to Deploy RSA-Signed Applets in Java Plug-in



This section covers the following topics:

How to Deploy RSA Signed Applets

To deploy RSA signed applets:

  1. Reference the JAR from the HTML page using archive, cache_archive, or cache_archive_ex format. See Applet Caching.
  2. Place the JAR file and HTML page on the web server.

When users of Java Plug-in encounter an RSA signed applet, the Plug-in will verify whether:

  1. the applet is correctly signed
  2. the RSA certificate chain and root CA are valid

If both verify positive, the Plug-in will pop-up a security dialog telling the user and providing four options:

  1. Grant always: If selected, the applet will be granted the AllPermission permission. Any applet signed with the same certificate will be trusted automatically in the future, and no security dialog will pop up when the certificate is encountered again. This option selection can be changed from the Java Plug-in Control Panel.
  2. Grant this session: If selected, the applet will be granted the AllPermission permission. Any applet signed with the same certificate will be trusted automatically within the same browser session.
  3. Deny: If selected, the applet will be treated as untrusted.
  4. View Issuer: If selected, the user can examine the attributes of each certificate in the certificate chain in the JAR file.

Once the user selects the options from the security dialog, the applet will be run in the corresponding security context. Note that all options are selected on the fly; no preconfiguration is required.

Certificate Management

The Java Plug-in Control Panel provides a Certificates Panel for managing RSA signed applets. This panel contains a list of certificates that received "Grant always" permission when the Java Plug-in security dialog (pop-up) ran. Users can remove any certificate from the list, and if an applet signed by a removed certificates is encountered again, a security dialog pop-up will appear asking for permission. Users can also export and view certificates through the control Panel.

Disabling RSA Signed Applet Support

RSA signed applets can be entirely disabled in Java Plug-in by specifying the usePolicy permission in the policy file. If the usePolicy permission is among the permissions granted to the given codesource (by the configured security policy), user prompting will not take place, and only permissions specified in the security policy will be granted to the codesource. By default, RSA signed applets are enabled in the Java Plug-in.