Can I check if the Java applet certificate is verified before running my applet?

I have a signed applet on a website. Because of this, the Java security dialog box appears, and the user must grant permission to the applet before it can run. I want to do the following:

  • I want the site to explain the security dialog to the user before it appears. The page will show some explanation text in a div, and after a few seconds the security dialog box will appear.
  • If the user has already allowed the certificate in the previous session, he should just run the applet without any additional dialog box.

The problem is that the security dialog box appears as soon as the applet is embedded in the page. I can postpone the attachment, but there is no way to check its permissions from the applet itself, as it must do this before it is downloaded.

Perhaps I could download a second, regular applet that runs invisibly and checks permissions. But how am I going to do this? Are there any Java classes that can check if a certificate has been trusted by a client?

Thanks.

+6
1 answer

You can verify the certificate and signature of the JAR file programmatically, just as the JVM does when loading the applet. It will not be easy, but at least at first glance you will have to do this:

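  • Use the hidden applet to load your JARs and verify their certificates, for example, an applet viewer. You can do this manually using the java.security.cert package. The best way to figure out how to do this is with the JarSigner source code, especially verifyJar(). Sort of:

     import java.io.InputStream;
     import java.net.*;
     import java.security.CodeSigner;
     import java.security.cert.Certificate;
     import java.util.Collections;
     import java.util.jar.*;

     // download the JAR
     URL url = new URL("jar:http://mywebsite.com/myjar.jar!/");
     JarURLConnection jarConnection = (JarURLConnection) url.openConnection();
     // this URL names the whole JAR, so getJarEntry() would return null; walk the entries instead
     JarFile jar = jarConnection.getJarFile();
     for (JarEntry entry : Collections.list(jar.entries())) {
         // signer data is only available once the entry has been read to the end
         try (InputStream in = jar.getInputStream(entry)) { while (in.read() != -1) { } }
         // get the certificates and other security stuff
         CodeSigner[] codeSigners = entry.getCodeSigners();
         Certificate[] certificates = entry.getCertificates();
         // verify the signatures
         // don't know the code, but you can analyze JarSigner example at http://download.oracle.com/javase/tutorial/security/toolfilex/rstep2.html
     }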
  • Use LiveConnect (maybe something else?) to set a cookie so that you know "if the user already allowed the certificate in a previous session."

  • Launch the applet, possibly depending on the results of (1) stored in the cookies created in (2).

I have not thought much about this, so there may be a better way. Good luck and come back!

0
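An added example, not part of the original answer or of JarSigner's source: a self-contained check in the spirit of the verifyJar() approach mentioned above, confirming that every entry of a local JAR is intact and signed by one expected certificate. The class name, the command-line arguments and the pinned SHA-256 fingerprint are assumptions. It does not validate the certificate chain, expiry or revocation, and it cannot tell whether the user previously accepted the certificate in the Java plug-in.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {   // hypothetical class name
    // True only if every non-signature entry is intact and signed by the pinned certificate.
    static boolean signedBy(String jarPath, String pinnedSha256Hex) throws Exception {
        byte[] buf = new byte[8192];
        boolean sawSignedEntry = false;
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify digests on read
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }   // drain: signers are only set after a full read
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !anyMatches(signers, pinnedSha256Hex)) return false;
                sawSignedEntry = true;
            }
        } catch (SecurityException tampered) { return false; }   // entry does not match its signed digest
        return sawSignedEntry;   // an empty JAR proves nothing
    }
    // MANIFEST.MF, *.SF and signature blocks directly under META-INF/ are not themselves signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
    static boolean anyMatches(CodeSigner[] signers, String pinnedHex) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (CodeSigner signer : signers) {
            // the first certificate in the path is the signer's own certificate
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(leaf.getEncoded())) hex.append(String.format("%02x", b));
            if (hex.toString().equalsIgnoreCase(pinnedHex)) return true;
        }
        return false;
    }
    public static void main(String[] args) throws Exception {   // args: <jar path> <pinned SHA-256 hex>
        System.out.println(signedBy(args[0], args[1]) ? "signed by pinned certificate" : "NOT trusted");
    }
}
```

Entries under META-INF/ other than the manifest and signature files are still required to be signed here, so an unsigned file added there fails the check.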

Source: https://habr.com/ru/post/887305/

