Skip to main content

SecureClassLoader subclass to show Certificate dialogs ?

5 replies [Last post]
davidnouls
Offline
Joined: 2008-05-05

Hi,

Its good to see that Applets are finally revised since in some cases we really need signed code to do things in a browser without any need of extra software installation.

There is something missing in the JRE for many years. I found a workaround in JRE 5 and 6, but with the latest update 10 this no longer works. It was a hack so I can not put the blame on SUN... but there is a void that needs to be filled in.

Our applet is signed but it needs to download additional jarfiles from somewhere else. Now once an applet is accepted by the user, it has AllPermissions. So downloading other code, from somewhere else is allowed.

The problem is that we need to make sure that the jar downloaded from somewhere else is also trusted by the user.

The problem is that we don't have a public API that allows us to popup the certificate dialog or to check the certificate of the applet downloaded from another location.

Until now I used a little hack in URLClassLoader, that would delegate the getPermissions call from our custom ClassLoader to the classloader that loaded the original applet. The side effect was that if the certificate on the jar was not trusted, then the dialog would popup.

Is there new functionality available that allows me to let the user check the codebase (and add the certificate to the trusted store if accepted) ???

David

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
andrewherron
Offline
Joined: 2008-04-03

Delegating getPermissions() to the applet in order to display a security dialog for custom jar files still works for me in b23. How are you initialising your custom ClassLoader? Are you passing in the applet ClassLoader as the parent of your custom ClassLoader?

davidnouls
Offline
Joined: 2008-05-05

Hi,

No, the parent of my custom classloader is null, so it will be the system classloader. It's only when getPermissions is called that I use introspection to call the getPermissions of the Applet classloader. I know this is a hack, but until now it looked like the only solution.

The reason for this approach: If I do not do it this way, I never see any dialog to accept a certificate for the jars loaded by my custom classloader. Once an applet is trusted, it can just download untrusted jars (signed or not) and its executed as if the code was trusted.

David

davidnouls
Offline
Joined: 2008-05-05

Haha I found the cause!

It turns out I had some code in my custom classloader that uses introspection to gain access to the getPermissions method of the applet classloader. It used to be this:
final Method permMethod = pluginClass.getDeclaredMethod("getPermissions", new Class[] { CodeSource.class } );
permMethod.setAccessible( true );
return (PermissionCollection)permMethod.invoke(mParent, new Object[] { pCodesource }

But this no longer works, I now replaced it with the following:

method = SecureClassLoader.class.getDeclaredMethod("getPermissions", new Class[] { CodeSource.class });
method.setAccessible(true);
return (PermissionCollection)method.invoke(mParent, new Object[] { pCodesource }

Did something change in introspection in this latest release ?

It would ofcourse be much nicer if there would be an official way of gaining the same interaction possibilities with the browser keystore from a signed applet in order to make sure that code loaded from somewhere else can be verified by the user as well.

David

andrewherron
Offline
Joined: 2008-04-03

The getPermissions method you want to call has always been on SecureClassLoader, that's the way we did it and is why our code didn't break in 6u10. Sun probably moved some stuff around in whatever you're referencing via the pluginClass variable; static class references are always better for reflection than dynamic ones IMHO :)

davidnouls
Offline
Joined: 2008-05-05

The problem seems to be that the update now uses a classloader that is not a subclass of SecureClassLoader ?