Posted by gkbrown on June 23, 2008 at 3:08 PM PDT
What dictates which JAR files need to be signed in order for an applet to perform a secure operation?
For example, I have an applet that wants to make a network connection to a host other than that from which it was downloaded. The applet is deployed in a JAR file, and has dependencies on code defined in several additional JAR files. All of the JAR files are specified in the "archive" attribute of my tag.
I know I need to sign the JAR file that contains the applet, but I'm not sure which other JAR files need to be signed. Via experimentation, I've verified that they don't all need to be signed, but I don't understand why.
Can anyone provide any insight or point me to documentation that explains in detail how JAR signing works for applets?