Deploying Signed Applets

Deploying Signed Applets - HTML Tags

HTML tags used with Applets

Depending on the broswer environment which an applet is run it a different HTML tag must be used. The use of the <APPLET> tag will result in very different behaviors in different browser environments. For Windows MSIE and Netscape different internal Java Virtual Machines will be used. Futhermore, MSIE and Netscape under Windows use different security schemes. Windows Netscape requires additional code to added to the application to request and enable privileges. Windows MSIE requires the java class files to be put in a CAB file and that CAB file needs to be signed.
On Macintosh MSIE and iCab, the <APPLET> tag will use the installed version of MRJ. As of MRJ 2.2, the security is handled very nicely with dialog box. However, the way in which the JAR files are signed is not secure as the certificates are no issued from a Certificate Authority. It would be very easy to "spoof" an identity. This is less of a problem on a Intranet than on an Internet.
Macintosh Netscape, while it uses the currently installed version of MRJ, you must use the <EMBED> tag in order to involke the MRJ plug-in.
To support all of these browser one needs to deploy the Java classes in three archives, 1) a JAR file signed with 'javakey' for browsers using MRJ, 2) a JAR file signed with a certificated issued by a CA, and 3) a CAB file also signed with a certificate issued by a CA. (Authors note: it seems possible that files 1 and 2 could be combined. Although I have not attemped this.)
Using a JavaScript to detect the current broswer environment, use the appropriate tag and reference the correct file seems to be the most universal solution,with the single exception of Macintosh iCab. (The Macintosh iCab browser doesn't support enough JavaScript at this writing but this should change very soon.)
The following table gives a break down of the various tags which can be used when deploying Java applets via web browsers. The links under "JavaScript" demonstrate how the HTML tags can be dynamically built and which of the three archive files selected.

OS
Platform Browser Java
Script? Java Plug-in Internal JVM Comments

Netscape
Navigator
4.76 Yes - MRJ Java Plug-in 1.0b1
- Uses installed MRJ
- "javakey" JAR signing
- invoked via <APPLET> tag - JDK 1.0.2 support only.
- Upgrade outlook uncertain.
- invoked via <APPLET> tag. The current (Nov 2000) release of MRJ is 2.2.3, which is equivalent to the Sun JDK 1.1.8.

This release supporst reading certificates from "javakey" signed JAR files and will put up a dialog asking the user to accept, reject, or remember this certificate.

The signing tool, "javakey" DOES NOT use certificates issued by a CA (Certificate Authority), as such, all certificates are self-signed. This not the best of security schemes as certificates can be easily spoofed.

MSIE 5.0
Macintosh
Edition Yes Not
Available - Uses installed MRJ.
- "javakey" JAR signing.
- invoked via <APPLET> tag.

iCab No Not
Available - Uses installed MRJ.
- "javakey" JAR signing.
- invoked via <APPLET> tag.

Apple
Applet Runner No Not
Applicable - Uses installed MRJ.
- "javakey" JAR signing.
- Ignores all HTML except the
<APPLET> tag.

Netscape
Navigator Yes - Java Plug-in 1.1.3 (JDK 1.1.8).
- "javakey" JAR signing.
-invoked via <EMBED> tag. Netscape Object Signing
- Netscape VM (JDK 1.1.5).
- invoked via <APPLET> tag. - Netscape object signing requires changes to the Java source code in order to use Netscape capabilities classes.
- Requires a certificate from Thawte, Verisign or other Certificate Authority, annual renewel.
- JAR files are signed with a Windows or UNIX software tool (signtool.exe).

Microsoft
Internet
Explorer Yes - Java Plug-in 1.1.3 (JDK 1.1.8).
- "javakey" JAR signing.
- invoked via <OBJECT> tag. Microsoft Authenticode Signing
- Microsoft JVM.
- Modification of HTML to
access CAB files
- invoked via <APPLET> tag. - Requires a certificate from Thawte, Verisign or other Certificate Authority, annual renewel.
- The class files must be packaged into a CAB file.
- Uses Windows only software tool for packaging and signing.

Netscape
Navigator Yes - Java Plug-in (JDK 1.1.8)
- invoked via <EMBED> tag Netscape Object Signing
- Netscape JVM.
- invoked via <APPLET> tag. See Notes for Netscape for Windows above.

For details on creating signable JAR files with CodeWarrior click here.

OS Platform	Browser	Java Script?	Java Plug-in	Internal JVM	Comments

	Netscape Navigator 4.76	Yes	- MRJ Java Plug-in 1.0b1 - Uses installed MRJ - "javakey" JAR signing - invoked via `<APPLET>` tag	- JDK 1.0.2 support only. - Upgrade outlook uncertain. - invoked via `<APPLET>` tag.	The current (Nov 2000) release of MRJ is 2.2.3, which is equivalent to the Sun JDK 1.1.8. This release supporst reading certificates from "javakey" signed JAR files and will put up a dialog asking the user to accept, reject, or remember this certificate. The signing tool, "javakey" DOES NOT use certificates issued by a CA (Certificate Authority), as such, all certificates are self-signed. This not the best of security schemes as certificates can be easily spoofed.
	MSIE 5.0 Macintosh Edition	Yes	Not Available	- Uses installed MRJ. - "javakey" JAR signing. - invoked via `<APPLET>` tag.
	iCab	No	Not Available	- Uses installed MRJ. - "javakey" JAR signing. - invoked via `<APPLET>` tag.
	Apple Applet Runner	No	Not Applicable	- Uses installed MRJ. - "javakey" JAR signing. - Ignores all HTML except the `<APPLET>` tag.

	Netscape Navigator	Yes	- Java Plug-in 1.1.3 (JDK 1.1.8). - "javakey" JAR signing. -invoked via `<EMBED>` tag.	Netscape Object Signing - Netscape VM (JDK 1.1.5). - invoked via `<APPLET>` tag.	- Netscape object signing requires changes to the Java source code in order to use Netscape capabilities classes. - Requires a certificate from Thawte, Verisign or other Certificate Authority, annual renewel. - JAR files are signed with a Windows or UNIX software tool (signtool.exe).
	Microsoft Internet Explorer	Yes	- Java Plug-in 1.1.3 (JDK 1.1.8). - "javakey" JAR signing. - invoked via `<OBJECT>` tag.	Microsoft Authenticode Signing - Microsoft JVM. - Modification of HTML to access CAB files - invoked via `<APPLET>` tag.	- Requires a certificate from Thawte, Verisign or other Certificate Authority, annual renewel. - The class files must be packaged into a CAB file. - Uses Windows only software tool for packaging and signing.
	Netscape Navigator	Yes	- Java Plug-in (JDK 1.1.8) - invoked via `<EMBED>` tag	Netscape Object Signing - Netscape JVM. - invoked via `<APPLET>` tag.	See Notes for Netscape for Windows above.