Home > Archive > Java Security > October 2006 > Signed Applets and different JVMs
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Signed Applets and different JVMs
|
|
| phil@philhooper.net 2006-10-30, 7:33 pm |
| Folks,
Apologies in advance if I'm asking stupid questions here but Java is
way outside my area of expertise and I really need some help.
We provide web-based applications that, in a few cases include a small,
signed Java applet to allow information to be posted across domains.
The applet code is really quite simple (even for me!) but one of our
clients is asking us to guarantee that the applet will work across The
Mircosoft JVM and Sun JVMs 13., 1.4 and 1.5 - I'm really not sure if we
can say this and am trying to avoid having to go through the pain of
testing it on all environments.
We have signed the applet using jarsigner for Sun (a .jar file) and
using signcode for Microsoft (a .cab file) but I'm not sure if this
enough to do the trick.
Spedific questions:
* When did the Java Plug-in switch from the JDK 1.1 security model to
JDK 2.0 security model?
* Will the signed .jar file work in all of these versions of the Sun
JVM?
* If not, can we ude JavaScript to determine which version of the
pulg-in is being used and then include a different applet tag for each
version?
I'm really a bit at a loss here so any information at all on how to do
all this would be greatly appreciated.
Thanks, in advance for your help,
Phil (Java newbie!)
| |
|
| > one of our
> clients is asking us to guarantee that the applet will work across The
> Mircosoft JVM and Sun JVMs 13., 1.4 and 1.5 - I'm really not sure if we
> can say this and am trying to avoid having to go through the pain of
> testing it on all environments.
How do you intend to assure you customer it works without testing ?
>
> We have signed the applet using jarsigner for Sun (a .jar file) and
> using signcode for Microsoft (a .cab file) but I'm not sure if this
> enough to do the trick.
Microsoft VM will be out of support by the end of 2007
(http://www.microsoft.com/mscorp/java/), so you'll probably want to limit
investment on this technology.
For discussion of Authenticode vs. Java signature, see the "Potential
Upgrade Issues" at
http://java.sun.com/j2se/1.5.0/docs...ide/index.html.
>
> Spedific questions:
>
> * When did the Java Plug-in switch from the JDK 1.1 security model to
> JDK 2.0 security model?
The product archive is here: http://java.sun.com/products/archive/.
The readme of 1.1.1_006 says it's designed for JDK 1.1 and 1.2. So I assume
using one or the other specification depends on what the developer
advertises as JVM requirement in its page.
> * Will the signed .jar file work in all of these versions of the Sun
> JVM?
I assume signature verification would work. That the applet would work is
another story: if the developer uses features only present in a certain
release, then it won't. So, ask the developer to assess this.
> * If not, can we ude JavaScript to determine which version of the
> pulg-in is being used and then include a different applet tag for each
> version?
The developer advertises its requirements in the HTML page and the Java
Plug-in can download and install a newer release if necessary.
See object/embed tag usage in
http://java.sun.com/j2se/1.5.0/docs...sing_tags.html.
>
> I'm really a bit at a loss here so any information at all on how to do
> all this would be greatly appreciated.
I think the Java Plug-in FAQs answers all questions above and much more:
http://java.sun.com/products/plugin...aqs/index.html.
Microsoft's Transition Guide will also prove helpful
(http://www.microsoft.com/mscorp/java).
>
> Thanks, in advance for your help,
>
> Phil (Java newbie!)
>
|
|
|
|
|