"Java Plug-In Security Warning" dialog gone / broken under

Christian M. Forster (cforster@i-review.com)
Wed, 21 Jul 1999 16:13:43 -0500

Message-Id: <2.2.32.19990721211343.00d490c8@postoffice.i-review.com>
To: java-security@java.sun.com


I've just subscribed to this list, so could any replies also CC me directly?
Thanks! I've also searched the list archive for info.

I submitted this to JDC -> Bugs (review ID: 88143, 3-week backlog?!), but I
need to deliver a commercial beta applet/JAR that relies on 1.2.2 & the Java
Plug-In Security Warning dialog by the end of this August & this is a
show-stopper! I've also EMailed one member of the Plug-In Team directly,
but I'm desperate for a confirmation or response! I know Jan L. sees this
list and has been very responsive.

The problem: My Class 3 Verisign Netscape Object Signing cert - signed JARs
work fine under the 1.2.2 RC1 plugin (Plug-In jre 1.2.2 pu) showing the
security dialog and allowing the user to grant rights, but fail to show the
dialog at all on clean machines with 1.2.2 production plugin (Plug-In jre
1.2.2 px).

The steps I took:
1) Compile 1.2 code to a classes directory,
2) Use Netscape's signtool (w/Verisign class 3 cert) to JAR (ZIP) the class
files & sign the resultant JAR like this:
signtool -da: -k "Our Co. Name" -Z Jarname.jar classdir
3) In a separate test, tried signing the directory & using pkzip to package
the JAR. Same problem.

The JAR is signed by my company's new Class 3 Verisign cert, no security
dialog is presented under 1.2.2 FCS and if I press the "Show Dialog" button
in the presented JInternalFrame (see sample code attached), an option dialog
shows with the yellow banner at the bottom (untrusted).

If I try the same JAR on Win95 machines with JRE 1.2.2 RC1 (pu), they
properly show the security dialog... machines with JRE 1.2.2 FCS (px) do
not. The JAR was compiled with jdk 1.2.2FCS and JARed/signed with
Netscape's signtool. If I install 1.2.2 RC1 (plug-in ver. 1.2.2 pu) over
1.2.2 FCS (plug-in ver. 1.2.2 px) on the machines, the Security Dialog shows
and all is well, but obviously I cannot ship under a RC release.

Perhaps the required signing procedure has changed from 1.2.2 RC -> 1.2.2
FCS or I'm overlooking something, but I've read & tried everything I can
think of and can't get the dialog to show under 1.2.2 FCS. I checked the
cacerts (identical under RC1 & FCS) and my browsers' certs DB (IE 4, NN 4).
All the relevant Verisign CA certs are enabled.

Again, any suggestions would be appreciated. I can send along the signed JAR
file to anyone that wants to try it.

Has anyone seen the "Java Plug-In Security Warning" dialog presented by the
1.2.2 FCS plugin? I'd appreciate hearing the creation & environment details.

I've read & followed
http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html and
http://java.sun.com/products/plugin/1.2/docs/netscape.html and I'm worried
that the addition of the new "usePolicy" runtime permission may have broken
the facility.

Thanks,
Chris

Attachment: JApplet1.java

import java.awt.*;
import javax.swing.*;

/**
 * A basic extension of the javax.swing.JApplet class
 */
public class JApplet1 extends JApplet {
    // Reference to the applet, used by the button's listener below
    static JApplet1 thisApp;

    public void init() {
        thisApp = this;

        JDesktopPane desktop = new JDesktopPane();
        JInternalFrame jif = new JInternalFrame("1.2.2 Signed JAR test");
        JButton jbutt = new JButton("Show a Dialog Window");

        // The dialog opened here carries the yellow warning banner when the
        // applet's code is running untrusted
        jbutt.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent event) {
                JOptionPane.showMessageDialog(thisApp.getContentPane(),
                    "This window should NOT have a yellow warning banner!!!");
            }
        });
        jif.getContentPane().add(jbutt, BorderLayout.CENTER);
        desktop.add(jif);
        getContentPane().add(desktop, BorderLayout.CENTER);
        desktop.setSize(500, 500);
        jif.setBounds(250, 50, 250, 100);

        getContentPane().validate();
        getContentPane().setVisible(true);
    }
}

Attachment: JApplet1.htm

JApplet Signed JAR test </COMMENT> alt="Your browser understands the tag but isn't running the applet, for some reason (Java Plug-In 1.2.2 not available?)." Your browser is completely ignoring the applet tag!

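Added example, not part of the original message or its attachments: a packaging check for the signing steps described above (signtool output, or a signed directory re-zipped with pkzip), which reports the JAR entries whose bytes match their manifest digest, those that do not, and those with no manifest entry at all. It only inspects the manifest and the presence of signature files; it does not validate the PKCS#7 signature or the certificate chain. The function names and the sample JAR (including the zigbert.sf / zigbert.rsa file names and the anonymous inner class JApplet1$1.class) are constructed for illustration.

```python
import base64, hashlib, io, zipfile

# Manifest digest headers mapped to hashlib names (older signing tools wrote MD5 and SHA1).
DIGESTS = {"MD5-Digest": "md5", "SHA1-Digest": "sha1", "SHA-Digest": "sha1", "SHA-256-Digest": "sha256"}

def parse_manifest(text):
    """Return {entry name: headers} for the per-entry sections of a manifest."""
    # A line continued past 72 bytes resumes on the next line after one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in text.split("\n\n"):
        headers = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in headers:
            sections[headers.pop("Name")] = headers
    return sections

def audit_jar(data):
    """Sort a JAR's entries into ok / mismatch / unsigned; list signature files."""
    report = {"ok": [], "mismatch": [], "unsigned": [], "signature_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        mf = next((n for n in names if n.upper() == "META-INF/MANIFEST.MF"), None)
        sections = parse_manifest(jar.read(mf).decode("utf-8")) if mf else {}
        for name in names:
            if name.upper().startswith("META-INF/"):
                if name.upper().endswith((".SF", ".RSA", ".DSA")):
                    report["signature_files"].append(name)
                continue
            want = {h: v for h, v in sections.get(name, {}).items() if h in DIGESTS}
            body = jar.read(name)
            good = all(base64.b64encode(hashlib.new(DIGESTS[h], body).digest()).decode() == v.strip()
                       for h, v in want.items())
            report["unsigned" if not want else "ok" if good else "mismatch"].append(name)
    return report

def build_sample_jar(tamper=False):
    """Constructed sample JAR; file contents are placeholders, not real signatures."""
    cls = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha1(cls).digest()).decode()
    manifest = "Manifest-Version: 1.0\r\n\r\nName: JApplet1.class\r\nSHA1-Digest: " + digest + "\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/manifest.mf", manifest)
        jar.writestr("META-INF/zigbert.sf", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/zigbert.rsa", b"placeholder bytes")
        jar.writestr("JApplet1.class", cls + (b"!" if tamper else b""))
        jar.writestr("JApplet1$1.class", b"constructed inner class, no manifest entry")
    return buf.getvalue()
```

To audit a real file, pass its bytes: audit_jar(open("Jarname.jar", "rb").read()). Any name under "unsigned" or "mismatch" is a class the signature does not cover.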