Re: Problem using SunJCE in an applet

Jan Luehe (luehe@laguna.eng.sun.com)
Thu, 26 Aug 1999 13:30:16 -0700 (PDT)

Message-Id: <199908262030.NAA20880@laguna.eng.sun.com>
To: java-security@java.sun.com, abhay@cobra.brass.com

Abhay:

> I would appreciate if you would look into the problem I am facing
> using SunJCE with a browser plugin.
>
> I'm trying to use SunJCE classes in my applet. But the browser plugin
> (jdk1.2) of windows-95 is unable to recognise SunJCE as the provider
> even if I change the java.security file on the client machine (the
> machine on which I am running the applet).
>
> As a result, I get "algorithm not available" exception in my applet.
>
> Note that I cannot use the Security.addProvider call within my applet as
> my applet is not signed.
> (Calling this would give me a security exception.)
>
> A typical use on client machine is like this:
>
> (a) The client loads the applet and the jce1_2-doc.jar from our web
> server.
> (b) The client machine has the provider SunJCE added
> in c:\windows\system\lib\security\java.security file.
>
> But the browser picks up only Sun as the provider.
>
> I modified the applet to print the providers list from Security class.
> It prints only Sun as the provider.
>
> Is there anything wrong / missing that I am doing?

Providers listed in the "java.security" file of the client
must be supplied on the application classpath (this corresponds to
CLASSPATH), extensions directory, or bootstrap classpath of the
client's JRE, in order for the client's JRE to be
able to find, load, and install them.

If a provider listed in the client's "java.security" file
is not configured in any of those places, but instead is
bundled with an applet (as in your case), the client's JRE won't
be able to load and install that provider, because the applet's
classloader is not included in the client's classloader delegation
chain.

This means that in order for your applet to use the services
of the SunJCE provider, it itself has to install it - requiring the
appropriate permission, as you pointed out.

We are thinking of overloading the getInstance() methods, which
currently take an algorithm name (and optionally a provider
name), to also be able to take an instance of java.security.Provider.
In that case, the provider would not have to be registered with the
JRE (i.e., it would not be shared by all applets/applications running
in that JRE), avoiding the need for any security checks.
This will not happen in the Kestrel (JDK 1.3) timeframe, though.

Jan
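
The difference between name-based lookup and passing a Provider instance, as an added example that is not part of the original message or of Sun's code. It uses the getInstance(String, Provider) overloads that later shipped in java.security (J2SE 1.4) and assumes Java 9 or later for the Provider constructor; DemoProvider, DemoDigest and the algorithm name DEMO-SHA256 are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

public class ProviderInstanceDemo {

    // Hypothetical provider, constructed for this example and never registered with the JRE.
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DemoProvider", "1.0", "constructed example provider");
            put("MessageDigest.DEMO-SHA256", DemoDigest.class.getName());
        }
    }

    // Constructed SPI class: delegates to the platform SHA-256 under a made-up algorithm name.
    public static final class DemoDigest extends MessageDigestSpi {
        private final MessageDigest inner;
        public DemoDigest() throws NoSuchAlgorithmException {
            inner = MessageDigest.getInstance("SHA-256");
        }
        @Override protected void engineUpdate(byte b) { inner.update(b); }
        @Override protected void engineUpdate(byte[] in, int off, int len) { inner.update(in, off, len); }
        @Override protected byte[] engineDigest() { return inner.digest(); }
        @Override protected void engineReset() { inner.reset(); }
    }

    public static void main(String[] args) throws Exception {
        // The check the applet performed: which providers are installed JRE-wide.
        for (Provider p : Security.getProviders()) System.out.println("registered: " + p.getName());

        // Lookup by algorithm name searches only the registered providers, so it fails here.
        try {
            MessageDigest.getInstance("DEMO-SHA256");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("by name: " + e.getMessage());
        }

        // Passing the instance: no Security.addProvider call, no JRE-wide state change.
        Provider demo = new DemoProvider();
        MessageDigest md = MessageDigest.getInstance("DEMO-SHA256", demo);
        byte[] out = md.digest("abc".getBytes(StandardCharsets.UTF_8));
        System.out.println("via instance: " + md.getProvider().getName() + ", " + out.length + " bytes");
        System.out.println("still unregistered: " + (Security.getProvider("DemoProvider") == null));
    }
}
```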