Re: Problem with JSS on Ubuntu
Marcin T wrote:
> Hi I finally discovered what is the issue here. It appears that in case of unsigned applets, the code is unable to access SunJCE provider

You need to spend your time on signing the applet correctly. You really don't want to get unsigned applets working by modifying your java.policy for the long term, as this grants permission to all applets. Now when you surf the web any applet that is executed has the extra permissions that you configured:

> As a workaround I have set up the following policies using Policy Manager:
>
> grant { permission java.security.SecurityPermission "putProviderProperty.SunJCE"; };
> grant { permission java.lang.RuntimePermission "getProtectionDomain"; };
> grant { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; };
>
> I don't know how insecure my actions are, but this definitely fixed problems with applets under SSL / HTTPS.

Security - Signed Applets forum:
http://forums.sun.com/forum.jspa?forumID=63start=0
http://java.sun.com/javase/6/docs/technotes/guides/plugin/
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/security.html

-glen

> Feel free to send me your ideas how to fix this issue in more elegant way.
>
> Best,
> Marcin

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
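Added example, not written by anyone in this thread: a small Python check for the point made in the reply above, that a `grant` entry with no `codeBase` or `signedBy` clause applies to every applet the plug-in runs. The sample policy is constructed from the three grants quoted in the thread plus one scoped entry whose codeBase URL is a placeholder; the names `audit` and `unscoped_permissions` are chosen here.

```python
import re

# Constructed sample: the three grants quoted in the thread (no codeBase, no
# signedBy), then a scoped entry. The codeBase URL is a placeholder.
SAMPLE_POLICY = '''
grant { permission java.security.SecurityPermission "putProviderProperty.SunJCE"; };
grant { permission java.lang.RuntimePermission "getProtectionDomain"; };
grant { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; };
// scoped: only code loaded from this location gets the permission
grant codeBase "https://applets.example.test/app/-" {
    permission java.lang.RuntimePermission "getProtectionDomain";
};
'''

# Quoted strings are matched first so that "//" inside a URL is not a comment.
STRIP_RE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# grant <header> { <body> };  with quoted strings skipped as single units.
GRANT_RE = re.compile(
    r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;', re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)
SCOPE_RE = re.compile(r'\b(codeBase|signedBy|principal)\b', re.I)


def audit(policy_text):
    """Return one (scoped, [(permission_class, target), ...]) per grant entry."""
    text = STRIP_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else ' ', policy_text)
    findings = []
    for header, body in GRANT_RE.findall(text):
        # Look for scoping keywords outside quoted values only.
        scoped = bool(SCOPE_RE.search(re.sub(r'"[^"]*"', '', header)))
        findings.append((scoped, PERM_RE.findall(body)))
    return findings


def unscoped_permissions(policy_text):
    """Permissions that every applet receives, whatever its origin or signer."""
    return [perm for scoped, perms in audit(policy_text)
            if not scoped for perm in perms]


if __name__ == "__main__":
    for cls, target in unscoped_permissions(SAMPLE_POLICY):
        print("granted to ALL code:", cls, target or "")
```

Run against a real `java.policy`, anything it lists is available to any applet from any site; moving an entry under a `codeBase` or `signedBy` clause removes it from the list.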
Re: Problem with JSS on Ubuntu
Hi

I finally discovered what is the issue here. It appears that in case of unsigned applets, the code is unable to access SunJCE provider which contains most of the ciphers used by SSL protocol. This means that a session with SSL server is broken and effectively applet is not initialised. So nothing to do with JSS, unless it requires SunJCE.

This problem is related to configuration of JRE under Linux due to export control restrictions. Unfortunately I don't know how to make JRE use SunJCE by default.

As a workaround I have set up the following policies using Policy Manager:

grant { permission java.security.SecurityPermission "putProviderProperty.SunJCE"; };
grant { permission java.lang.RuntimePermission "getProtectionDomain"; };
grant { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; };

I don't know how insecure my actions are, but this definitely fixed problems with applets under SSL / HTTPS.

Feel free to send me your ideas how to fix this issue in more elegant way.

Best,
Marcin
Re: Problem with JSS on Ubuntu
The security policy of the JRE might prohibit running unsigned applets, as well. I don't know how to check on Ubuntu.

-Kyle H

On Wed, Sep 3, 2008 at 10:15 PM, Nelson B Bolyard wrote:
> Marcin T wrote
>> However when I try to run a test java applet over SSL connection, I get ClassNotFound exception:
>> https://www.java.com/en/download/help/testvm.xml
>
> You get an exception trying to view THAT page? If so, something's wrong with your JRE installation. Or is it another page (of your own) that has this problem with https? If so, can you give us the URL for that page?
>
>> Just want to mention that this page works ok:
>> https://jogl-demos.dev.java.net/applettest.html (applet is signed)
>
> Yes, that works well and looks nice.
>
>> But as I said if applet is not signed and page is authenticated then I get ClassNotFound exception.
>
> I'm wondering what you thought JSS would do for that problem. In any case, the problem you describe, about the apparent requirement that an applet be signed to run in an https page, is a problem that I doubt JSS would help any.
>
> Are some classes missing, perhaps, from the unsigned jar? Are they perhaps in the Jar (that is, in the zip file) but not in the Jar's manifest file?
Re: Problem with JSS on Ubuntu
> The security policy of the JRE might prohibit running unsigned applets, as well. I don't know how to check on Ubuntu.

I am using standard Sun JRE 1.6 32bit along with FF3 32 bit, to be able to run applets in 64 bit environment. I can't find any options in Java console which would alter behaviour of unsigned applets. Windows version of JRE works ok tho.

Would you know where else I could get help on this topic (i.e. how to alter security policies for unsigned applets)?

Best Regards,
Marcin
Re: Problem with JSS on Ubuntu
hi Martin,

As this is not a JSS/NSS/NSPR issue, please read:
http://java.sun.com/javase/6/docs/technotes/guides/plugin/

If you have more questions on signing applets I believe your best source of expert information is to ask in this forum:
http://forums.sun.com/forum.jspa?forumID=63start=0

> Would you know where else I could get help on this topic (i.e. how to alter security policies for unsigned applets)?

I don't understand why you want to pursue how to get unsigned applets working? Learn how to sign your applet correctly.
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/security.html

* All unsigned applets are run under the standard applet security model.
* If usePolicy is not defined in the java.policy file, then a signed applet has the AllPermission permission only if Java Plug-in can verify the signers, and the user agrees to granting the AllPermission permission when prompted.
* If usePolicy is defined, then a signed applet has only the permissions defined in java.policy and no prompting occurs.

note: I rarely work with applets, but when I do, for debugging an applet on my local system only, rather than signing the applet I modify my local java.policy file and add

permission java.security.AllPermission;
permission java.lang.RuntimePermission "loadLibrary.*";

-glen

> Best Regards,
> Marcin
Problem with JSS on Ubuntu
Hello

I am trying to solve a problem with java applet authentication on Ubuntu AMD64 in Firefox 3.0 32bit with Java 1.6 32bit. This distro doesn't come with JSS package (it took a lot of googling to actually understand this issue), so I had to install files by hand. I can see that installation was ok as command runs fine:

LD_LIBRARY_PATH=/usr/local/firefox32-3/ CLASSPATH=/usr/local/firefox32-3/jss4.jar java org.mozilla.jss.tests.SSLClientAuth . passwords

However when I try to run a test java applet over SSL connection, I get ClassNotFound exception:
https://www.java.com/en/download/help/testvm.xml

This is log from console:

security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Checking if certificate is in Deployment denied certificate store
network: Cache entry not found [url: https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class, version: null]
network: Connecting https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class with proxy=DIRECT
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Checking if certificate is in Deployment denied certificate store
load: class testvmDynamicJavaComPopUp819.class not found.
java.lang.ClassNotFoundException: testvmDynamicJavaComPopUp819.class
    at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:194)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:127)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:640)
    at sun.applet.AppletPanel.createApplet(AppletPanel.java:786)
    at sun.plugin.AppletViewer.createApplet(AppletViewer.java:2108)
    at sun.applet.AppletPanel.runLoader(AppletPanel.java:715)
    at sun.applet.AppletPanel.run(AppletPanel.java:369)
    at java.lang.Thread.run(Thread.java:619)

Any help will be much appreciated

Best Regards,
Marcin
Re: Problem with JSS on Ubuntu
hi,

You only need to install JSS if your applet or the applet you want to use requires JSS.

Getting the following URL (you specified) to display correctly over SSL in FF3 does not require JSS:
https://www.java.com/en/download/help/testvm.xml

The SSL connection and applet do not use JSS, so this problem is not JSS related at all. And if you had JSS installed perfectly, it would not help the above URL to display correctly. So ignore JSS.

I assume that http works? If not start there.
http://www.java.com/en/download/help/testvm.xml

Since https does not work I would re-read the advice on the page:

If your applet is not displaying properly, please check these additional configurations.
1. Enable the JRE through your Web browser
2. Enable the JRE through the Java Plug-in Control Panel
3. Clearing your Web Browser Cache
If you are unable to perform any of the steps above due to an error, please reinstall the JRE.

Download and installation instructions:
http://www.java.com/en/download/help/610300.xml

---

Note I do not have a working Ubuntu system. Also it's not clear to me that you actually want/need to use JSS. I think you just want to get this URL https://www.java.com/en/download/help/testvm.xml working on Ubuntu using FF3.

But if you do want to use JSS after getting the above URL working correctly and you are intending to have your own java applet use JSS then here are some tips that may help:
http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

For debugging and testing of your applet that uses JSS you can modify your java.policy file:

permission java.security.AllPermission;
permission java.lang.RuntimePermission "loadLibrary.*";

Which will allow your applet to initialize JSS and allow JSS to load its dependent NSPR/NSS libraries.

When you need to deploy your applet, rather than modifying the java.policy file you should sign your applet.
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/rsa_how.html

Also if you want to run an applet that uses JSS on Windows, understand that Firefox builds the NSPR/NSS binaries for the OS_TARGET=WIN95, which means you would have to first build JSS for the OS_TARGET=WIN95 and then install.

hope this helps,
glen

Marcin T wrote:
> Hello
>
> I am trying to solve a problem with java applet authentication on Ubuntu AMD64 in Firefox 3.0 32bit with Java 1.6 32bit. This distro doesn't come with JSS package (it took a lot of googling to actually understand this issue), so I had to install files by hand. I can see that installation was ok as command runs fine:
>
> LD_LIBRARY_PATH=/usr/local/firefox32-3/ CLASSPATH=/usr/local/firefox32-3/jss4.jar java org.mozilla.jss.tests.SSLClientAuth . passwords
>
> However when I try to run a test java applet over SSL connection, I get ClassNotFound exception:
> https://www.java.com/en/download/help/testvm.xml
>
> This is log from console:
>
> security: Loading certificates from Deployment session certificate store
> security: Loaded certificates from Deployment session certificate store
> security: Checking if certificate is in Deployment denied certificate store
> network: Cache entry not found [url: https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class, version: null]
> network: Connecting https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class with proxy=DIRECT
> security: Loading certificates from Deployment session certificate store
> security: Loaded certificates from Deployment session certificate store
> security: Checking if certificate is in Deployment denied certificate store
> load: class testvmDynamicJavaComPopUp819.class not found.
> java.lang.ClassNotFoundException: testvmDynamicJavaComPopUp819.class
>     at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:194)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
>     at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:127)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
>     at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:640)
>     at sun.applet.AppletPanel.createApplet(AppletPanel.java:786)
>     at sun.plugin.AppletViewer.createApplet(AppletViewer.java:2108)
>     at sun.applet.AppletPanel.runLoader(AppletPanel.java:715)
>     at sun.applet.AppletPanel.run(AppletPanel.java:369)
>     at java.lang.Thread.run(Thread.java:619)
>
> Any help will be much appreciated
>
> Best Regards,
> Marcin
Re: Problem with JSS on Ubuntu
Hi

Thanks vm for quick response.

An applet works ok when opening not encrypted page (no problems with http). Problems start when page is encrypted and authenticated and applet is not signed (when signed I have noticed that it runs ok) - then I get class not found exception.

I've tried to switch on and off Use certificates and keys in browser keystore but this has no effect on applet running over https.

This can be internal JRE issue on Ubuntu but I never had any problems with applets over SSL in Windows. Would you happen to know what's the best way to debug applet loading process in Sun JRE?

It looks like I didn't read properly what JSS is for - apologies if this is not a right forum for these type of questions.

Best Regards,
Marcin
Re: Problem with JSS on Ubuntu
Just want to mention that this page works ok:
https://jogl-demos.dev.java.net/applettest.html (applet is signed)

But as I said if applet is not signed and page is authenticated then I get ClassNotFound exception.

Best,
Marcin
Re: Problem with JSS on Ubuntu
Marcin T wrote
> However when I try to run a test java applet over SSL connection, I get ClassNotFound exception:
> https://www.java.com/en/download/help/testvm.xml

You get an exception trying to view THAT page? If so, something's wrong with your JRE installation. Or is it another page (of your own) that has this problem with https? If so, can you give us the URL for that page?

> Just want to mention that this page works ok:
> https://jogl-demos.dev.java.net/applettest.html (applet is signed)

Yes, that works well and looks nice.

> But as I said if applet is not signed and page is authenticated then I get ClassNotFound exception.

I'm wondering what you thought JSS would do for that problem. In any case, the problem you describe, about the apparent requirement that an applet be signed to run in an https page, is a problem that I doubt JSS would help any.

Are some classes missing, perhaps, from the unsigned jar? Are they perhaps in the Jar (that is, in the zip file) but not in the Jar's manifest file?