Re: Problem with JSS on Ubuntu

2008-09-08 Thread Glen Beasley
Marcin T wrote:
 Hi

 I finally discovered what is the issue here. It appears that in case
 of unsigned applets, the code is unable to access SunJCE provider

You need to spend your time on signing the applet correctly.

You really don't want to get unsigned applets working by modifying your
java.policy for the long term, as this grants permission to all applets.
Now when you surf the web any applet that is executed has the extra
permissions that you configured:

 As a workaround I have set up the following policies using Policy
 Manager:

 grant {
   permission java.security.SecurityPermission "putProviderProperty.SunJCE";
 };

 grant {
   permission java.lang.RuntimePermission "getProtectionDomain";
 };

 grant {
   permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
 };

 I don't know how insecure my actions are, but this definitely fixed
 problems with applets under SSL / HTTPS.


Security - Signed Applets forum:
http://forums.sun.com/forum.jspa?forumID=63&start=0

http://java.sun.com/javase/6/docs/technotes/guides/plugin/
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/security.html
 


-glen

 Feel free to send me your ideas how to fix this issue in more elegant
 way.

 Best,
 Marcin


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
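
Glen's point in the message above, as an added example (not code from the thread or from JSS): a `grant` entry with no `codeBase` or `signedBy` clause applies to all code the plug-in loads. The script below lists such entries in a policy file; the sample text is constructed from the grants quoted in the thread plus one hypothetical scoped grant, and its URL is a placeholder.

```python
import re

# Constructed sample: the three global grants from the thread, plus one
# hypothetical grant scoped to a placeholder code source.
SAMPLE_POLICY = '''
grant {
  permission java.security.SecurityPermission "putProviderProperty.SunJCE";
};
grant {
  permission java.lang.RuntimePermission "getProtectionDomain";
};
grant {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
};
grant codeBase "https://applets.example.test/-" {
  permission java.lang.RuntimePermission "getProtectionDomain";
};
'''

# Quoted strings are matched as units so braces or "//" inside a codeBase
# URL do not confuse the block boundaries.
GRANT_RE = re.compile(
    r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)
SCOPE_RE = re.compile(r'\b(codeBase|signedBy|principal)\b', re.I)
LINE_COMMENT_RE = re.compile(r'^[ \t]*//.*$', re.M)  # whole-line comments only


def audit(policy_text):
    """Return (scope, permission class, target) for every permission entry.

    scope is 'ALL CODE' when the grant header names no codeBase, signedBy
    or principal, i.e. the permission is given to every applet.
    """
    text = LINE_COMMENT_RE.sub('', policy_text)
    findings = []
    for header, body in GRANT_RE.findall(text):
        scope = ' '.join(header.split()) if SCOPE_RE.search(header) else 'ALL CODE'
        for cls, target in PERM_RE.findall(body):
            findings.append((scope, cls, target))
    return findings


def unscoped(policy_text):
    """Only the entries that apply to all code."""
    return [f for f in audit(policy_text) if f[0] == 'ALL CODE']


if __name__ == '__main__':
    for scope, cls, target in audit(SAMPLE_POLICY):
        print(f'{scope:45} {cls} {target}')
```
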


Re: Problem with JSS on Ubuntu

2008-09-06 Thread Marcin T
Hi

I finally discovered what is the issue here. It appears that in case
of unsigned applets, the code is unable to access SunJCE provider
which contains most of the ciphers used by SSL protocol. This means
that a session with SSL server is broken and effectively applet is not
initialised.

So nothing to do with JSS, unless it requires SunJCE.

This problem is related to configuration of JRE under linux due to
export control restrictions. Unfortunately I don't know how to make
JRE to use SunJCE by default.

As a workaround I have set up the following policies using Policy
Manager:

grant {
  permission java.security.SecurityPermission "putProviderProperty.SunJCE";
};

grant {
  permission java.lang.RuntimePermission "getProtectionDomain";
};

grant {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
};

I don't know how insecure my actions are, but this definitely fixed
problems with applets under SSL / HTTPS.

Feel free to send me your ideas how to fix this issue in more elegant
way.

Best,
Marcin


Re: Problem with JSS on Ubuntu

2008-09-04 Thread Kyle Hamilton
The security policy of the JRE might prohibit running unsigned
applets, as well.  I don't know how to check on Ubuntu.

-Kyle H

On Wed, Sep 3, 2008 at 10:15 PM, Nelson B Bolyard [EMAIL PROTECTED] wrote:
 Marcin T wrote

 However when I try to run a test java applet over SSL connection, I
 get ClassNotFound exception:

  https://www.java.com/en/download/help/testvm.xml

 You get an exception trying to view THAT page?
 If so, something's wrong with your JRE installation.

 Or is it another page (of your own) that has this problem with https?
 If so, can you give us the URL for that page?

 Just want to mention that this page works ok:
 https://jogl-demos.dev.java.net/applettest.html
 (applet is signed)

 Yes, that works well and looks nice.

 But as I said if applet is not signed and page is authenticated then I
 get ClassNotFound exception.

 I'm wondering what you thought JSS would do for that problem.

 In any case, the problem you describe, about the apparent requirement
 that an applet be signed to run in an https page, is a problem that
 I doubt JSS would help any.

 Are some classes missing, perhaps, from the unsigned jar?
 Are they perhaps in the Jar (that is, in the zip file) but not in the
 Jar's manifest file?


Re: Problem with JSS on Ubuntu

2008-09-04 Thread Marcin T
 The security policy of the JRE might prohibit running unsigned
 applets, as well.  I don't know how to check on Ubuntu.

I am using standard Sun JRE 1.6 32bit along with FF3 32 bit, to be
able to run applets in 64 bit environment. I can't find any options in
Java console which would alter behaviour of unsigned applets. Windows
version of JRE works ok tho.

Would you know where else I could get help on this topic (i.e. how to
alter security policies for unsigned applets)?

Best Regards,
Marcin


Re: Problem with JSS on Ubuntu

2008-09-04 Thread Glen Beasley
hi Martin,

As this is not a JSS/NSS/NSPR issue, please read:

http://java.sun.com/javase/6/docs/technotes/guides/plugin/

If you have more questions on signing applets I believe your best source
of expert information is to ask in this forum:

http://forums.sun.com/forum.jspa?forumID=63&start=0


 Would you know where else I could get help on this topic (i.e. how to
 alter security policies for unsigned applets)?

   
I don't understand why you want to pursue how to get unsigned applets
working? Learn how to sign your applet correctly.

http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/security.html

* All unsigned applets are run under the standard applet security model.
* If usePolicy is not defined in the java.policy file, then a signed applet has the AllPermission permission only if Java Plug-in can verify the signers, and the user agrees to granting the AllPermission permission when prompted.
* If usePolicy is defined, then a signed applet has only the permissions defined in java.policy and no prompting occurs.


note: I rarely work with applets, but when I do, for debugging an applet
on my local system only, rather than signing the applet I modify my local
java.policy file and add

permission java.security.AllPermission;
permission java.lang.RuntimePermission "loadLibrary.*";


-glen


 Best Regards,
 Marcin


Problem with JSS on Ubuntu

2008-09-03 Thread Marcin T
Hello

I am trying to solve a problem with java applet  authentication on
Ubuntu AMD64 in Firefox 3.0 32bit with Java 1.6 32bit.

This distro doesn't come with JSS package (it took a lot of googling
to actually understand this issue), so I had to install files by hand.
I can see that installation was ok as command runs fine:

  LD_LIBRARY_PATH=/usr/local/firefox32-3/ CLASSPATH=/usr/local/firefox32-3/jss4.jar java org.mozilla.jss.tests.SSLClientAuth . passwords

However when I try to run a test java applet over SSL connection, I
get ClassNotFound exception:

 https://www.java.com/en/download/help/testvm.xml

This is log from console:

security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Checking if certificate is in Deployment denied certificate store
network: Cache entry not found [url: https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class, version: null]
network: Connecting https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class with proxy=DIRECT
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Checking if certificate is in Deployment denied certificate store
load: class testvmDynamicJavaComPopUp819.class not found.
java.lang.ClassNotFoundException: testvmDynamicJavaComPopUp819.class
    at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:194)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:127)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:640)
    at sun.applet.AppletPanel.createApplet(AppletPanel.java:786)
    at sun.plugin.AppletViewer.createApplet(AppletViewer.java:2108)
    at sun.applet.AppletPanel.runLoader(AppletPanel.java:715)
    at sun.applet.AppletPanel.run(AppletPanel.java:369)
    at java.lang.Thread.run(Thread.java:619)

Any help will be much appreciated

Best Regards,
Marcin


Re: Problem with JSS on Ubuntu

2008-09-03 Thread Glen Beasley
hi,

You only need to install JSS if your applet or the applet you want to 
use requires JSS.

Getting the following URL (you specified) to display correctly over SSL 
in FF3 does not require JSS

https://www.java.com/en/download/help/testvm.xml

The SSL connection and applet do not use JSS, so this problem is not JSS
related at all.
And if you had JSS installed perfectly, it would not help the above
URL to display correctly.
So ignore JSS.

I assume that http works? If not start there.

http://www.java.com/en/download/help/testvm.xml

Since https does not work I would re-read the advice on the page:


If your applet is not displaying properly, please check these additional 
configurations.

   1. Enable the JRE through your Web browser
   2. Enable the JRE through the Java Plug-in Control Panel
   3. Clearing your Web Browser Cache

If you are unable to perform any of the steps above due to an error, 
please reinstall the JRE.

Download and installation instructions
http://www.java.com/en/download/help/610300.xml

---

Note I do not have a working Ubuntu system. Also it's not clear to me
that you actually want/need to use JSS. I think you just want to get this URL

https://www.java.com/en/download/help/testvm.xml working on Ubuntu using FF3.

But if you do want to use JSS after getting the above URL working
correctly and you are intending to have your own java applet use JSS
then here are some tips that may help:

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

For debugging and testing of your applet that uses JSS you can modify
your java.policy file

permission java.security.AllPermission;
permission java.lang.RuntimePermission "loadLibrary.*";

Which will allow your applet to initialize JSS and allow JSS to load
its dependent NSPR/NSS libraries.
When you need to deploy your applet, rather than modifying the
java.policy file you should sign your applet.

http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/rsa_how.html

Also if you want to run an applet that uses JSS on windows, understand 
that Firefox builds
the NSPR/NSS binaries for the OS_TARGET=WIN95 which means you would have to
first build JSS for the OS_TARGET=WIN95 and then install.

hope this helps,

glen




Re: Problem with JSS on Ubuntu

2008-09-03 Thread Marcin T
Hi

Thanks vm for quick response.

An applet works ok when opening not encrypted page (no problems with
http)

Problems start when page is encrypted and authenticated and applet is
not signed (when signed I have noticed that it runs ok) - then I get
class not found exception.

I've tried to switch on and off "Use certificates and keys in browser
keystore" but this has no effect on applet running over https. This
can be internal JRE issue on Ubuntu but I never had any problems with
applets over SSL in Windows. Would you happen to know what's the best
way to debug applet loading process in Sun JRE?

It looks like I didn't read properly what jss is for - apologies if
this is not a right forum for these type of questions.

Best Regards.
Marcin


Re: Problem with JSS on Ubuntu

2008-09-03 Thread Marcin T
Just want to mention that this page works ok: 
https://jogl-demos.dev.java.net/applettest.html
(applet is signed)

But as I said if applet is not signed and page is authenticated then I
get ClassNotFound exception.

Best,
Marcin


Re: Problem with JSS on Ubuntu

2008-09-03 Thread Nelson B Bolyard
Marcin T wrote

 However when I try to run a test java applet over SSL connection, I
 get ClassNotFound exception:

  https://www.java.com/en/download/help/testvm.xml

You get an exception trying to view THAT page?
If so, something's wrong with your JRE installation.

Or is it another page (of your own) that has this problem with https?
If so, can you give us the URL for that page?

 Just want to mention that this page works ok: 
 https://jogl-demos.dev.java.net/applettest.html
 (applet is signed)

Yes, that works well and looks nice.

 But as I said if applet is not signed and page is authenticated then I
 get ClassNotFound exception.

I'm wondering what you thought JSS would do for that problem.

In any case, the problem you describe, about the apparent requirement
that an applet be signed to run in an https page, is a problem that
I doubt JSS would help any.

Are some classes missing, perhaps, from the unsigned jar?
Are they perhaps in the Jar (that is, in the zip file) but not in the
Jar's manifest file?