Deploying as a Java Applet

---

You can deploy an application containing the ICEbrowser SDK as an applet in two ways:

• As an unsigned jar, running inside the default applet security sandbox.
• As a signed jar, requesting special permissions from the user to gain system access beyond what is permitted in the default applet security sandbox.

Deploying as an Unsigned Applet

If you do not sign your applet jar files, your applet must live within the constraints of the default applet security sandbox. This sandbox is quite restrictive and is intentionally designed to ensure that untrusted or potentially hostile applets cannot harm the host computer.

Some significant restrictions to be aware of are:

• It cannot make network connections except to the host that it came from.
• It cannot load libraries or define native methods.
• It cannot read or write files on the host that is executing it.
• It cannot start any program on the host that is executing it.
• It cannot read certain system properties.

In particular, the limitation of only being able to make network connections to the same host that the applet was deployed from is important for any application that includes the ICEbrowser, because it is likely to be loading HTML content via network connections. If you would like to deploy your application as an unsigned applet and your application requires loading content from one or more host servers other than the one the applet is served from, you may be able to configure an HTTP proxy in the applet to have all content be provided by a proxy-server residing on the same host that the applet was served from. This configuration would allow the required content to be delivered to the applet while still living within the single-host applet sandbox security restriction.

Note: For more information on the default Java applet security sandbox, see: http://java.sun.com/docs/books/tutorial/applet/overview/security.html

Deploying as a Signed Applet

Signed applets are a technique of adding a digital signature to an applet to prove that it came untampered from a particular trusted author. Signing your applet will allow it to perform operations that are not permitted in the default applet security sandbox.

You can run your application as a signed applet by following these general steps:

Note: These steps are only a general approach to signing JAR files. For more detailed information, see http://java.sun.com/docs/books/tutorial/jar/sign/signing.html or http://java.sun.com/j2se/1.3/docs/tooldocs/win32/jarsigner.html.

1. Compile the applet.
2. Create a JAR file.
3. Generate the keys.

   For example, enter the following command and respond to the prompts:

   keytool -genkey -keyalg rsa -alias tstkey
    
        Enter keystore password: *******
   
        What is your first and last name?[Unknown]: Your Name
   
        What is the name of your organizational unit?[Unknown]: ICEsoft 
   
        What is the name of your organization?[Unknown]: ICEsoft
   
        What is the name of your City or Locality?[Unknown]: Calgary
   
        What is the name of your State or Province?[Unknown]:AB
   
        What is the two-letter country code for this unit?[Unknown]:CA
   
        Is CN=Your Name, OU=ICEsoft, O=ICEsoft, L=Calgary, ST=AB, C=CA
   
           correct?[no]:yes
    
       (wait...)
    
       Enter key password for tstkey(RETURN if same as keystore password):
   
        (press [enter])
    
   

4. Sign the JAR file.

   For example, enter and respond to the following command:

   jarsigner  tst.jar tstkey
   
        Enter Passphrase for keystore: *******
    
   

5. Export the Public Key Certificate.

   For example, enter and respond to the following command:

   keytool -export -alias tstkey -file tstcert.crt
    
       Enter keystore password: *******
   
       Certificate stored in file tstcert.crt
    
   

Copyright 2005. ICEsoft Technologies, Inc. http://www.icesoft.com