Last Updated on 17 February 2013
This tutorial explains the steps necessary to sign a Java applet, either by using a self-signed certificate (self-signing) or by using a trusted certificate issued by a certificate authority like VeriSign or Thawte. Signing a Java applet is not a difficult task, but it should be done correctly. First, let’s take a look at why we sometimes need to have a Java applet signed.
Why a Java applet needs to be signed
When running inside a web browser, Java applets live in a restricted environment, the so-called “sandbox”, which prevents them from accessing system resources and devices such as files, network connections, printers, cameras, microphones, etc. without user-granted permission. This tight security is designed to keep users safe from malicious code, which always tries to execute automatically without the user’s intervention.
The following picture illustrates how this restriction is applied to an unsigned applet and a signed applet within the sandbox:
To access system resources and devices, the applet must be signed with a digital certificate which is issued by a trusted Certificate Authority (CA). Thus the user can trust this applet and grant permission.
For example, if you are developing applets that read from or write to the file system, capture video from a camera, or record audio from a microphone, then you must definitely sign your applets.
There is another way to grant permissions to applets, through the use of a .java.policy file, but this method is for development only. It is not suitable for deploying applets in a production environment because it requires the user to manually put the .java.policy file on their computer. Signing the applet is therefore the convenient way.