This tutorial explains necessary steps to sign a Java applet, either by using a self-signed certificate (self-signing) or by using a trusted certificate issued by a certificate authority like VeriSign or Thawte. Signing a Java applet is not difficult task, and it should be done correctly. First, let’s take a look why sometimes we need to have a Java applet signed.

Why need to sign Java applet

When running inside web browser, Java applets are living in a restricted environment so called “sandbox” – which prevents the applets from accessing system resources and devices such as files, network connections, printers, cameras, microphones, etc – without user-granted permission. This tight security is designed to make users safe from malicious code which always tries to execute automatically without user’s intervention.

The following picture illustrates how such restriction is applied for unsigned applet and signed applet within the sandbox:

java applet sandbox

To access system resources and devices, the applet must be signed with a digital certificate which is issued by a trusted Certificate Authority (CA). Thus the user can trust this applet and grant permission.

For example, you are developing applets that read/write files system, capture video from camera, or record audio from microphone… then you must sign your applets, definitely.

Though there is another way to grant permission for applets through the usage of .java.policy file, but this method is for development only. It’s not suitable for deploying applets on production environment because it requires the user manually put the .java.policy file on their computer. Thus signing the applet is the convenient way.

Download this file ([Sample applet with self-signing script]2 kB