Signed jar files

Signed jar files
The policy file technique does not apply to Web browsers. Before you can execute FileIO in a Web browser, you first store that applet's classfiles in a jar file and digitally sign that jar file.

Signing a jar file requires a certificate. Although you can purchase a certificate when you want to distribute an applet commercially, I will show you how to create a free self-signed certificate (which you only use for testing). Complete the following steps to create a jar file, to create a self-signed certificate, and to sign that jar file with the certificate:

1. Create the jar file: Execute jar cvf FileIO.jar *.class. You end up with a FileIO.jar jar file.
3. Create a new key in a new keystore: Execute keytool -genkey -keystore myKeyStore -alias me. Alias "me" is arbitrary. It reminds you that the certificate based on the keystore is self-signed so you don't accidentally put it into production.

   The keytool prompts you for information about the new key: It asks you for a password to protect the keystore. Then it asks you for your name, department, organization, city, region, and country. This information will go into the new keystore file—myKeyStore, in this example.

4. Create a self-signed test certificate based on the keystore: Execute keytool -selfcert -alias me -keystore myKeyStore. Enter the keystore password when prompted.
6. Sign the jar file with the testing certificate: Execute jarsigner -keystore myKeyStore FileIO.jar me. Enter the keystore password when prompted.

   The jarsigner program updates the jar file's META-INF directory to contain certificate information and digital signatures for each entry in the archive. If all goes well, you end up with a signed FileIO.jar file.

Note
I recommend studying the tools documentation section of the J2SE documentation to learn more about jar, keytool, and jarsigner.

Before executing the applet in a Web browser via the signed jar file, create an appropriate HTML file whose <applet> tag includes an archive attribute identifying the jar file. Listing 4's FileIO2.html should do nicely.

Listing 4. FileIO2.html

<applet archive=FileIO.jar code=FileIO.class width=250 height=250>
</applet>

It's time to execute the applet. Assuming FileIO.jar and FileIO2.html are located in the c:/temp directory on a Windows machine, start the Web browser and enter c:/temp/FileIO2.html into that browser's address bar. After a few moments, a dialog box should appear. That dialog box, as shown in Figure 2, presents a security warning and asks you to grant permission to run the applet.

Figure 2. The Java Security Warning dialog box identifies a signed applet. Click on thumbnail to view full-sized image.

Click either the Grant This Session button or the Grant Always button to proceed. If you're curious, click the View Certificate button to view the details of the self-signed certificate that you previously created. Figure 3 shows the applet embedded in the Firefox browser.

Figure 3. The Web browser alternative to running FileIO in appletviewer

Review
Get ready for a journey into my world of Java-based entertainment. Each installment of Java Fun and Games focuses on a specific topic that I've found to be entertaining, and presents one or more Java programs I created while exploring that topic. Those programs take the form of applets. Some of the applets will need to access the filesystem (to read/save game stats, for example). Because filesystem access is forbidden by the JVM's security manager, policy files and signed jar files are required to circumvent security concerns. Use policy files to run file-access applets with appletviewer. But to run them in a Web browser, used signed jar files.