Why signing an applet? By default, a Java applet is running inside a restricted environment called sandbox.

The sandbox isolates the applet outside the browser environment and users computer, preventing maliciously coded applets from running without users granted permission. Applets are considered to be untrusted if they are not signed with a security certificate. Untrusted applets are also referred to as unsigned applets. Being inside the security sandbox, unsigned applets are limited to execute only a set of safe operations. The following operations that unsigned applets are prevented from executing:

Accessing the local file system, executable files, system clipboard, and printers on clients computer. Connecting to any server other than the server where they are hosted. Loading native libraries. Altering the SecurityManager. Creating a ClassLoader. Reading some of system properties.

So if you wish to write an applet that needs to do some of the above operations, you need to sign your applet using a security certificate. For example, you write an applet that reads local file system, enumerates printers or uploads files via FTP A signed applet can only run outside the security sandbox if the user grants permission by accepting the applets security certificate. If the user denies, the applet will run within the security sandbox as an unsigned applet. There is another way to give permissions to applets, it is the applets policy file. However, the policy file approach is not convenience for end users since it requires users intervention to manually store the file on their computer in the right location. The policy file is suitable for development and testing purpose only. Requirement To sign an applet, you need to have:

A signing tool. The Java SDK provides a tool called jarsigner. The tool is located at your_java_home_folder\bin directory. An RSA keypair of public key and private key. The Java SDK provides a tool called keytool to generate the keypair. The applet and all its class files, bundled as a JAR file.

Getting RSA Certificates

You can purchase for RSA certificates from a Certificate Authority (CA), such as VeriSign and Thawte. To obtain a certificate from a CA, you need to provide the certificate signing request (CSR). The steps are as follow:

Use keytool to generate an RSA keypair. Use keytool to generate the certification signing request, then submit the CSR to the CA. The CA will send you a certificate reply (chain) by email. Import the chain into your keystore. Use jarsigner to sign applets JAR file.

You should follow all the steps above to get your certificate validated by the CA. However, for the simplicity of testing purpose, you can skip the second and third steps. That means the certificate generated by the keytool can be used to sign the applet without validation from the CA, as long as the user accepts the security certificate signed for the applet. This article will guide you with the first and last steps. For full steps, refer to the reference links at the end of this article. The syntax to generate a keypair is as follow:
keytool -genkey -alias <alias_name> -keystore <keystore_name> -keypass <key_pass> -dname <distinguished name> -storepass <store_pass> -validity <days_will_expired>

For example:
keytool -genkey -alias signFiles -keystore compstore -keypass kpi_100626 dname "CN=MyApplet" -storepass a8b6c5 -validity 1825

will generate a keypair with an alias signFiles, the key pair is stored in a file named compstore with a password a8b6c5, password for the key is kpi_100626, distinguished name is CN=MyApplet means the certificate represents for an entity named MyApplet, and the validity of the certificate is up to 5 years (1825 days). After the command is executed, a file compstore is created and it contains your certificate information. Bundling Java Applets as JAR Files To use jarsigner to sign applets with RSA certificates, the applets must be bundled as JAR files. The Jar tool (command jar ...), which comes with the Java 2 SDK, can be used for that

purpose. For example, to create a JAR file MyApplet.jar containing all the files under the current directory and its sub-directories:
jar cvf MyApplet.jar

After the JAR file is created, you should verify its content using the jar tool again, for example:
jar tvf MyApplet.jar

This ensures that the class files are stored with the proper path within the JAR file.

Signing Java applet The syntax to sign the applets JAR file is as follow:

jarsigner -keystore <keystore_name> -storepass <store_pass> -keypass <key_pass> -signedjar <signed_jar_file_path> <original_jar_file_path> <alias_name>

The following command will sign the MyApplet.jar file with the certificate stored in compstore file:

jarsigner -keystore compstore -storepass a8b6c5 -keypass kpi_100626 signedjar SMyApplet.jar MyApplet.jar signFiles

The command outputs a signed jar file named SMyApplet.jar. Your applet has been signed and you are now ready to deploy it on your server. When a signed applet is loaded in a browser for the first time, a security dialog says that the applets certificate is not validated and asks you to accept or deny. Once you accepted the certificate, your applet is able to do the restricted operations which are not allowed for normal applets.

Figure: The security dialog appears when a signed applet is loading for the first time and needs users acceptance.

Signing reference libraries If your applet is using external libraries, you need to sign all of them as well. Otherwise, the code of the external libraries is considered as untrusted.

References

What Applets Can and Cannot Do: http://download.oracle.com/javase/tu.../security.html How to Sign Applets Using RSA-Signed Certificates: http://download.oracle.com/javase/1....a_signing.html

http://docs.oracle.com/javase/tutorial/security/apisign/gensig.html

http://www.developer.com/java/other/article.php/3303561/Creating-a-Trusted-Applet-with-Local-FileSystem-Access-Rights.htm