can I check if a Java applet certificate is trusted before running my applet?_问答_开发者

can I check if a Java applet certificate is trusted before running my applet?

开发者 https://www.devze.com 2023-03-02 17:12 出处：网络

I have a signed applet on a website.Because of this, the Java security dialog appears, and the user needs to grant permission to the applet before it can do it\'s work.What I want to do is this:

I have a signed applet on a website. Because of this, the Java security dialog appears, and the user needs to grant permission to the applet before it can do it's work. What I want to do is this:

I want the website to explain the security dialog box to the user before it comes up. The page will show some explanation text in a div, and after a few seconds, the security dialog will appear.
If the user already allowed the certificate in a previous session, it should just run the applet without any extra dialog.

The problem is that the security dialog appears as soon as the applet is embe开发者_JAVA技巧dded in the page. I can delay embedding, but there's no way to check it's permissions from the applet itself, since it needs to do it before it's loaded.

Perhaps I could load a second, normal applet that runs invisibly, and checks the permissions. But how would I go about doing that? Are there any Java classes that can check if a certificate has been trusted by the client?

Thanks.

You can check the certificate and signature of a JAR file programmaticly, just as the JVM would when loading the applet. It's not gonna be easy, but, at least at first glance, you're going to have to do this:

Use a hidden applet to download your JARs and verify their certificates, like the applet viewer would. You can do this manually using the java.security.cert package. The best way to figure out how to do that was the JarSigner source code, especially the verifyJar(). Something like:

// download the JAR
URL url = new URL("jar:http://mywebsite.com/myjar.jar!/");
JarURLConnection jarConnection = (JarURLConnection)url.openConnection();
// get the certificates and other security stuff
CodeSigners[] codeSigners = jarConnection.getJarEntry().getCodeSigners();
Certificate[] certificates = jarConnection.getJarEntry().getCertificates();
// verify the signatures
// don't know the code, but you can analyze JarSigner example at http://download.oracle.com/javase/tutorial/security/toolfilex/rstep2.html

Use LiveConnect (maybe something else?) to set a cookie so you know "if the user already allowed the certificate in a previous session".
Launch your applet, possibly depending on the results of (1) stores in cookies created in (2).

I haven't give this that much thought, so there might be a better way. Good luck, and post back!