How to Bypass Security Popup with Signed JAR files
We are running a third party Java application for our main navigation menu. We use IE 6, and currently we use the Microsoft VM. To get around any problems, I have signed the CAB file for the menu and I have automatically added myself as a Trusted Publisher in IE, and the root CA that I got the certificate from is also already trusted. These two things need to be in place in order to prevent everyone who opens the browser from getting a popup asking if they trust me to sign the nav menu, and this process works.
Now we are moving to JRE 1.4.2_08, and the Microsoft VM is going to be out of the picture. I have signed the JAR file that is also associated with the nav menu, and the JRE uses it, and I get the popup from the JRE asking if I am a trusted publisher.
I need to know how I can force all users in my environment to trust the certificate, which will hopefully prevent the popup from showing up when they start their browsers.
One of the ways we were looking at to do this was to copy a keystore out to each user that already contained the certificate used to sign the nav menu, which hopefully would bypass the popup.
A second way was to run a logon script that would execute the keystore import for each user when they logged into their PCs.
I'm not sure if either of these would work, or if they are totally unacceptable solutions, which is why I am asking this forum. Any help will be appreciated. Thanks in advance.
[1472 byte] By [spicoli7a] at [2007-10-1 23:01:29]

IE security can be adjusted with a cab file on the Intranet.
Sun jre is an ActiveX control or a netscape plugin that has nothing to do with the browser.
Luckily you can configure the jre as well by providing policy (and optionally a keystore) on the Intranet.
You have to change the default jre installation by changing the msi file or log in scripts:
Java security configuration (according to me):
1. Signing, good for Internet published applets. The user will be asked if he or she trusts the applet and when yes or always is clicked the applet can do whatever it wants. This is the default setting of the SUN jre and can be compared with IE setting that asks the user about downloading and running ActiveX controls from the Internet security zone.
2. Setting up a policy. Good for people who disabled asking the user about signed applets (like companies that are worried this could cause a problem). It is possible to provide multiple java.policy files in the java.security, a company could put a .policy file on the Intranet and have all jre's use this by adding this URL to the java.security. When a policy needs to be changed the admin only has to do this in the file on the Intranet.
A specific user can have a policy in their user.home to set up personal policies (to be done by Administrators).
A policy file can use a keystore to be used in a signed by policy. For example "applets that are signed by SUN can access some files on my machine". It can also be used to identify yourself, when making an SSL connection the keystore can be used as the source of your public key.
http://forum.java.sun.com/thread.jsp?forum=63&thread=409341
4th post explaining how to set up your own policy with your own keystore
using authentication
http://forum.java.sun.com/thread.jspa?threadID=614462&tstart=0
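The setup described in the answer above (a central policy file referenced from java.security, with a keystore and a signed-by grant), as an added example that is not part of the original thread. The host intranet.example, the alias navmenu, the file names and the permissions listed are assumptions for illustration; the permissions in particular must be replaced with what the applet actually needs.

```conf
// ---------------------------------------------------------------
// Step 1 (in each client's <java.home>/lib/security/java.security):
// add the Intranet policy after the two default entries. The
// numbers must be consecutive or later entries are ignored.
//
//   policy.url.1=file:${java.home}/lib/security/java.policy
//   policy.url.2=file:${user.home}/.java.policy
//   policy.url.3=http://intranet.example/java/company.policy
//
// Step 2: the file served at that URL (everything below).
// ---------------------------------------------------------------

// Keystore holding only the public certificate used to sign the
// nav menu JAR, stored under the alias "navmenu" (assumed name).
// No private key belongs in this file; it is world-readable.
keystore "http://intranet.example/java/company.keystore", "JKS";

// Tell Java Plug-in to decide from policy instead of prompting.
// With this permission present, a signed applet gets only what
// the policy grants; the trust dialog is not shown.
grant {
    permission java.lang.RuntimePermission "usePolicy";
};

// Grant to the nav menu only: it must be signed by "navmenu" AND
// loaded from the expected location. The trailing "/-" matches
// all files under that directory, recursively.
grant signedBy "navmenu", codeBase "http://intranet.example/nav/-" {
    // Illustrative least-privilege set, not java.security.AllPermission.
    permission java.net.SocketPermission "intranet.example:80", "connect,resolve";
    permission java.util.PropertyPermission "user.name", "read";
};
```

Because clients fetch both files over plain HTTP in this sketch, the web server path that hosts them should be writable only by administrators; anyone who can change the policy or keystore controls what signed applets may do on every desktop.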