Applet ClassNotFoundException after signing jar with certified key and all-permissions

Question

I have Java7 update 45. I am testing a small test applet packaged in a jar file that I am trying to load via an HTML page as:

<html>
 <body>
  <applet code="SmallApplet" archive="appTable89Signed.jar" codebase="." width=500 height=500>
    <param name="permissions" value="all-permissions" />
  </applet>
 </body>
</html>

The jar file manifest has the Permission attribute and its value is "all-permissions". When I sign the jar file with a certified key, I get the ClassNotFoundException . Looking at tomcat access log as well as out from Java Console, I see the SmallApplet class is being loaded from the web application URL.

network: Connecting http://xxxxxx:8085/testappletsigning/SmallApplet.class with proxy=DIRECT

Followed by the exception

java.lang.ClassNotFoundException: SmallApplet
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
basic: load: class SmallApplet not found

If I use a self-signed and import it as a trusted certificate then the exception disappears.

The only way I can use a certified key to sign a jar, appears to be by using "sandbox" permissions both in the jar manifest and the applet tag.

Is there an explanation for this behavior?

Answer 1

OP- I had a similar issue with a .jar that had a signature in it. Over the last few months java security has become a major PITA with everything needing to be exactly right. In my case I had number of .jar files, some had signatures in them, others didn't. I created a code signing cert for my domain, then wrote a .bat file to strip out the META-INF folder (which contains the manifest file and signatures for the .class files), re-jar the files then sign them. Mine would not work unless I added the lines below (using jar umf change.txt, change.txt being the five lines I have listed below)

The first thing (which you have probably already tested, but I will say it anyway) is that you will need to trust the cert.

But I think your problem is that you need to add additional lines to the manifest file (before you sign it!). I added these lines to my manifest, signed it using jarsigner and then it worked fine.

Codebase: *
Permissions: all-permissions
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Application-Name: <my app name>

I'm not a Java programmer, so I'm not completely 100% sure why each is needed. But from what I can tell, Java security knows where you called the .jar file from, and if there is a class outside that it won't call it because it exists outside the .jar. By adding the codebase parameters, it says trust anything. You can change it to a specific web address (such as http/https://) to lock it down more specifically.

Hope this helps.

Answer 2

I had a similar issue when switching from one code signing certificate to another one from a different CA. I signed the exact same jar with the new certificate and when loading the Applet I got a ClassNotFoundException .

The Manifest contained the following security related attributes:

Application-Name: <app name>
Permissions: all-permissions
Codebase: *

I finally got it to work after I added the following attribute:

Trusted-Library: true