Java Applet Constantly Asks for Authentication

Question

With have a ADF application on Weblogic 10 that has occasional access to a Java applet. The Java applet is loaded whenever it's needed and not loaded whenever it isn't. The applet is currently in the public_html/applet folder.

When we set the SSL configuration to requiring a client certificate, when the Java applet loads, it'll constantly ask for a client certificate:

Request Authentication Identification required. Please select certificate to be used for authentication.

This is annoying to users and the Java Applet doesn't need authentication. Is there any way we can disable the authentication or remove the prompt?

Here's the embedded applet code:

Edit: Things I've already tried:

1) Setting the Applet up on HTTP instead of HTTPS; I get a warning about mixed content and still get the authentication pop-up.

2) Created a minimal applet that only types out "HELLO WORLD" in the console, still get the authentication pop-up

Here's the console window:

Java Plug-in 1.6.0_35
Using JRE version 1.6.0_35-b10 Java HotSpot(TM) Client VM
User home directory = C:\Users\mfan

security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@1df073d
basic: Plugin2ClassLoader.addURL parent called for https://192.168.130.99/app/applet/HelloWorld.jar
network: Cache entry not found [url: https://192.168.130.99/app/applet/HelloWorld.jar, version: null]

network: Connecting https://192.168.130.99/app/applet/HelloWorld.jar with proxy=DIRECT
network: Connecting http://192.168.130.99:443/ with proxy=DIRECT
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loaded SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loaded Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment session certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: KeyUsage does not allow digital signatures
(and here's where the prompt comes up).

Answer 1

You said that your applet not requires client authentication so you can put your applet jars on http location. Then you have to specify the codebase parameter to this http location. For example if you put your jar as a resource on

http://public.test/somewhere/myApplet.jar

you can specify:

 codebase = http://public.test/somewhere/ archive = myApplet.jar 

However I think that this is probably a configuration issue, you can configure your web server to request a client certificate authentication optionally an not required on applet location.

Hope this helps,

EDIT:

You can put your webLogic behind a proxy (like apache http server), an configure proxy to require the client certificate only in a specific location. A configuration sample for apache http server case looks like:

 ## ## SSL Virtual Host Context ## <VirtualHost myHost:443> SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile conf/server.crt SSLCertificateKeyFile conf/server.key SSLVerifyClient none SSLVerifyDepth 10 SSLOptions +StdEnvVars +ExportCertData JkMount /myWeb loadBalancer JkMount /myWeb/* loadBalancer <Location /myWeb/login/certificateLoginLocation> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCACertificateFile conf/trustedCA.cer SSLVerifyClient optional SSLVerifyDepth 10 SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate RewriteEngine on RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$ RewriteRule .* http://myHost/myWeb/accesForbbiden.htm </Location> </VirtualHost> 

Answer 2

well, i not sure about weblogic, i am using jboss and i know that there is no way to do this.

so what we did is install an apache in front, served as reverse proxy

and the configuration look

Listen vgw_mgmt:443
<VirtualHost vgw_mgmt:443>
    DocumentRoot /srv/www/
    SSLEngine on
    SSLCipherSuite HIGH
    SSLProtocol all -SSLv2
    SSLOptions +ExportCertData +StdEnvVars
    SSLCertificateFile /etc/httpd/ssl/server-mgmt.pem
    SSLCertificateKeyFile /etc/httpd/ssl/server-mgmt.key
    SSLVerifyDepth 3
    SSLCACertificateFile /etc/httpd/ssl/trustedca-mgmt.pem
    SSLVerifyClient none    

    ProxyPass /webmgr/   ajp://webapps:8009/webmgr/

    <Location /webmgr/>
    SSLVerifyClient optional
    </Location>

    <Location /webmgr/javascript/>
    SSLVerifyClient none
    </Location>

</VirtualHost>

so, whenever user hit https : // pro xy /webmgr/ , client authentication is prompt (the reason we use "optional" instead of "required", is because we want to display nice error page tell customer you need to provide cert to login)

and, my applet stored inside /webmgr/javascript/applet.jar

so when applet load

<applet archive="applet.jar" codebase="/webmgr/javascript/" name="jsapplet" id="jsapplet" code="myapps.mylittleprogram" height="1" width="1"></applet> 

it will skipped the client authentication.

Answer 3

由于我们的应用程序位于http和https上，因此我只将存档设置为http：//，现在可以正常工作了。