How do Java plugin and browser validate applet's certificate in intranet?

java security applet certificate intranet
ezze picture ezze · Nov 9, 2013 · Viewed 8.4k times · Source

I need to install our website using Java applet in intranet. This will run under Apache and contains all applet's JNLP- and JAR-files required for deployment. In contrast to this question my Java applet is signed by Thawte certificate.

The main question is the following: will Java applet signed by trusted certificate start on client computer in intranet?

I can't answer my own question due to I don't know how certificate is being verified before applet starts. I found this article that explains certificate's revocation options but I'm not sure whether revocation check is the same as certificate's verification on very first applet start.

I carried out the test by disabling Internet connection on client computer and set up a wired connection to local server. I'm also not sure whether such test is clean because my client computer ran this signed applet before when it was connected to Internet. Anyway, before testing I went to Java Control Panel > Security > Manage Certificates and removed the certificate from Trusted Certificates. When I open a page with applet each time I get Security Warning dialog:

Do you want to run this application?

Running this application may be a security risk

Risk: This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source

Unable to ensure the certificate used to identify this application has not been revoked

Accepting the risk adds the certificate to trusted certificates list in Java Control Panel. Does it mean that Java or/and web browser recognize the certificate by themselves?

Setting Perform certificate revocation checks on option to Do not check (not recommended) in Java Control Panel on client computer gives the desired result - user will be prompted of starting signed applet as usual and can disable such messages in the future. Is setting this option enough to run the applet in intranet?

Answer

Amin Mozafari picture Amin Mozafari · Jan 28, 2014

The answer is yes but turning off revocation checking presents a security risk to your clients. It is only advisable if the machines running your applet are situated in a managed network, like a company network, and have no internet connection. Remember that revocation checking is a global option and cannot be set per applet or domain. You may also have a look at this thread.

Related questions

Java Error: "Your security settings have blocked a local application from running"

I'm trying to run this simple HelloWorld code written in Java from my browser (Chrome): public class HelloWorld extends JApplet { public void init() { try { SwingUtilities.invokeAndWait(new Runnable() { public void run() { JLabel lbl = new JLabel("Hello World"); add(lbl); } }); } catch (…

Read More
Run local java applet in browser (chrome/firefox) "Your security settings have blocked a local application from running"

I'm trying to run a Java Applet (html file), but the browser keeps saying: "Your security settings have blocked a local application from running" I have tried using Chrome and Firefox but i get the same error. I have upgraded …

Read More
access denied (java.net.SocketPermission 127.0.0.1:8080 connect,resolve)

I have a Java Applet inserted on a simple HTML page located at http://localhost:8080/index.html: <applet id="applet" code="SomeCode.class" archive="lib.jar" Width="1" Height="1"></applet> The Java Applet has a method that …

Read More