(Updated May 29, 2014.)
To run Java Applets in your browser, you need the Java plugin, which is a
Note: You should always run the most recent stable Java version, and allow it to
"Check for Updates Automatically".
When Java pops up a window on your computer asking if you want to update, always choose "yes".
Traditionally, Java applets ran in the browser with
An unsigned applet was blocked from doing anything risky on your computer, such as accessing your hard
drive. This worked pretty well for many years. Recently a number of security vulnerabilities
have called into question Oracle's ability to keep the sandbox safe.
Oracle's response, starting with Java 7 Update 51 (7u51), was to require all Java applets to be
This effectively broke most Java applets on the internet, including mine.
Acquiring a code-signing certificate is expensive, and the process of
getting verified is unpleasant and intrusive.
I finally broke down and purchased a code-signing certificate from
(the cheapest deal I could find).
The Certifying Authority (CA) is Comodo
Getting verified for the certificate took about a month and cost me almost $100 USD
for notary fees, shipping costs, etc., in addition to the base cost of about $200
for a 3-year certificate.
It is helpful to find a notary who is very
I began signing my applets around May 28, 2014.
The certifying authority (Comodo, in my case) doesn't guarantee that a signed applet is safe.
It just guarantees that the signer is a real person who can be tracked down.
My digital signature
demonstrates that the applet was written by me,
and also ensures that the applet was not modified by someone hacking my web site and replacing the
applet with something malicious.
As far as I can see, there are
only two permission levels
for a signed applet:
"sandbox" and "all-permissions".
Here is the security prompt for an applet with sandbox permissions (in Java 1.7.0_55):
The phrase "This application will run with limited access" indicates that it
has sandbox permissions.
An application with "all-permissions" would have a phrase
like "This application will run with unrestricted access which may put your computer
and personal information at risk. Run this application only if you trust the location
As of May 29, 2014, all my applets have sandbox permissions.
However my HyperCube V2
a 3rd party
package that needs all-permissions. So if you run that applet, you
will see the "unrestricted access" prompt for JOGL,
in addition to the "limited access" prompt for my code.
Now that I have a code-signing certificate, I plan on writing some applets that use
additional functionality beyond what is allowed by the sandbox --
things like allowing the user to open a file, work on it, then save it.
Also, I have had requests, such as for the ability to save a 3D graphics file from the
applet, that I am now able to address,
as time permits.
The Java Control Panel
The Java Control panel lets you configure Java -- its cache ("temporary internet files"),
automatic updates, security level, certificates, Java versions,
visiblity of the Java Console, etc.
My Java Control Panel looks like this (on May 30, 2014):
How you open the Java Control Panel depends on your operating system.
On Windows 8, I open it from the Windows Control Panel (click Programs then Java).
If you don't know how to find it, ask Google
Java problems can sometimes be cured by deleting all the "temporary internet files".
Check the "Check for Updates Automatically" checkbox.
You can see what Java version(s) you have installed.
I have my Security Level at "High".
the Java Console!
My "Advanced"settings (as of May 30, 2014):
The Java Console
The Java Console is a pop-up window launched by the Java Plugin.
It displays diagnostic information about an applet that is running in the browser.
You will not see the Java Console window unless you have enabled it in the Java Control Panel (on the
"Advanced" tab, as mentioned above). I always keep it enabled.
If it is enabled, it will pop up (possibly behind another window), as soon as a Java applet is launched.
In my present version of Firefox, if I close the Java Console window, there is no way to get it back (as far as I know),
without closing the browser and starting over.
The Java Console looks like this when I run my
Animated Necker Cube
It shows the Java version,
followed by a list of single-key commands that are available in the Console,
followed by diagnostic output from the applet.
If the applet gets an error, there will usually be detailed error information which can be
copied and pasted into an email to the applet author.
If an applet isn't running right, you should always check the Java Console.
More About Code Signing
An partial explanation of how code signing works:
A more detailed explanation:
Ordering of the Comodo certificate is done by web form. A public/private key pair is generated at the time of ordering.
The private key is stored by the browser, in the Certificate Manager.
I'm guessing it is a good idea to set a "Master Password" for the "Software Security Device",
in your brower, before initiating the order.
The public key was sent to Comodo but hopefully not the private key.
Nobody but me is supposed to get their hands on the private key.
Once I passed Comodo's verification process, they used my public key to generate the certificate.
When I signed on to their web site to pick up the certificate, it was installed in my
browser's Certificate Manager. I was able to go into the Certificate Manager
and back up the certificate as a PKCS12
(with ".p12" file extension).
When I prepare an applet for its web page, I use the Java "jar" tool (part of the Java runtime installation)
to bundle the Java ".class" files (bytecodes) up into a "jar" (Java archive)
file. On the command line for the "jar" tool,
I supply the name of a text file that has a few attributes such as the following:
Application-Name: Stereoscopic Animated Hyperspace Objects
These are incorporated into the MANIFEST.MF file, contained in the jar file.
Then I use Java "jarsigner" tool with the "-storetype pkcs12"
option to sign the jar file with the ".p12" digital certificate file.
-- End --
<Dogfeathers Home Page>
<Mark's Home Page>
<Mark's Java Stuff>
This page URL: http://dogfeathers.com/java/aboutjava.html