Java Notes

I've been programming in Java since 1996, mostly for fun but occasionally for my job. I have written a number of Java applets, which can be found here.

Note: You should always run the most recent stable Java version, and allow it to "Check for Updates Automatically". When Java pops up a window on your computer asking if you want to update, always choose "yes".

Oracle's response, starting with Java 7 Update 51 (7u51), was to require all Java applets to be digitally signed. This effectively broke most Java applets on the internet, including mine. Acquiring a code-signing certificate is expensive, and the process of getting verified is unpleasant and intrusive.

I finally broke down and purchased a code-signing certificate from Tucows (the cheapest deal I could find). The Certifying Authority (CA) is Comodo. Getting verified for the certificate took about a month and cost me almost $100 USD for notary fees, shipping costs, etc., in addition to the base cost of about $200 for a 3-year certificate. It is helpful to find a notary who is very patient. I began signing my applets around May 28, 2014.

The certifying authority (Comodo, in my case) doesn't guarantee that a signed applet is safe. It just guarantees that the signer is a real person who can be tracked down. My digital signature demonstrates that the applet was written by me, and also ensures that the applet was not modified by someone hacking my web site and replacing the applet with something malicious.

As far as I can see, there are only two permission levels for a signed applet: "sandbox" and "all-permissions". Here is the security prompt for an applet with sandbox permissions (in Java 1.7.0_55):

The phrase "This application will run with limited access" indicates that it has sandbox permissions.

An application with "all-permissions" would have a phrase like "This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the location and publisher...".

As of May 29, 2014, all my applets have sandbox permissions. However my HyperCube V2 applet uses JOGL, a 3rd party package that needs all-permissions. So if you run that applet, you will see the "unrestricted access" prompt for JOGL, in addition to the "limited access" prompt for my code.

Now that I have a code-signing certificate, I plan on writing some applets that use additional functionality beyond what is allowed by the sandbox -- things like allowing the user to open a file, work on it, then save it. Also, I have had requests, such as for the ability to save a 3D graphics file from the HyperStar applet, that I am now able to address, as time permits.

My Java Control Panel looks like this (on May 30, 2014):

How you open the Java Control Panel depends on your operating system. On Windows 8, I open it from the Windows Control Panel (click Programs then Java). If you don't know how to find it, ask Google.

You will not see the Java Console window unless you have enabled it in the Java Control Panel (on the "Advanced" tab, as mentioned above). I always keep it enabled. If it is enabled, it will pop up (possibly behind another window), as soon as a Java applet is launched. In my present version of Firefox, if I close the Java Console window, there is no way to get it back (as far as I know), without closing the browser and starting over.

The Java Console looks like this when I run my Animated Necker Cube applet:

It shows the Java version, followed by a list of single-key commands that are available in the Console, followed by diagnostic output from the applet. If the applet gets an error, there will usually be detailed error information which can be copied and pasted into an email to the applet author. If an applet isn't running right, you should always check the Java Console.

Ordering of the Comodo certificate is done by web form. A public/private key pair is generated at the time of ordering. The private key is stored by the browser, in the Certificate Manager. I'm guessing it is a good idea to set a "Master Password" for the "Software Security Device", in your brower, before initiating the order. The public key was sent to Comodo but hopefully not the private key. Nobody but me is supposed to get their hands on the private key.

Once I passed Comodo's verification process, they used my public key to generate the certificate. When I signed on to their web site to pick up the certificate, it was installed in my browser's Certificate Manager. I was able to go into the Certificate Manager and back up the certificate as a PKCS12 file (with ".p12" file extension).

When I prepare an applet for its web page, I use the Java "jar" tool (part of the Java runtime installation) to bundle the Java ".class" files (bytecodes) up into a "jar" (Java archive) file. On the command line for the "jar" tool, I supply the name of a text file that has a few attributes such as the following:

Main-Class: HyprCube
Application-Name: Stereoscopic Animated Hyperspace Objects
Permissions: sandbox
Codebase: *.dogfeathers.com

Then I use Java "jarsigner" tool with the "-storetype pkcs12" option to sign the jar file with the ".p12" digital certificate file.