Java Notes

(Updated May 29, 2014.)

General Remarks

The Java programming language was first released in 1995 by Sun Microsystems. Sun was acquired by Oracle in 2010. Java source code compiles into bytecodes that will run on a large number of operating systems including Windows, Macintosh, Linux and Unix.

I've been programming in Java since 1996, mostly for fun but occasionally for my job. I have written a number of Java applets, which can be found here.

Java Plugin

To run Java Applets in your browser, you need the Java plugin, which is a free download.

Note: You should always run the most recent stable Java version, and allow it to "Check for Updates Automatically". When Java pops up a window on your computer asking if you want to update, always choose "yes".

Java Security

Traditionally, Java applets ran in the browser with sandbox permissions. An unsigned applet was blocked from doing anything risky on your computer, such as accessing your hard drive. This worked pretty well for many years. Recently a number of security vulnerabilities (like this) have called into question Oracle's ability to keep the sandbox safe.

Oracle's response, starting with Java 7 Update 51 (7u51), was to require all Java applets to be digitally signed. This effectively broke most Java applets on the internet, including mine. Acquiring a code-signing certificate is expensive, and the process of getting verified is unpleasant and intrusive.

I finally broke down and purchased a code-signing certificate from Tucows (the cheapest deal I could find). The Certifying Authority (CA) is Comodo. Getting verified for the certificate took about a month and cost me almost $100 USD for notary fees, shipping costs, etc., in addition to the base cost of about $200 for a 3-year certificate. It is helpful to find a notary who is very patient. I began signing my applets around May 28, 2014.

The certifying authority (Comodo, in my case) doesn't guarantee that a signed applet is safe. It just guarantees that the signer is a real person who can be tracked down. My digital signature demonstrates that the applet was written by me, and also ensures that the applet was not modified by someone hacking my web site and replacing the applet with something malicious.

As far as I can see, there are only two permission levels for a signed applet: "sandbox" and "all-permissions". Here is the security prompt for an applet with sandbox permissions (in Java 1.7.0_55):

[Image: security alert]

The phrase "This application will run with limited access" indicates that it has sandbox permissions.

An application with "all-permissions" would have a phrase like "This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the location and publisher...".

As of May 29, 2014, all my applets have sandbox permissions. However my HyperCube V2 applet uses JOGL, a 3rd party package that needs all-permissions. So if you run that applet, you will see the "unrestricted access" prompt for JOGL, in addition to the "limited access" prompt for my code.

Now that I have a code-signing certificate, I plan on writing some applets that use additional functionality beyond what is allowed by the sandbox -- things like allowing the user to open a file, work on it, then save it. Also, I have had requests, such as for the ability to save a 3D graphics file from the HyperStar applet, that I am now able to address, as time permits.

The Java Control Panel

The Java Control Panel lets you configure Java -- its cache ("temporary internet files"), automatic updates, security level, certificates, Java versions, visibility of the Java Console, etc.

My Java Control Panel looks like this (on May 30, 2014):

[Image: Java Control Panel]

How you open the Java Control Panel depends on your operating system. On Windows 8, I open it from the Windows Control Panel (click Programs then Java). If you don't know how to find it, ask Google.

General tab:
Java problems can sometimes be cured by deleting all the "temporary internet files".

Update tab:
Check the "Check for Updates Automatically" checkbox.

Java tab:
You can see what Java version(s) you have installed.

Security tab:
I have my Security Level at "High".

Advanced tab:
Please Show the Java Console!
My "Advanced" settings (as of May 30, 2014):

[Image: Advanced Tab]

The Java Console

The Java Console is a pop-up window launched by the Java Plugin. It displays diagnostic information about an applet that is running in the browser.

You will not see the Java Console window unless you have enabled it in the Java Control Panel (on the "Advanced" tab, as mentioned above). I always keep it enabled. If it is enabled, it will pop up (possibly behind another window), as soon as a Java applet is launched. In my present version of Firefox, if I close the Java Console window, there is no way to get it back (as far as I know), without closing the browser and starting over.

The Java Console looks like this when I run my Animated Necker Cube applet:

[Image: Java Console]

It shows the Java version, followed by a list of single-key commands that are available in the Console, followed by diagnostic output from the applet. If the applet gets an error, there will usually be detailed error information which can be copied and pasted into an email to the applet author. If an applet isn't running right, you should always check the Java Console.

More About Code Signing

A partial explanation of how code signing works: here. A more detailed explanation: here.

Ordering of the Comodo certificate is done by web form. A public/private key pair is generated at the time of ordering. The private key is stored by the browser, in the Certificate Manager. I'm guessing it is a good idea to set a "Master Password" for the "Software Security Device", in your browser, before initiating the order. The public key was sent to Comodo but hopefully not the private key. Nobody but me is supposed to get their hands on the private key.

Once I passed Comodo's verification process, they used my public key to generate the certificate. When I signed on to their web site to pick up the certificate, it was installed in my browser's Certificate Manager. I was able to go into the Certificate Manager and back up the certificate as a PKCS12 file (with ".p12" file extension).

When I prepare an applet for its web page, I use the Java "jar" tool (part of the Java runtime installation) to bundle the Java ".class" files (bytecodes) up into a "jar" (Java archive) file. On the command line for the "jar" tool, I supply the name of a text file that has a few attributes such as the following:

Main-Class: HyprCube
Application-Name: Stereoscopic Animated Hyperspace Objects
Permissions: sandbox
Codebase: *

These are incorporated into the MANIFEST.MF file, contained in the jar file.

Then I use the Java "jarsigner" tool with the "-storetype pkcs12" option to sign the jar file with the ".p12" digital certificate file.
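An added example, not code from this page or its author: a Python audit of the result of the jar and jarsigner steps above. It reads the Permissions and Codebase attributes from MANIFEST.MF and checks that signature entries are present. The function names, the SAMPLE signer alias and the sample JAR are constructed for illustration; the manifest text is the one listed above.

```python
import io
import zipfile

def parse_main_attributes(text):
    """Main section of MANIFEST.MF as a dict, joining continuation lines."""
    attrs, key = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # wrapped value continues with one space
            attrs[key] += line[1:]
        else:
            name, _, value = line.partition(":")
            key = name.strip().lower()    # attribute names are case-insensitive
            attrs[key] = value.lstrip(" ")
    return attrs

def audit_jar(jar_bytes):
    """List findings for a JAR given as bytes; does not validate the signature."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no MANIFEST.MF"]
        attrs = parse_main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    findings = []
    perms = attrs.get("permissions")
    if perms == "all-permissions":
        findings.append("Permissions: all-permissions (unrestricted access)")
    elif perms != "sandbox":
        findings.append("Permissions attribute missing or unrecognized")
    if attrs.get("codebase", "*") == "*":
        findings.append("Codebase is '*' or absent: not restricted to specific domains")
    # Signed JARs carry META-INF/<alias>.SF plus a .RSA/.DSA/.EC signature block.
    exts = {n.rsplit(".", 1)[-1].upper() for n in names if n.upper().startswith("META-INF/")}
    if "SF" not in exts or not exts & {"RSA", "DSA", "EC"}:
        findings.append("no signature files in META-INF: JAR is unsigned")
    return findings

def make_sample_jar(manifest, signed):  # constructed input, placeholder signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            z.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/SAMPLE.RSA", b"")
    return buf.getvalue()

PAGE_MANIFEST = ("Manifest-Version: 1.0\r\nMain-Class: HyprCube\r\n"
                 "Application-Name: Stereoscopic Animated Hyperspace Objects\r\n"
                 "Permissions: sandbox\r\nCodebase: *\r\n")
```

The check only confirms that signature entries exist; "jarsigner -verify" on the real jar file is what validates the signature and the certificate chain.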

-- End --

Email: Mark Newbold