Insights and updates on Java SE and OpenJDK from the Java Platform Group Product Management Team

  • September 17, 2013

Signing applet code does not grant all-permissions (since 7u25)

Guest Author

There are two levels of authorization for Java applets and web start applications: sandboxed, where the application is limited in terms of actions it can take on users' computers, and all-permissions, where applications operate as though they were native, with full access to the system and its resources.

In the old days of Java 6 and early days of Java 7, the rule was that only applications that required all-permissions needed to be signed. Since Java 7 update 21 (April 2013), you are able to (and encouraged) to sign all types of applications: sandbox and all-permissions. The intent of this is that code signatures from trusted certificate authorities provide a means of authentication for end users, so that they can know who actually wrote the application.

Java 7 update 25 also introduced two new attributes within a jar's Manifest file aimed at Preventing RIAs from Being Repurposed. By having these attributes within the signed jar, attackers cannot make any adjustments to the permissions level without invalidating the signature. An example of the META-INF/MANIFEST.MF file with these attributes would be:

Manifest-Version: 1.0
Created-By: 1.7.0_25
Permissions: sandbox
Codebase: https://example.com

Name: Clazz.class

Beginning January 2014, code signatures and use of the Permissions attribute will be mandatory for all Applets and Web Start applications. The Codebase attribute will remain optional, as ISVs may not know this information beforehand.

These changes create a separation between three areas of trust:

  1. Identification: provided by the application, stating its publisher.
  2. Authentication: automatic by the JRE, the code signatures within JARs is verified against public certificate authorities and dynamically updated revocation lists.
  3. Authorization: once authentication has occurred, allow the application to ask the user for a specific set of permissions.

For additional information about the role of code signatures, sandboxed or not, see our previous blog entry, Code signing: Understanding who and when.

Join the discussion

Comments ( 2 )
  • guest Wednesday, September 18, 2013

    So from user side I don't know if a Applet will just making some visual effects or is scanning my system - it's signed. Before this stupid idea unsigned Applets stand for sandbox, secure.

    Bye bye Java!

  • costlow Wednesday, September 18, 2013

    Signed applets can run with either sandbox or all-permissions. The change here is that the use of a code signature does not imply permissions in either direction. Users will be able to identify permissions based on what the applet requests.

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.