Signed Java

During the creation of the HushMail applet, I tackled the problem of creating signed Java applets; a signed applet was required in order to allow the HushMail applet to request permission from the user to perform activities normally restricted by the Java VM’s security sandbox. Although the process of creating signed applets is fairly straightforward, there are some tricks to getting the whole system working. In order to enable others to overcome the hurdles of producing signed applets, I’ve created a step-by-step tutorial to guide developers through the process of installing the tools and creating signed archives:

Developers should be warned that signing alone is not enough to enable their Java applets to access resources normally restricted by the Java sandbox. Although signing provides proof of the integrity of the applet and validation of the author’s identity through trust-heirarchies, developers must also make use of the browser-dependent APIs to request permission from the user to perform restricted activities. I have already created a browser-independent set of classes which allow applets to request permissions in a browser-independent manner for Internet Explorer, Netscape, and the Java 1.2 Security Model; however, this code is not yet available as I’m still cleaning up and documenting the code. This browser-independent framework is based primarily on the framework described by Greg Frascadore in his May 1999 article in Java-Pro magazine.

(Note: for some reason, doesn’t seem to allow deep-linking; to find the article, go to, search for “Greg Frascadore”, and choose his “Write Once, Trust Anywhere” article.)