Signed Java Applets broken on Vista
Posted on November 1, 2007 by terran
Filed Under Technology.
Having written a pure java (applet) based installer for Dekoh, I had assumed it would work seamlessly on all operating systems. But I was shocked to see support for signed applets is broken on Vista.
Why do we need special handling in the Dekoh installer for Windows Vista?
The answer is twofold -
- The primary Dekoh installer is a hassle-free, one-click web based installer based on a Java applet. (There are other installers like an exe file that you can download for Windows, but the web based is the easiest to use. Our installer applet is a signed applet which would download and install the required components on the user’s PC.)
- The second reason is related to why signed Java applets behave differently on IE 7 protected mode in Windows Vista as opposed to other Windows versions.
What is a Signed Applet?
A signed applet is a jar file containing a Java applet which has been signed with a digital certificate typically issued by an authority like VeriSign. Normal Java applets have very limited permissions. A signed applet however has all the permissions that a Java program that runs from your command line would have, after getting the user’s consent.
The browser’s Java plugin detects signed applets and accordingly shows a message and the signing certificate to the user asking whether to grant permission to the applet.
Dekoh uses a signed applet for the installer as it’s the easiest way to download, install and start the Dekoh runtime on the computer. Being browser based, there’s no need to download anything separately or configure anything, making it especially easy for non-technical users. The Dekoh installer applet is signed with a VeriSign certificate.
What has changed in Windows Vista?
Windows Vista has a new enhanced security model, the most visible part of it being UAC (User Account Control). Internet Explorer 7.0 comes bundled with Vista, and it has something called ‘protected mode’. In protected mode IE runs with greatly restricted privileges making it difficult for malicious code to install itself. Note that protected mode is only available on Windows Vista as it is based on Vista specific security features.
Processes running in protected mode have restricted access to objects with high integrity levels - such as important files and registry keys.
How does this affect the installer applet?
Operations on the file system and the registry are redirected to virtual stores using virtualization. So, when a process running inside IE (such as a Java applet) tries to create a file called say C:\Users\hrish\test.txt (assuming C is the system root drive) the file would actually get redirected to C:\Users\hrish\AppData\Local\VirtualStore\test.txt.
So,
File f = new File(”C:\\Users\\hrish\\test.txt”);
boolean b = f.createNewFile();//Will succeed.
boolean e = f.exists();//Is true.
String path = f.getAbsolutePath();//path will be C:\Users\hrish\test.txt.
But the actual file would be present in C:\Users\hrish\AppData\Local\VirtualStore\test.txt
Firefox is not affected by this, because it has no equivalent of protected mode.
What are the options?
IE has a mechanism to allow add-ons to access the file system using the user’s normal integrity level as opposed to the low integrity level that the Java plugin runs in right now. It’s called a Broker Process. This process would run with a higher integrity level than normal add-ons. The Sun Java plugin does not implement this Broker Process yet (why, I wonder?), but there is an RFE logged for this on Sun’s bugzilla - http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6504236.
Some add-ons like the Flash plugin already implement it.
Relation between UAC and protected mode.
IE’s protected mode is automatically off when UAC is turned off. A comprehensive figure with all possibilities is here.
Dekoh Desktop : Don’t upload, Just share!
Sign up now.
References:
1. http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx
2. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
3. http://www.microsoft.com/technet/technetmag/issues/2007/06/UAC/
4. http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx
5. http://msdn2.microsoft.com/en-us/library/bb250462.aspx
Comments
16 Responses to “Signed Java Applets broken on Vista”
Leave a Comment
Metagg is tracking this post
Find out what Social News Sites are discussing this post over at metagg.com
[…] Full story This entry was posted on Friday, November 2nd, 2007 at 1:08 am and is filed under le Chat Marchet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. […]
Have you tried asking users to set your site as “trusted”?
Hello Trogdoor,
I understand that protected mode is important to protect IE users from malicious sites - but the applet in question is a signed applet signed by a trusted certificate authority. This fact, as well as the certificate, is clearly displayed to the user so that s/he can make a decision whether to allow the applet to access the filesystem/registry or not.
There is no question of allowing untrusted applets to be allowed to access the filesystem. The onus is on the Sun plugin developers now to provide a mechanism for the applet process to have normal user privileges.
I have tested setting the site as trusted, and setting a site as trusted opens the site in a new window with protected mode for that site turned OFF. Which is again opening your system to attacks.
Replying to your actual question, it is not possible for a site developer to ask all it’s users to set the site as trusted - the trusted applet provides the only way to actually verify that the applet is what it claims to be, and comes from where it claims to be coming from.
Hope this answers your queries.
Regards
Hrish
Just use a webstart signed application; you won’t have any problems, and you don’t need to care about the different browsers and such.
Hello Martin,
With Java Webstart, in situations where there is no Java at all present in the target system, the operations necessary to automatically install Java and then launch the jnlp file are significantly complicated when compared to an applet. It is however simpler when the user already has java (and the jnlp file can simply ask for the required java version if not present). With an applet the browser takes care of auto installing the plugin, (IE) or atleast presenting a simple UI to install it without leaving the page (Mozilla et al).
Our target is to give users as smooth an installation experience as possible, especially non-technical users.
Regards
Hrish
Mozilla is also considering implementing Protected Mode for Firefox, so Sun should get its act together before their stuff doesn’t work on any browser on Vista.
Webstart isn’t a good solution, because some platforms — 64-bit Linux, for example — don’t support it. Sun has yet to deliver WebStart for Java on 64-bit Linux.
That’s what happen when companies like Microsoft try to retro-actively implement basic security into something as amateur as the Windows product line.
Everything becomes a hack to work around poor design. Forget ‘Windows compatibility’ letter alone encompassing serious Operating Systems like Linux, OSX, etc. The lowest common denominator (Windows) will bite you every time.
You were “Shocked” that your Java does not run as is on all platforms ??? Good grief from which planet did you drop ?
From my experience Java has never been able to deliver the “write once, run everywhere” promise Sun told us so many years ago.
Somehow all platform need some special tweeking.
>>From my experience Java has never been able to deliver the “write once, run everywhere” promise Sun told us so many years ago.
I would say it has, to a good extent.
You might need to do platform specific tweaking when running enterprise applications, but when you consider applets, you would expect them to work seamlessly across all browsers and OSs.
Regards
Hrish
[…] writes about problems with file access in signed applets under IE 7 on Windows Vista. There are some links to MSDN […]
[…] our ability to save files to the file system. Some plug-ins, such as Flash, have implemented the brokering system which allows them to boost their privileges in order to save files. However, Sun’s JVM […]
Thanks for your explanation. It helped me to solve a problem with an applet. It was solved using Firefox instead of Internet Explorer.
i have problem in windows vista when ever try to instal java it is installed with diffculty and in the menu option of IE7 that option Sun java console do not open any thing, rather java applet do not download from net and hence provide problem for applications that are run online with help of java applet, like when ever giving online typing test for certification purpose. the test never run due to java applet not downloaded in windows kindly help with suitable solution so that i can contact to my certification providers from where i can get certified , please look into the matter as soon as possible
regards mandeep
Does java applet work in windows vista and IE7or any other browsser
pls provide a support