Author Topic: Java Applet Security  (Read 34 times)

TRexx

Java Applet Security
« on: September 02, 2004, 12:49:46 pm »
I'm working on a small Java project for my client. I wrote an applet that will gather some information from the user, invoke an API to fetch some more information from a remote server, then write that information to the user's hard drive. I developed it under VisualAge and it works OK.

Now I need to deploy this to about a dozen users. So I created a JAR with all the classes I need and built a little HTML file to invoke my applet. My plan is to install these two files on the user's hard drive then tell him to open the HTML with his browser. That works just fine until I try to run that API or write to my hard drive. That's when I run into all kinds of Java Security exceptions.

I've read through several web pages that talk about certificates and signed applets and policy files and keystores and my eyeballs are starting to bleed. As usual the examples I've found are wrong or incomplete.

Can anyone point me toward a resource that will explain this stuff simply, and possibly have some examples that might actually work? How about a simple checklist of the steps I need to take to get this thing deployed? I think that once I know the steps to take I can figure out the details but right now it's just a large black hole.

Many thanks

Randy Given

You Might Have Seen This Already
« Reply #1 on: September 02, 2004, 07:45:35 pm »
Purchase a "Digital ID" from VeriSign (the preferred computer associate) for $400 (this provides $50K of protection from code thieves) and sign the ****** using that certificate...the customer will see a prompt to install a VeriSign "trusted" certificate from a "known" company, and once installed, will never be prompted again.

Some VeriSign links:

+ VeriSign Code Signing Digital IDs: www.verisign.com/products/signing/code/

+ How It Works: www.verisign.com/products...g/how.html

+ Features & Benefits: www.verisign.com/products...efits.html

TRexx

Re: You Might Have Seen This Already
« Reply #2 on: September 03, 2004, 08:26:50 am »
Thanks a bunch.  I found this web site that does an OK job of explaining the process (of course he takes 4 pages to explain what you said in 1 sentence :)  -- "get a key, sign the app, tell the user to accept the certificate".

www.javaworld.com/javawor...urity.html

I ran keytool to get a key (didn't cost me anything) then used jarsigner to sign my JAR. My users are ecstatic.

This is by far one of the most idiotic "solutions" I've ever provided. My client recently deployed a new "strategic" application but the user interface is somewhat less than optimal. Actually it sucks. Lots of keywhacking with little validity checking. The users, mostly managers, can't be bothered following the directions, and we wind up with a lot of garbage data which causes a host of problems downstream. So I built this thing to pre-edit the user input then load it into the real app.
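
Added example, not part of the original posts: a small Java check a recipient could run on a JAR signed as described above (keytool key, jarsigner signature) to confirm that every entry verifies and to see whether the signer certificate is self-signed, which is what a keytool-generated key yields unless a CA later issues a certificate for it. The class name `JarSignerCheck` and the choice to skip everything under `META-INF/` are assumptions of this example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: list who signed a JAR and flag self-signed signer certificates.
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <signed.jar>");
            System.exit(2);
        }
        Set<X509Certificate> signers = new LinkedHashSet<>();
        int unsigned = 0;
        // verify=true: reading an entry throws SecurityException if its digest does not match.
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification (assumption): signature files live in META-INF/ and are not
                // themselves signed, so this example skips the whole directory.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* signers are only known after a full read */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { unsigned++; System.out.println("UNSIGNED entry: " + e.getName()); continue; }
                for (CodeSigner s : cs) {
                    // First certificate in the path is the signer's own certificate.
                    signers.add((X509Certificate) s.getSignerCertPath().getCertificates().get(0));
                }
            }
        }
        for (X509Certificate c : signers) {
            System.out.println("Signer: " + c.getSubjectX500Principal().getName());
            System.out.println("  issuer:  " + c.getIssuerX500Principal().getName());
            System.out.println("  expires: " + c.getNotAfter());
            System.out.println("  self-signed: " + isSelfSigned(c));
        }
        // Non-zero exit when nothing is signed or some class/resource entry lacks a signature.
        if (signers.isEmpty() || unsigned > 0) System.exit(1);
    }

    // Self-signed: subject equals issuer and the signature verifies under the cert's own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception ex) { return false; }
    }
}
```

A self-signed result means the certificate prompt identifies the signer only by the name they typed into keytool, so the certificate's fingerprint has to be confirmed with the publisher through a separate channel before it is trusted.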

jacek2

Re: You Might Have Seen This Already
« Reply #3 on: September 14, 2004, 01:25:33 pm »
Please also take a look at Java Web Start - all the advantages of dynamic distribution without the negatives of ******s.

-- Jacek

TRexx

Re: You Might Have Seen This Already
« Reply #4 on: September 14, 2004, 01:57:57 pm »
Thanks, but I don't think Java Web Start is appropriate in this case. Doesn't it require a server from which the apps are downloaded? We don't have one and getting space on an official one is next to impossible.

Unfortunately this little project was canceled about 2 days after we rolled out the first prototype. The folks that own the "strategic" application found out we were trying to make it easier to use and landed on us like a ton of bricks.

