7 Replies Latest reply: Sep 10, 2010 4:50 PM by 843802 RSS

    All Browsers Hang When The User Denies A Signed Applet's Certificate

    843802
      It took me awhile to figure this out so I thought I would post this information to the community. I have a simple applet that is using a digital signature. Therefore, when the applet is loaded, the user receives a security confirmation dialog asking them if they accept the certificate; which allows the applet to be run without restrictions, outside of the sandbox. In order to load an applet in a web page, you should use the "recommended" <object>/<embed> tags; instead of the "deprecated" <applet> tag. When doing so, I encountered a serious bug in the Java Plugin. If the user allows the certificate, then your signed applet runs just fine. But, if the user denies the certificate, the PlugIn causes the browser to hang. The hang is more apparent in Firefox and IE than the other major browsers out there.


      When using the "recommended" <object>/<embed> tags, and the user denies the applet's certificate, the console outputs:
      exception: exit(-1).
      ExitException[ 4]java.lang.RuntimeException: exit(-1)
          at com.sun.javaws.Main.systemExit(Unknown Source)
          at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
          at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
          at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
          at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
          at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
          at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)
      Exception: ExitException[ 4]java.lang.RuntimeException: exit(-1)
      But when using the "deprecated" <applet> tag, and the user denies the applet's certificate, the plugin gracefully corrects itself and the browser is happy too.

      Here is a sample javascript to easily test your html that inserts the applet into the webpage:
      <script type="text/javascript" language="javascript">
      
          var bUseDeprecatedAppletTag = false;
      
          if (!bUseDeprecatedAppletTag) {
      
              //    References:
              //        http://download.java.net/jdk7/docs/technotes/guides/jweb/applet/applet_deployment.html#jnlp_href
              //        http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/technotes/tools/appletviewertags.html
              //        http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/using_tags.html#mixed
      
              //    insert the <object> tag that tells the browser to u this is a java applet
              var sID = "Applet";
              var sInsertAppletTag = '<object type="application/x-java-applet;version=1.5"' +    
                                      'id="' + sID + '"' +                                             
                                      'width="100%"' +                                               
                                      'height="200"' +                                                 
                                      'classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93">';         
      
              //    insert our parameters to the <object> tag
              sInsertAppletTag += '<param name="code" value="---your main class that derives from JApplet: Ex. CApplet.class">' + 
                                      '<param name="archive" value="---your Applet's Jar file: Ex. ./TestApplet.jar">' +             
                                      '<param name="type" value="application/x-java-applet;version=1.5">' +                         
                                      '<param name="jnlp_href" value="---your Applet's jnlp file: Ex. ./TestApplet.jnlp">' +        
                                      '<param name="scriptable" value="true">';                                                      
      
              //    for a pure HTML way of launching an applet across all browsers, we insert a <comment> tag within the <object> tag and then use the <embed> tag
              sID = "AppletEmbed";
              sInsertAppletTag += '<comment>' +
                                      '<embed type="application/x-java-applet;version=1.5"' +                             
                                          'jnlp_href="---your Applet's jnlp file: Ex. ./TestApplet.jnlp"' +                 
                                          'id="' + sID + '"' +                                                              
                                          'code="---your main class that derives from JApplet: Ex. CApplet.class"' +         
                                          'archive="---your Applet's Jar file: Ex. ./TestApplet.jar"' +                     
                                          'width="100%"' +                                                                 
                                          'height="200"' +                                                                 
                                          'scriptable="true"' +                                                           
                                          'pluginspage = "http://java.sun.com/products/plugin/index.html#download"' +     
                                      '>' +
                                      '<noembed>' +
                                      '</noembed>' +
                                      '</embed>' +
                                  '</comment>';
              //    close off the <object> tag
              sInsertAppletTag += '</object>';
      
              //    write this HTML to the page
              document.write(sInsertAppletTag);
          } // if
          else {
              var sInsertAppletTag = '<applet width="800" height="768" code="./CTestApplet" archive="./TestApplet.jar">' +
                                          '<param name="Applet" value="./TestApplet.jnlp">' +
                                      '</applet>';
      
              //    write this HTML to the page
              document.write(sInsertAppletTag);
          } // else
      </script>
      I hope this helps others that have encountered the same problem as I have. I have also entered a bug to Sun/Oracle about this issue.
        • 1. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
          843802
          Well, I guess I'm not out of the woods yet. The <applet> tag also gives me problems when trying to close the browser after I deny the signed applet's certificate. I was using Firefox as the browser.

          I receive this output in the console:
          java.lang.SecurityException: attempted to open Trusted-Only jar file:<my jar file> on sandboxed loader
               at com.sun.deploy.security.CPCallbackHandler$ParentElement.checkResource(Unknown Source)
               at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
               at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
               at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
               at java.security.AccessController.doPrivileged(Native Method)
               at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
               at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
               at java.lang.ClassLoader.loadClass(Unknown Source)
               at java.lang.ClassLoader.defineClass1(Native Method)
               at java.lang.ClassLoader.defineClassCond(Unknown Source)
               at java.lang.ClassLoader.defineClass(Unknown Source)
               at java.security.SecureClassLoader.defineClass(Unknown Source)
               at java.net.URLClassLoader.defineClass(Unknown Source)
               at java.net.URLClassLoader.defineClass(Unknown Source)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
               at java.lang.reflect.Method.invoke(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
               at java.security.AccessController.doPrivileged(Native Method)
               at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
               at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
               at java.lang.ClassLoader.loadClass(Unknown Source)
               at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
               at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
               at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
               at java.lang.Thread.run(Unknown Source)
          Exception: java.lang.SecurityException: attempted to open Trusted-Only jar file:<my jar file> on sandboxed loader
          The Firefox browser closes, but the java.exe is still active and attached to the firefox.exe. Therefore, even though the browser is closed, I can't relaunch the browser b/c Firefox thinks it is already launched.

          Does anyone else have this particular problem with signed applets; once you deny the security certificate? If so, anyone found any workarounds or solutions to this problem?
          • 2. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
            baftos
            Windows 7, IE 8, FF 3.5.5, Java 1.6.0_21, using <applet> tag. No problem.
            • 3. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
              843802
              Hi baftos,

              If it's not too much trouble, would you mind doing the following....

              Is your <applet> tag loading the applet by using a jnlp file? Also, is the applet signed so you get the security warning dialog that prompts you to run the applet? If so, please enable your java console and post the output to this thread when you deny the signed applet access; I want to compare your output w/ mine. Then close Firefox and see if java.exe is unloaded; which should unload firefox.exe from Task manager (I'm on Windows 7).

              Thanks for the help.
              • 4. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
                baftos
                Is your <applet> tag loading the applet by using a jnlp file?
                No. Just plain HTML with an <applet> tag.
                Also, is the applet signed so you get the security warning dialog that prompts you to run the applet?
                Of course.
                If so, please enable your java console and post the output to this thread when you deny the signed applet access; I want to compare your output w/ mine.
                Java Plug-in 1.6.0_21
                Using JRE version 1.6.0_21-b07 Java HotSpot(TM) Client VM
                User home directory = C:\Users\e

                ----------------------------------------------------
                c: clear console window
                f: finalize objects on finalization queue
                g: garbage collect
                h: display this help message
                l: dump classloader list
                m: print memory usage
                o: trigger logging
                q: hide console
                r: reload policy configuration
                s: dump system and deployment properties
                t: dump thread list
                v: dump thread stack
                x: clear classloader cache
                0-5: set trace level to <n>
                ----------------------------------------------------

                java.security.AccessControlException: access denied (java.util.PropertyPermission user.language write)
                     at java.security.AccessControlContext.checkPermission(Unknown Source)
                     at java.security.AccessController.checkPermission(Unknown Source)
                     at java.lang.SecurityManager.checkPermission(Unknown Source)
                     at java.util.Locale.setDefault(Unknown Source)
                     at com.eicon.iConnect.util.j2.Secure$2.run(com/eicon/iConnect/util/j2/Secure$2)
                     at java.security.AccessController.doPrivileged(Native Method)
                     at com.eicon.iConnect.util.j2.Secure.localeSetDefault(com/eicon/iConnect/util/j2/Secure)
                     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                     at java.lang.reflect.Method.invoke(Unknown Source)
                     at com.eicon.iConnect.util.Secure.localeSetDefault(com/eicon/iConnect/util/Secure)
                     at com.eicon.iConnect.avivaj.ui.app.Workspace.?B(com/eicon/iConnect/avivaj/ui/app/Workspace)
                     at com.eicon.iConnect.avivaj.ui.app.Workspace.?B(com/eicon/iConnect/avivaj/ui/app/Workspace)
                     at com.eicon.iConnect.avivaj.ui.app.Workspace.start(com/eicon/iConnect/avivaj/ui/app/Workspace)
                     at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
                     at java.lang.Thread.run(Unknown Source)
                java.lang.RuntimeException: Cannot happen
                     at com.eicon.iConnect.util.Secure.localeSetDefault(com/eicon/iConnect/util/Secure)
                     at com.eicon.iConnect.avivaj.ui.app.Workspace.?B(com/eicon/iConnect/avivaj/ui/app/Workspace)
                     at com.eicon.iConnect.avivaj.ui.app.Workspace.?B(com/eicon/iConnect/avivaj/ui/app/Workspace)
                     at com.eicon.iConnect.avivaj.ui.app.Workspace.start(com/eicon/iConnect/avivaj/ui/app/Workspace)
                     at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
                     at java.lang.Thread.run(Unknown Source)
                Exception: java.lang.RuntimeException: Cannot happen
                Then close Firefox and see if java.exe is unloaded; which should unload firefox.exe from Task manager (I'm on Windows 7).
                It is, but only after I close the console as well.


                Imortant!
                Don't pay much attention to the stack trace. Those are exceptions caused by the fact that I denied the certificate and the applet is not clever enough to deal with this situatiuon.
                By the way, you can try it yourself: [http://web-to-host.avivasolutions.com/avivaj/users/guest/usr_en.htm]
                • 5. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
                  843802
                  Hi baftos,

                  Indeed, your applet works like a charm in the browser when I deny it. I'm still at a loss on why mine would be of a concern. Maybe I'll have to revert to using a plain <applet> tag without the JNLP reference in it.

                  Would you mind testing out the applet I created, remember to deny it and see if it hangs your browser (Firefox works best for the hang). I created a self-signed certificate for it.
                  It's located here: [http://dale.dns4me.com:8002/launch.html]

                  If you want to see my JAR file's source, it's located here: [http://dale.dns4me.com:8002/CApplet.txt]


                  If anyone else has any suggestions on why the browser hangs when I deny this applet, please post back to this thread.

                  Thanks.
                  • 6. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
                    baftos
                    Your applet in FF:
                    Java Plug-in 1.6.0_21
                    Using JRE version 1.6.0_21-b07 Java HotSpot(TM) Client VM
                    User home directory = C:\Users\e
                    
                    ----------------------------------------------------
                    c:   clear console window
                    f:   finalize objects on finalization queue
                    g:   garbage collect
                    h:   display this help message
                    l:   dump classloader list
                    m:   print memory usage
                    o:   trigger logging
                    q:   hide console
                    r:   reload policy configuration
                    s:   dump system and deployment properties
                    t:   dump thread list
                    v:   dump thread stack
                    x:   clear classloader cache
                    0-5: set trace level to <n>
                    ----------------------------------------------------
                    
                    exception: exit(-1).
                    ExitException[ 4]java.lang.RuntimeException: exit(-1)
                         at com.sun.javaws.Main.systemExit(Unknown Source)
                         at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
                         at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
                         at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
                         at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
                         at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
                         at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
                         at java.lang.Thread.run(Unknown Source)
                    Exception: ExitException[ 4]java.lang.RuntimeException: exit(-1)
                    It does not hang FF at all.
                    Same for IE, works ok.

                    Edited by: baftos on Sep 3, 2010 6:27 PM
                    • 7. Re: All Browsers Hang When The User Denies A Signed Applet's Certificate
                      843802
                      I still have no idea why my firefox browser would not exit properly, but there is hope. After a couple days, I decided to uninstall all java products. I had jdk1.6.0_13, jdk1.6.0_18, jdk1.6.0_21, jre1.6.0_21, NetBeans_5.3.1, NetBeans_9.7, NetBeans_9.1 all installed on my local machine. Therefore, I uninstalled all the NetBeans programs, then I uninstalled all the jdks, then the jre, then uninstalled firefox. Then I reinstalled firefox and the jre and somehow, my test applets are no longer hanging firefox when I deny the applets security certificate. I then installed the latest jdk and NetBeans and tested again, everything works.

                      So if anyone else was seeing problems like I was, please follow the steps above and maybe (just maybe) it may correct itself.