Article ID: 193877 - View products that this article applies to.
This article was previously published under Q193877
Note The Microsoft Java Virtual Machine (MSJVM) and the Microsoft SDK for Java are no longer available for distribution from Microsoft. There will be no enhancements to the MSJVM or the SDK for Java. For additional information about resources for Java developers, visit the following Microsoft Web site:
Consider several factors when you want to make your Java code run as fully trusted, partially trusted, or untrusted in Microsoft Internet Explorer. This article explains many of the considerations, and it points to some resources that can help ensure your Java code has the correct level of trust when it executes in the browser.
Class loaderIt is important to understand the significance of the class loader in Java. The class loader controls much of the security and access granted to a class. The following article in the Microsoft Knowledge Base explains when the Microsoft virtual machine (Microsoft VM) uses different loaders:
177168With this information, you can make a more informed decision about which method of gaining additional permissions is most suitable for your project.
(http://support.microsoft.com/kb/177168/ )How does the Virtual Machine search for Java classes?
What It means to be trustedThe term trusted means that the code is no longer confined to the Java sandbox. The sandbox restricts untrusted code from successfully performing the trusted operations, such as:
Asserting permissionThe following Knowledge Base article provides enough information to understand when, why, and how you should assert permission in your Java code:
(http://support.microsoft.com/kb/175622/ )SecurityExceptionEx exception running a Java applet
Creating the cabinet (CAB) fileNow that you understand the concept of loaders, trust, and permissions, the next step is knowing how to create the cabinet (CAB) file. At this stage, you need to decide whether you wish to install your code on the user's computer, or simply package your code in a CAB file for faster download on every visit to your page.
If you do not want to install your code onto the local computer, you can simply create a CAB file using the Cabarc.exe utility and reference the CAB from a parameter passed to your applet from HTML. This is shown in Sample 1 later in this article.
Note This method does not require that you sign the CAB file if you do not need your code to run as trusted. You can still gain the benefits of having a single compressed file download instead of individual class files.
If you wish to install your code on the local computer, there are two approaches. One way is to create a Distribution Unit (DU) using the Dubuild.exe utility in the SDK for Java. This utility creates a CAB file and includes an automatically generated .osd file. See Sample 2 later in this article.
The other method to install code on the local computer is to use an .inf file. This method is somewhat more manual and more error-prone, but has the distinct advantage of being the only method that works on Internet Explorer 3.x and later. See Sample 3 later in this article.
Each of these methods has the advantage of downloading your code on the first visit to the page and not requiring another download on subsequent visits unless a newer version becomes available. They do however require some permanent space on the user's local drive.
Using a digital signature on your CAB fileYou need to sign your CAB whenever your code needs to do something outside of the Java sandbox or whenever you want to install code to the local computer from a Web page. You sign a CAB using the Signcode.exe utility in the SDK for Java. The samples later in this article show a few common signing scenarios. You can find additional information in the find "Signing Cabinet Files with Java Permissions" topic of the SDK for Java documentation and samples at the following location:
http://www.microsoft.com/mscorp/java/In the SDK, click Index and then click S. Scroll to find "Signing Cabinet Files with Java Permissions."
Following are a few key points to keep in mind:
http://digitalid.verisign.com/For more information about how to create, how to view, and how to manage certificates, visit the following Microsoft Developer Network (MSDN) Web site:
Tags to reference your signed CAB fileThere are several options to reference your signed CAB file in HTML. Following is a list and brief comparison of the different methods:
Trusted code in Internet Explorer for MacintoshAuthenticode is not supported in Internet Explorer for Macintosh. To enable downloaded code access outside the Java sandbox, the user must add the server to the list of Trusted Sites and then set the site permissions to those that the code requires.
SAMPLESYou can use the following Java class with the following three short samples. Cut and paste this text into a file named Simple.java.
Note Ensure you have a version of jvc.exe in your path from the SDK for Java 2.0 (build 4337) or later. This class will simple assert permission and display a Win32 MessageBox when run:
Note The linefeed is inserted in the command lines for Signcode.exe below. These command lines are too long to fit in one line in the Microsoft Knowledge Base, but should be edited in your batch files to be a single line.
Sample 1 - Simple1This sample shows a signed CAB file that does not install onto the local computer.
You can use the commands below to compile Simple.java, create a CAB file that contains Simple.class, enable the test root on the local computer, create a test certificate, sign the CAB file with LOW Java permissions using the test certificate, and launch the Simple1.html page in the browser. Cut and paste these commands into a batch file named go1.bat and save it to the same directory as the Simple.java file created above:
Before you execute go1.bat, cut and paste the HTML below into a file named Simple1.html and place it in the same directory as the files named Simple.java and go1.bat created previously:
Note A "cabinets" parameter works interchangeably with a "cabbase" parameter on computers running Internet Explorer 4.0 and later. The "cabinets" parameter has the added functionality of allowing for multiple CAB files to be referenced from the same APPLET tag.
Sample 2 - Simple2This sample shows a signed CAB file that installs into the Java Package Manager (JPM) on the local computer.
You can use the commands below to compile Simple.java, create a CAB file that contains Simple.class and a dubuild-generated .osd file, enable the test root on the local computer, create a test certificate, sign the CAB file with LOW Java permissions using the test certificate, and launch the Simple2.html page in the browser. Cut and paste these commands into a batch file named go2.bat and save it to the same directory as the Simple.java file created previously:
Before you execute go2.bat, cut and paste the HTML below into a file named Simple2.html and place it in the same directory as the files named Simple.java and go2.bat created previously:
Once a package is installed on the local computer using JPM, it will be present in the "<windir>\Downloaded Program Files" folder. Use this folder to view and remove packages that are installed using Internet Explorer.
Sample 3 - Simple3This sample shows a signed CAB file that installs the Simple.class file in the <windir>\java\lib\simple directory on the local computer. You can use the commands below to compile Simple.java, create a CAB file that contains Simple.class and an .inf file that you create, enable the test root on the local computer, create a test certificate, sign the CAB file with LOW Java permissions using the test certificate, and launch the Simple3.html page in the browser. Cut and paste these commands into a batch file named go3.bat and save it to the same directory as the Simple.java file created previously:
Before you execute go3.bat, you need to cut and paste the following HTML into a file named Simple3.html and place it in the same directory as the files named Simple.java and go3.bat created previously:
Note Replace the guid above "99999999-9999-9999-9999-999999999999" with the one created for the .inf file in the following instructions.
Follow these steps to create the simple.inf file that is to be included in the outer CAB file:
Note 2 Please consider the following when signing your CAB file for production use verses testing:
Note 4 You can configure Internet Explorer 4.x or higher to treat unsigned code as having more than the sandbox permissions by default. You should only do this for specialized situations like the intranet or for testing purposes. If you choose to configure Internet Explorer in this manner, be advised that you will no longer have any protection against malicious Java code that runs on your computer. For example, to automatically treat all Java applets as fully trusted in the Intranet Zone, perform the following steps:
For additional information about security and packaging issues in the Microsoft virtual machine, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/175622/ )SecurityExceptionEx exception running a Java applet
(http://support.microsoft.com/kb/177168/ )How does the Java Virtual Machine search for Java classes?
(http://support.microsoft.com/kb/179652/ )How to deploy Java in Internet Explorer 4.0 and Netscape 4.0
181374For more information about code download issues, visit the following MSDN Web site:
(http://support.microsoft.com/kb/181374/ )Related component download articles
http://msdn.microsoft.com/library/default.asp?url=/workshop/delivery/download/overview/entry.aspFor the latest Knowledge Base articles and other support information on Visual J++ and the SDK for Java, please see the following pages on the Microsoft Technical Support site:
Article ID: 193877 - Last Review: January 31, 2006 - Revision: 11.0
Contact us for more help
Connect with Answer Desk for expert help.