Denying the Java Security Prompt in Internet Explorer


For the last few years, this dialog box has plagued me and my team. Our product uses Java applets that require users to grant them permission in order for them to execute. We need permission because we download code and do other crazy things. Anyway, given that users are dumb, some of the time when they see this dialog box, they get confused and push “No”, which is a bad idea.

JavaSecurity_MSJVM.jpg

When you push “No” in Internet Explorer with the Microsoft Java Virtual Machine, the .cab file that you were loading is skipped over and your web page looks the same as if you didn’t have the applets on your web server at all. Users are even more confused by this.

The solution that I have seen posted year after year is to put a timer on the page and, if the timer expires, redirect the user to a page telling them what they did wrong. Your applet then has code in it that uses LiveConnect to call out and kill the timer before it goes off. The downside of this solution is that it is a timer, and timers are usually wrong in some set of cases. You never know how long it should be set for, because downloads can take a while depending on connection speed. Even worse, the timer keeps running while the user reads the dialog box, or while they ignore it and it falls behind the window, and then the timer goes off.

Well, today I figured out a solution that works and it's foolproof. I stumbled upon it by accident while making another fix. So I am going to post it here so others do not have to live in geek misery if they have the same issue.


<applet ...>

<param name="CABINETS" value="foo.signed.cab, foo.unsigned.cab, random.cab">

</applet>

That is all there is to it. Let me explain. Most of us use the param CABBASE to specify the name of the .cab file to use. That parameter only takes a single .cab file. The CABINETS parameter, however, allows you to specify a list of .cab files that it will iterate through. So now what happens is that IE tries to load the first cabinet file. Since it is a signed .cab file, you get the security prompt.

If you click “No”, then it skips that .cab file and moves on to the 2nd .cab file. The 2nd .cab file in our list contains the exact same class files as the first, except that we did not sign it. Now, this .cab file loads with no security prompt. Once the applets are alive, you can run code inside your applet to determine your security permissions and display an error telling the user that they should have clicked “Yes”.

Now the other case — if you click “Yes” to the security prompt when loading the signed .cab file, it will go on to load the unsigned .cab file also. But since they are the same and all the needed classes were already pulled from the signed .cab file, nothing really happens here.

The final .cab file is a fake .cab file. The reason we have this is to force Internet Explorer to load our applets in a new classloader each time we load the containing page. Replace the “random” in random.cab with the output of some JavaScript that generates a real random number each time the page is rendered. This way you force IE to load your applets in a new classloader each time, which prevents reuse of previously loaded applets on reloads.
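One way to generate the applet tag so that the third cabinet name changes on every render, as an added example that is not code from the original post. The cabinet names are the ones in the snippet above; the `code`, `width` and `height` attributes and all function names are assumptions for illustration.

```javascript
// Added example, not the original post's code. Function names and the
// applet attributes passed in by the caller are hypothetical.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Name for the fake trailing cabinet. It only has to differ on every render,
// which is what the post relies on to get a new classloader. It is not a
// secret, so Math.random is sufficient. The arguments exist for testing.
function freshCabName(now, rand) {
  const stamp = (now === undefined ? Date.now() : now).toString(36);
  const r = rand === undefined ? Math.random() : rand;
  const salt = Math.floor(r * 0x7fffffff).toString(36);
  return stamp + "-" + salt + ".cab";
}

// Build the CABINETS value: signed cabinet first (this one raises the
// prompt), unsigned fallback second, fake per-render name last.
function cabinetsValue(signedCab, unsignedCab, fakeCab) {
  const names = [signedCab, unsignedCab, fakeCab];
  for (const name of names) {
    // Reject names that would break the comma-separated list.
    if (!/^[A-Za-z0-9._-]+\.cab$/.test(name)) {
      throw new Error("bad cabinet name: " + name);
    }
  }
  return names.join(", ");
}

// Return the full <applet> markup; fakeCab defaults to a fresh name.
function appletMarkup(attrs, signedCab, unsignedCab, fakeCab) {
  const attrText = Object.keys(attrs)
    .map((key) => key + '="' + escapeAttr(attrs[key]) + '"')
    .join(" ");
  const cabs = cabinetsValue(signedCab, unsignedCab, fakeCab || freshCabName());
  return "<applet " + attrText + ">\n" +
    '<param name="CABINETS" value="' + escapeAttr(cabs) + '">\n' +
    "</applet>";
}
```

In the page, the result would be written out at render time, for example with `document.write(appletMarkup({...}, "foo.signed.cab", "foo.unsigned.cab"))`.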

Hope this helps somebody else out there.