signed applet throws security warning, but runs if yes button if clicked

Question

I have a signed applet that builds a menu from an xml file. When it loads I get the java security warning regarding signed and unsigned code. The applet uses jdom.jar

It doesn't matter if I hit yes on the security warning dialog box to block the unsigned code, or if I click no, the applet launches and runs as expected.

I have found out that a line of code in jdom that calls the SAXParserFactory.newInstance() is the cause of the security warning. I have tried signing jdom.jar, but that didn't help.

How can I get rid of the security warning without changing any settings in the Java console?

Thanks in advance.

Answer 1

You'll need to sign your entire applet if you use any of a list of features such as local file access or custom class loaders. The factory might use a custom class loader. The browser might not accept a self-signed certificate without a warning.

http://download.oracle.com/javase/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html

Answer 2

Sign the JAXP jar (or the jar that contains SAXParserFactory)

Answer 3

As the applet appears to work without the untrusted code, could you delete it? The untrusted code appears to be an alternate JAXP XML parser implementation. Hopefully the Xerces-based one in the JRE (since 1.4, IIRC), shouldn't be too bad.

(BTW: I would strongly recommend adding Trusted-Only: true to the manifest of your signed files, and Sealed: true isn't generally a bad idea.