Straxus
cat /dev/kbd | grep --random-lines > straxus.javadevelopersjournal.com
Ryan Slobojan (Straxus) is a Software Consultant with Codesta LLC (http://www.codesta.com)
Sunday, 11 December 2005
Sun Tech Days visits Toronto

This past week (Dec. 6th and 7th) I had the opportunity to attend the Sun Tech Days conference in Toronto. I'll be writing up summaries of several of the presentations I went to over the next little while, but I want to start off with a few high-level notes:

  • James Gosling keynoted the conference on Tuesday morning - it was definitely nice to get the chance to listen to someone who created the language that I spend so much of my time working with

  • There was a draw to win lunch with James Gosling, and I WON!@#!@# I'm hoping to post a summary of some of the discussions that were had during that lunch over the next few days

  • In the past I've been a bit annoyed about the focus on NetBeans at Sun conferences - I understand why it happens (Sun conference, NetBeans is a Sun product, etc.), however I have to say that I was truly impressed with how much NetBeans has changed since the last time I used it a few years ago -- it really looks like it has had a ton of work sunk into it, and it may still give Eclipse a healthy fight for the Java IDE space

  • I was surprised at the number of times Brazil was mentioned -- Sun seems to be taking a very large interest in the Brazilian market, and it sounds like they've had a lot of success there recently

  • The Code Maneuvers conference that I attended May of this year seemed to be a testing ground for a lot of the presentations that were in TechDays -- I won't bother summarizing the Java 5.0 New Features presentation or the SOA/JBI presentation, since they were not substantially different from the Java 5.0 and SOA/JBI presentations from then, aside from delving into some things with more detail


Friday, 5 August 2005
Black Hat 2005, Michael Lynn, World Domination, and Miscalculations

WARNING: Personal opinions ahead. I state no opinion but my own, and the thoughts I express are NOT in any way linked to the company I work for - Hell, there hasn't been a single discussion about it in the office here.

First, here's a snippet from the story (which I'm sure you've probably heard about by now):
SYS-CON Media Obtains Michael Lynn's Black Hat Cisco Presentation
— The brouhaha over a presentation given last week by Michael Lynn has taken on a life of its own on the worldwide web. No surprise here. Lynn's presentation can be found easily, as can many other interesting related items. SYS-CON Media herewith presents a few things we've found.

I suppose I'm becoming a small part of that brouhaha, but so be it. I applaud SYS-CON for putting these documents online, and I hope that they keep them up through what is likely to be a legal firestorm (Grain of salt: in the interest of full disclosure, this blog is hosted by SYS-CON. However, I will also note that I feel perfectly willing to state my opinion, whatever it may be, and that I receive no pay or anything other than space to host this blog from SYS-CON). It's amazing to me that a company like Cisco hasn't yet realized what kind of public relations nightmare is created by trying to clamp down on things like this - it becomes a free speech thing, and the advocates all gather around in a feeding frenzy as headline after headline is spread around the world.

Another debate that this brings up is the one around security by obscurity. I believe that this sort of release is a good thing - Cisco now HAS to deal with this problem, and get these routers fixed. <FUD>With the ability to overwrite the log and cover your tracks, how do we know that this exploit hasn't been in use for years by organized criminals or controlling governments?</FUD> -- the answer is that we don't. When a flaw is not being addressed and gets publicized, it forces a company to get it fixed or suffer repercussions in the marketplace.


Tuesday, 28 June 2005
Eclipse 3.1 Released

Eclipse 3.1 has been released for download. The download site's a bit slow (you'd think it was getting hammered by a ton of downloaders or something), but it will be worth it to get a version of Eclipse that supports J2SE 1.5/5.0.

Get it while it's hot!


Friday, 24 June 2005
Free Ubuntu Linux CDs available

It feels like 1999 again. Ubuntu Linux is offering free pressed CDs of Ubuntu Linux, shipped anywhere, and they will eat the shipping costs. For those that are not familiar with Ubuntu, it is a desktop-oriented Linux distribution that has become very popular in a very short period of time (A review of Ubuntu Linux is available here). Ubuntu is supported on x86, PowerPC, and AMD64 and EM64T architectures (e.g. Athlon64, Opteron, EM64T Xeon), and comes in both an installer version (installs to a local hard drive) and a LiveCD version (the CD is booted, and Ubuntu runs in RAM and writes nothing to disk).

The price is right - maybe it's time to try a new Linux distribution!


Thursday, 23 June 2005
Creating a Mozilla/Firefox Drag and Drop file upload Script (Part 2)

In Part 1, we created a web page which could upload files with a drag and drop operation in the Mozilla and Firefox browsers. That page works wonderfully when it is loaded from the local machine, but breaks as soon as it is served from a web server, because Mozilla only lets signed scripts request the privileged (XPConnect) access that the upload code needs. To get it working when deployed to a server, we need to package the page in a signed jar which Mozilla recognizes. Although this seems like a straightforward task, I actually encountered a lot of difficulty figuring out how to do it right. The following steps must be followed in order to properly create a signed Mozilla jar:

  1. Download Mozilla NSS and NSPR, and set up the NSS directory

  2. Create a new certificate repository

  3. Create a new certificate with which to sign the jar

  4. Generate a signed jar from a folder with the web pages and scripts

  5. Discuss how jar links in Mozilla are handled

  6. Enable certificate permissions in the browser

Download and set up NSS and NSPR

In order to create a signed jar, you must download the Netscape/Mozilla jar signing tool. The Sun jar signing tool will NOT work correctly, as I discovered after several hours of trial and error – Mozilla will not recognize a Sun-signed jar as a valid signed jar; it expects the signature files its own signtool writes into META-INF (manifest.mf, zigbert.sf and zigbert.rsa). signtool ships with NSS, which in turn needs NSPR. Both can be downloaded from the Mozilla site at the following URLs:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_10_RTM/
ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.4.1/

I preferred to just use an existing binary distribution, but you can compile your own from source if you choose. If you decide on binaries, select the platform you are running on and download as required. Once you have downloaded both NSS and NSPR, put all of the libraries into one directory and put the executables you will be using in the same directory, so that the tools find the NSPR and NSS libraries at run time. For me, on a Windows platform, this meant copying all of the files from \NSPR\lib to \NSS\lib, and copying signtool.exe and certutil.exe into \NSS\lib.

Creating a new certificate repository

To create a new certificate repository, we use the certutil tool. To create a new repository in c:\certdir, run the following command:
certutil -N -d c:\certdir
The program will ask you for a password which is used to protect the certificate database. The private key of the signing certificate we generate in the next step will live in this database, so choose a real password rather than the throwaway one used here. I will assume that the password used is dragdrop. Once the program has completed, you will find three new files in c:\certdir – cert8.db, key3.db, and secmod.db. Together these are the certificate database.

Creating a new jar-signing certificate

Now that we have a certificate database, we need a certificate to sign the jar with. signtool -G generates a self-signed object-signing certificate and stores it in the database:
signtool -G dragDropCert -d c:\certdir -p "dragdrop"
This will walk you through entering a bunch of information, like company name, person name, etc. This is the information which will be shown to the user when the signed script asks for privileges, so put in data as appropriate. Once the questions have all been filled in, the program will generate the certificate, add it to the database, and create an x509.raw and an x509.cacert file in whatever directory signtool.exe was run from. Hold onto x509.cacert, as we will need to add it to the website later so that the user can trust the certificate and authorize its requests for special permissions.

An alternative to this certificate generating and permission requesting process which will be much more useful in a production environment is to get the certificate created and signed by a verified Certificate Authority, such as Verisign or Entrust. If you get a certificate signed by an authority which is already registered in Mozilla/Firefox, you can skip the whole certificate permissions part which is described in the Enable certificate permissions section. For a complete list of default trusted certificate authorities, just install Firefox and open the Options dialog – under the Advanced Section and the Manage Certificates section, a list of all recognized certificate authorities is presented along with how much trust each has.

Generate a signed jar from a set of web pages

Now that we have a certificate to sign the jar with, we just need to generate the jar. If a folder called c:\jarfolder contains all of the files we want to jar up (subdirectories included), we generate a signed jar with the following command:
signtool -d c:\certdir -k dragDropCert -p "dragdrop" -X -Z dragdrop.jar c:\jarfolder
This creates a signed jar called dragdrop.jar in the current directory from the contents of c:\jarfolder, signed with the certificate named dragDropCert from the certificate database in c:\certdir (-Z names the jar to write, -X tells signtool to optimise the archive). The result is an ordinary zip file with the signature files added under META-INF. Every file in the folder is digested at this point, so any file you change afterwards will fail verification; re-run the command whenever the contents change.

At this point, the technical part of creating a signed jar is done. There are, however, two things which can still prevent our application from working as expected; each is covered in its own section.

Jar links in Mozilla

Mozilla has the ability to reference an HTML file inside of a jar directly. The URL for this looks like:
jar:http://www.remoteserver.com/website/dragdrop.jar!/mozilla-drag-example.html
As you can see, there are two parts to this URL. The first part is the URL of the jar itself:
http://www.remoteserver.com/website/dragdrop.jar
The second part is the entry path after the !/ separator, which names the file inside the jar (in this case mozilla-drag-example.html):
jar:[jar-url]!/mozilla-drag-example.html
One of the biggest problems with jar URLs is that the inner URL must be absolute. The jar: scheme is not hierarchical, so a relative URL cannot be wrapped in it and the browser will not resolve one against the current page; if you want a jar link that works from whatever hostname or IP address the site is reached by, you need some Javascript trickery. An example of what I did to enable a jar link on a page to work from multiple IP addresses is:
<SCRIPT type="text/javascript">
// Runs on page load: turn every <a class="jarlink" href="x.jar!/page.html">
// into an absolute jar: URL. Reading .href (rather than getAttribute("href"))
// gives the URL already resolved against the current page, so only the
// jar: scheme needs to be prepended.
function loader()
{
  var elemList = document.getElementsByTagName("a");

  for (var i = 0; i < elemList.length; i++)
  {
    if (elemList[i].getAttribute("class") == "jarlink")
    {
      elemList[i].href = "jar:" + elemList[i].href;
    }
  }
}
</SCRIPT>

<BODY onload="loader();">

<a href="dragdrop.jar!/mozilla-drag-example.html" class="jarlink">
Basic Mozilla Drag and Drop Jar Link
</a>
As you can see, I have specified the A HREF attribute with a relative URL (i.e. dragdrop.jar is located in the same directory as the current page) and given it a class of jarlink, which lets the loader() function identify it as a relative jar link and process it appropriately. Note that when I reconstruct the URL I only prepend the jar: string to the existing href property of the A DOM object: unlike getAttribute("href"), the href property returns dragdrop.jar already resolved to its full path on the server (e.g. http://www.remoteserver.com/website/dragdrop.jar), so prepending jar: is all that is needed to construct the full link.

Also note that if you use relative URLs inside the jar you will hit the mirror image of this problem: the page's base URL is now jar:http://www.remoteserver.com/website/dragdrop.jar!/..., so every relative link resolves to another entry inside the jar rather than to a resource on the server. For links that must reach the server (the upload script, for instance), you will need to reparse the URL with Javascript, remove the jar: prefix and the !/entry suffix, and do any other URL cleaning which has to occur.
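The two directions of this problem, as an added example that is not part of the original article: the relative-to-jar conversion that loader() above performs, and the reverse conversion for links inside the jar that must reach the server. The functions are plain Javascript that runs in Node or in the browser; the host name, jar name and page name are the placeholders used in the article, and the upload script name (upload.cgi) is assumed.

```javascript
// Added example, not code from the original article: the two directions of
// jar: URL handling as pure functions. Host, jar and page names are the
// article's placeholders; upload.cgi is an assumed server-side script name.

// Wrap a link that the browser has already resolved to an absolute http(s) URL
// into a jar: URL. `resolvedHref` is what an <a>'s .href property returns.
function toJarUrl(resolvedHref) {
  if (/^jar:/i.test(resolvedHref)) return resolvedHref;           // already wrapped
  if (!/^https?:\/\//i.test(resolvedHref)) {
    throw new Error("jar: needs an absolute inner URL: " + resolvedHref);
  }
  if (!resolvedHref.includes("!/")) {
    throw new Error("jar: URL must name an entry after '!/': " + resolvedHref);
  }
  return "jar:" + resolvedHref;
}

// Split "jar:<archive-url>!/<entry>" into its two parts.
function splitJarUrl(jarUrl) {
  const m = /^jar:(.+?)!\/(.*)$/i.exec(jarUrl);
  if (!m) throw new Error("not a jar: URL: " + jarUrl);
  return { archive: m[1], entry: m[2] };
}

// Resolve a relative href against a page that is itself inside a jar, e.g.
// base = "jar:http://www.remoteserver.com/website/dragdrop.jar!/mozilla-drag-example.html".
// By default the link stays inside the archive (another jar entry); with
// toServer the jar: wrapper is removed and the link is resolved against the
// archive's own location on the server, which is where upload scripts live.
function resolveFromJar(base, href, { toServer = false } = {}) {
  const { archive, entry } = splitJarUrl(base);
  if (toServer) {
    return new URL(href, archive).href;
  }
  // Resolve against a throwaway hierarchical base so ".." and "/" work as usual.
  const inner = new URL(href, "http://jar.invalid/" + entry);
  return "jar:" + archive + "!" + inner.pathname + inner.search + inner.hash;
}

// Browser wiring, equivalent to the article's loader(): rewrite every
// <a class="jarlink"> using its already-resolved .href.
function rewriteJarLinks(doc) {
  for (const a of doc.getElementsByTagName("a")) {
    if (a.className === "jarlink") a.href = toJarUrl(a.href);
  }
}
if (typeof document !== "undefined") {
  window.addEventListener("load", () => rewriteJarLinks(document));
}
```

In the browser the only call needed is rewriteJarLinks(document) on load, which the last lines do; resolveFromJar is for scripts running inside the jar, where document.location already starts with jar: and the toServer option gives the address the upload request must actually be sent to.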

Enabling certificate permissions in Mozilla

If you’ve used a self-signed certificate (as described in the steps above) to create your signed jar, you will need to ensure that the certificate has been granted enough trust to run correctly. The easiest way to do this is to add a link to your page somewhere which points to the certificate file (the one named x509.cacert which we created earlier – save it as x509.crt so that the web server serves it with a MIME type the browser treats as a CA certificate, application/x-x509-ca-cert) and ask the user to click on it before they access the website. When they do this, a dialog will appear asking the user whether they want to trust the certificate which has just been presented – the user must check Trust this CA to identify software developers, or the XPConnect bridge will not be accessible to the drag and drop script. If they click on a jar link before clicking on the certificate link, the certificate will automatically be imported with no trust when the jar is first accessed, and clicking the certificate link afterwards only shows a dialog that says The Certificate already exists. If this happens, the user will have to open the Certificate Manager (found under Tools > Options > Advanced > Manage Certificates), find the certificate listed under Authorities, and edit the certificate to enable the Identify software makers permission.

Be clear about what you are asking the user to do here. Trusting the CA to identify software developers means Firefox will treat any code signed with that key as coming from a known publisher, and such signed scripts can request privileges that a normal web page never gets (which is exactly the XPConnect access the upload script needs). Anyone who obtains the key database from c:\certdir together with its password can sign code that those users will trust, so keep the database off the web server and out of the jar folder.

I'll mention again that all of this can be eliminated if a certificate is purchased from a recognized certificate authority – these authorities have trust levels built into Mozilla and Firefox, so a certificate issued by one of them (e.g. a Class 2 public certificate from Verisign) chains to a CA the browser already trusts for software signing and eliminates these trust-based issues entirely.

As a final note, this article is Copyright (C) 2005, Codesta LLC. All Rights Reserved. All of the research that I did for this article was on company time, and Codesta agreed to let me publish it. The information in it is free for you to use, but don't go claiming it's yours - it's not.

This blog is created and maintained by the author of the page and in no way associated with SYS-CON Media or JDJ. The author of the blog assumes all liability and responsibility personally for the content of the page. JavaTM, J2EE, J2ME, J2SE, and other Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. SYS-CON and JDJ are independent of Sun Microsystems.