I am running Java 1.7.0_67-b01. We have an applet which downloads into the browser. Normally the user receives two prompts the first time the user employs the applet. The first one reads "Do you want to run this application" It then give the name of the application, the publisher, and the location and then states "This application will run with unrestricted access..." At the end of the prompt, the user has the option of checking a box to "Do not show this again for apps from the publisher and location above.". Clicking on the checkbox and then clicking the RUN button will result in the certificate of the applet being installed in an area accessible from the Java control panel.
Then the user receives a second prompt: "Allow access to the following application from this web site?" Again the Application and the Publisher are identified. And the following statement appears: "This web site is requesting access and control of the java application shown above. Allow access only if you trust the web site and know the application is intended to run on this site." Again there is a check box: "Do not show this again for this app and web site."
Oracle calls the act of clicking the check box and pressing the "Allow button" or "Run" button depending on the prompt, a "trust decision". If you choose to trust an application running from a particular web site, you can undo your decision by going to the Java Control Panel and clicking on the "Restore Security Prompts" button.
A permanent change occurs in the environment but I don't understand where the change is made. It is obvious that some information related to the website identified in the prompt is stored because making a trust decision, causes the prompt to disappear. But where is it stored? I've looked within the browser (I'm using IE9) and the control panel for java. I did discover that the certificates themselves are stored in a file called trusted.certs. This is located on my Windows 7 machine under Users\\AppData\LocalLow\Sun\Java\Deployment\security. When I click on the Restore Security Prompts button, the file changes. And it also updates when I make a trusted decision in response to the first prompt. But, not so the latter. Interestingly, if I copy the trusted.certs file to a different machine whatever decisions I made to the first prompt carry to the second machine. This suggests that by deploying the trusted.certs file to my user population, I can spare them the problem of having to be confronted with the first security prompt.
However, where data is stored related to the second prompt remains a mystery to me at this time. If anyone knows something about this prompt and where the data related to the trusted decision associated with this prompt is kept, I would appreciate it.
Is there also a way to avoid having the user having to make trust decisions? If this is a protected intranet environment, there should be a way to bypass this cumbersome security provision in the JRE.
I never did find out where the JRE stores data related to the second prompt. But this is much less important than figuring out how to control prompting in situations where it is inconvenient for users to make trust decisions or just not possible. Oracle has a way around this in its most recent releases of the JRE through the use of something called a rule set. I enclose the links that describe these below:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
http://www.java.com/en/download/faq/release_changes.xml
Below is a sample ruleset that worked with our application:
<ruleset version="1.0+">
<rule> <!-- allow anything signed with company's public cert -->
<id location="http://10.190.65.254/myapp">
</id>
<action permission="run"/>
</rule>
<rule>
<id />
<action permission="default"/>
</rule>
</ruleset>
We packaged the rule set in a signed jar and deposited it in a directory:
C:\Windows\Sun\Java\Deployment
After that, no more prompting.