Security problem when signed applet dynamically loads plugins
Hi!
I have one problem: "security problem when signed applet dynamically loads plugins"
This is the scenario:
the main program [app.jar]
. contains the applet and a shared library (interfaces & implementations of common classes)
. it is signed and runs normally in the browser
. it can draw an image loaded from another URL [ex] http://bp1.blogger.com/image.jpg
. the image loader is in the shared library
. dynamically loads amazon.jar through URLClassLoader and reflection
the plugin [amazon.jar]
. searches for an Amazon product [ex] Harry Potter book
. draws the image on the applet
. uses the image loader from the shared library, BUT CANNOT LOAD THE IMAGE
The question: "Why can it not load the image, given that the image loader is in the shared library, which has been signed and is working?" I tried to sign amazon.jar too, but it did not work.
Your reply would be very helpful. Thank you.
Sovann
Hello. I have created a signed applet for A.jar. A.jar includes two packages, B and C. The main applet class is within B.
B needs some classes in C to run the applet, but I got the error that classes in package C are not found.
What shall I do?
Similar Messages
-
Security Problems with Signed Applet
Hello All,
I need help with signed applets.
I have an applet pkged in a jar that uses other jars. I have signed the jar containing applet and all the other jars being used. However, when I try to run the applet in IE 6.0.xx, I get the following error
java.lang.ExceptionInInitializerError
at aaa.aaa.somemethod(xxx.java:192)
at aaa.aaa.aaa.access$000(xxx.java:27)
at aaa.aaa.aaa.$1.run(xxx.java:467)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
... 3 more
My application is using Java 1.4.2.xx.
Any help or pointers would be greatly appreciated.
Thanks.
Thanks harmmeijer and mjparme for your responses.
I made some changes to my application and it does not now require the system property information. But now I am getting another exception related to class loader.
I made the changes to the console as suggested by harmmeijer, and here is the stack trace. Also, I am not using any JavaScript explicitly.
Registered modality listener
Invoking JS method: document
Invoking JS method: URL
Referencing classloader: sun.plugin.ClassLoaderInfo@e0a386, refcount=1
Loading applet ...
Initializing applet ...
Starting applet ...
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
at xxx.xxx.a...<init>(a.java:39)
at xxx.xxx.b...<init>(b.java:42)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Exception: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
at xxx.xxx.a...ToolBus.<init>(a.java:39)
at xxx.xxx.b....<init>(b.java:42)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Modality pushed
Modality popped
mjparme, as to your second point, the action is taking place in the same jar only. No other jar is involved at the stage where I am getting the exception.
Thank you again and will appreciate your help.
AC -
Default security context for signed applets using WinXP+IE8
What is the default security context for signed applets from the internet zone using Java 6 and WinXP+IE8 combination? My guess is that all file and socket access available for the user's Windows account is provided to the applet as well. Is this correct and if so, is there a way to limit these access privileges for signed applets from the internet zone?
This information is surprisingly difficult to find given how security conscious people now are using the internet.
AntonBoer wrote:
> Thank you for your swift reply.
> Unfortunately your answer reflects to my worst fears. Frankly I find this security model naive. Anyone with euros can get their applet signed so that is no security control at all.
The same naive security model applies to just about anything signed and downloaded; not just to Java Applets.
> Working for a corporate IT how I am supposed to allow Java installations on any of our computers with internet access? That automatically means I am providing them as platforms to whoever wishes to run Java code on them (given that the user of course visits the web site). I would have expected Sun to put more effort into this but it appears nothing has changed in this regard for 10 years.
I don't see this as a Sun problem; it is indicative of what I consider to be a general security weakness for all computer systems. For example, for Windows, Vista just added more user involvement in the trust process but it still allows programs to run pretty much unconstrained if the user agrees to them running.
For some time I have advocated a more fine grained approach. I would like to see ALL programs run in a sandbox that a user can specify what and what cannot be done by each individual program. Unfortunately, this would annoy the hell out of most users so it has little chance of ever being accepted. The average user just wants a run-and-forget-about-security model. -
User rejected the cab - signed applet doesn't load
Hi,
I have signed my cab file and IE requests permissions when I access it. If I deny the permissions, my signed applet doesn't load. Is there any way to make the applet load even if I don't grant the permissions? I expect only the 'out-of-the-sandbox' operations to fail - not the entire applet!
Thanks
I found a solution to this. Details on my blog at:
http://brandon.fuller.name/archives/2004/08/19/23.19.48/ -
I have a problem when I sign in. I have an Apple ID.
I have a problem when I sign in. I have an Apple ID. Help me please.
Welcome to the Apple Community.
Would you like to tell us what that problem is please. -
Loading problem for Signed applet on MAC OS
Hi All
I'm trying to test my application on MAC OS (For versions: 10.2.6 as well as 10.4.x)
For MAC 10.2.6 OS Java version is 1.4.1_01 and
For MAC 10.4.x OS Java version is 1.4.2_07
The code is compiled on Windows machine having Java version 1.4.2_07
There's a functionality which is calling signed applet (signed JAR for applet) and when this functionality is called, following error encounters:
Java(TM) Plug-in: Version 1.4.1_01
Using JRE version 1.4.1_01 Java HotSpot(TM) Client VM
java.io.IOException: Server returned HTTP response code: 403 for URL: http://myMachineName: port/appName/UploadDownloadAppletJava.jar
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:709)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:384)
at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:302)
at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:128)
at sun.plugin.cache.JarCache.get(JarCache.java:172)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:93)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:78)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:580)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:541)
at sun.misc.URLClassPath$3.run(URLClassPath.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:308)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:285)
at sun.misc.URLClassPath.getResource(URLClassPath.java:155)
at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
at java.security.AccessController.doPrivileged(Native Method)
Due to which cannot access Applet class (which is inside UploadDownloadAppletJava.jar) and operation is failed.
(It works perfectly fine on Windows XP with both IE 6 and Firefox browsers).
On MAC I'm testing on FireFox.
Code which calls to applet is:
<applet
name=UploadDownloadApplet
code="UploadDownloadApplet.class"
codebase=/appName/
archive=UploadDownloadAppletJava.jar
width=0 height=0>
<PARAM NAME=cabbase VALUE=UploadDownloadApplet.cab>
<PARAM NAME=action VALUE=<%= action %>>
<PARAM NAME=workingAreaMac VALUE="<%= workingAreaMac %>">
<PARAM NAME=workingAreaPC VALUE="<%= workingAreaPC %>">
<PARAM NAME=processId VALUE=<%= processId %>>
<PARAM NAME=downloadBaseProductInd VALUE=<%= downloadBaseProductInd %>>
<PARAM NAME=initTime VALUE=<%= initTime %>>
<PARAM NAME=httpSessionId VALUE="<%= httpSessionId %>">
<PARAM NAME=userId VALUE="<%= userId %>">
</applet>
Please suggest some guidelines
java.io.IOException: Server returned HTTP response code: 403 for URL:
http://myMachineName: port/appName/UploadDownloadAppletJava.jar
Have you tried entering the URL into a browser window and see what happens?
Message was edited by:
wangwj -
Problem running signed applet in 1.4 plugin
Hello,
We have a signed applet which we're trying to run on clients downloaded over the web. Our client applet is developed for Java 1.4.0. We're signing the applet because it is expected to access local client resources. The client applet runs successfully on some machines and on both IE6 and Netscape 7. We have installed Java Plugin 1.4 on all machines. But on some machines we receive the following exception:
java.security.AccessControlException: access denied (java.util.PropertyPermission java.home read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at com.bilten.kizilay.gui.CommPackageLoader.dataTransferToClient(CommPackageLoader.java:9)
at com.bilten.kizilay.gui.Depo.init(Depo.java:138)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
The problem seems to be related to the JRE configuration rather than the browser's. Has anyone a clue?
Muzaffer Ozakca
In the console, hit "s" to dump system properties on one machine that is working and one that is not, and post the dumps here. If it is a configuration issue, that will likely point to the problem.
-
OC4J 10.1.3.2 oc4jclient.jar makes permission problems in signed applets
A signed applet on WINDOWS 2000 with JRE 1.5_10 or 1.5_12 plugin in a IE6 browser, which talks to Session beans on a SUN 5.9 OC4J 10.1.3.2 server has no permissions with this library :
example:
at XXX.initContext(BeanFactory.java:69)... // 69: context = new InitialContext(props);
Exception in thread "AWT-EventQueue-2" java.lang.ExceptionInInitializerError
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission oracle.j2ee.logging.severe read)
at java.security.AccessControlContext.checkPermission(Unknown Source)...
With the older OC4J 10.1.3 oc4jclient.jar there is no problem !
Therefore I use the older oc4jclient.jar in my applet.
Seems to be a bug. That was the response from Oracle support (Metalink)
Response:
Your issue seems to be related to bug 5594702 - Abstract: EJB30 ENTITY BEAN WITH @ID AND @COLUMN ANNOTATION FAILS TO DEPLOY ON AIX.
There is an issue with the IBM JDK/JRE 1.5's processing of annotations.
Links:
http://www.theserverside.com/discussions/thread.tss?thread_id=37764
http://www-128.ibm.com/developerworks/forums/dw_thread.jsp?forum=367&thread=112543&cat=10
When processing annotations it returns boolean values as false.
Work-around:
Fully specify the @Column annotation's boolean values. If insertable and updatable are set to false (which will happen due to this bug) then TopLink sets the PK mapping to read-only and the exception seen is expected.
Note: nullable attribute of the @Column is not used in the EJB3/JPA preview of 10.1.3.0. If the customer MUST override the default column name then they should use:
@Column(name="column-name", insertable=true, updatable=true)
If they do not wish to override the default column name then simply do not use an @Column annotation.
It can be deleted or commented out in the JDev generated code.
There are two reported annotation processing issues with the AIX JVM. One was fixed in SR1 and the other is fixed in SR3 (due out Oct 11 - today). Upgrading to these more recent JVM releases may also address this issue.
RECOMMENDED SOLUTIONS:
1. Upgrade the IBM AIX JVM to SR3.
OR
2. Fix all generated @Column annotations as described above -
Signed Applet not loading on Mac OS X if using HTTPS protocol
Hi All,
I need to open a trusted applet on Mac OS 10.2. The applet works fine if using the HTTP protocol. But if the protocol used is HTTPS then the applet does not load and a "javax.net.ssl.SSLException - untrusted server cert chain" exception comes on the console.
The error comes for both - Verisign and javakey - signed applet.
On searching for a possible solution on the net, I came across the following link: http://www.macosxhints.com/article.php?story=20020525101202503&query=Workaround+for+secure+Java+applet+problems
It says that this is Mac's known bug and gives the workaround as:
1. Access the problematic site with Internet Explorer on Windows. Click on the padlock item and export the certificate to a file.
2. Copy the certificate to your Mac.
3. Use the command
sudo keytool -import -trustcacerts -keystore /Library/Java/Home/lib/security/cacerts -file mycert.cer
to import the certificate file to your keystore (substitute mycert.cer with the name of the file containing the certificate). The keystore is password protected - the default password is "changeit".
4. Restart your browser
But the client cannot be asked to do all this to run the applet.
Is this problem being solved by Mac in their java implementation or is there any other possible solution?
Thanx in advance.
Regards,
Charu
I am experiencing the same problem - I notice it does not happen on OS9.2 using IE but appears a problem on all browsers on OSX
Apple gave me the following reply.....
Re: Bug ID# 3268633: cannot load applet class under https connection
Hello Andrew,
Thank you for bringing this problem to our attention. We have received feedback from engineering on your reported issue.
Please know that to get Java to recognize the certificate you will need to do one of two things, depending on which VM you are using. Since you want it to work with Internet Explorer, we will assume Java 1.3.1.
In Java 1.3.1 you'll need to add the certificate to /Library/Java/Home/lib/security/cacerts using /usr/bin/keytool to import the certificate into the certificate database.
In Java 1.4.1 you should be able to just add the certificate to the keychain using certtool. For more details on how to do this, please refer to the information found at <http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html>. After doing so, if you should require further help from Apple in resolving this issue, we recommend that you request assistance from Developer Technical Support. This must be done by filing a Technical Support Incident.
So I am supposed to tell every Mac user to do the above am I?!!! -
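A more careful form of the import step from the workaround in the thread above, as an added example that is not part of the original posts: it compares the certificate's SHA1 fingerprint, as printed by `keytool -printcert`, with a value obtained out of band before the certificate is added to the trust store, and it sets an explicit alias instead of keytool's default `mykey`. The function names, the alias and keystore arguments, and the assumed `SHA1:` line in the keytool output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (constructed): pin a certificate's fingerprint before
# importing it into a Java trust store such as the cacerts file above.

# Strip colons and whitespace and upper-case the hex digits so that
# "ab:cd" and "ABCD" compare as equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only when both fingerprints are non-empty and identical
# after normalization.
fp_matches() {
    fp_a=$(normalize_fp "$1")
    fp_b=$(normalize_fp "$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Print the SHA1 fingerprint of a certificate file.
# Assumption: `keytool -printcert` prints a line of the form
# "SHA1: AA:BB:..." under "Certificate fingerprints:".
cert_sha1() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' |
        head -n 1
}

# import_if_verified CERT_FILE EXPECTED_SHA1 ALIAS KEYSTORE
# Imports the certificate only when its fingerprint matches the expected
# value; returns 1 and leaves the keystore untouched otherwise.
import_if_verified() {
    cert_file=$1
    expected_fp=$2
    cert_alias=$3
    keystore=$4

    actual_fp=$(cert_sha1 "$cert_file")
    if ! fp_matches "$actual_fp" "$expected_fp"; then
        echo "fingerprint mismatch for $cert_file: got '$actual_fp'" >&2
        return 1
    fi

    # Same command as in the workaround, plus an explicit alias so the
    # entry can later be found with `keytool -list` and removed again.
    keytool -import -trustcacerts -alias "$cert_alias" \
        -keystore "$keystore" -file "$cert_file"
}

# Usage (values are placeholders):
#   import_if_verified mycert.cer 'AA:BB:...' intranet-applet \
#       /Library/Java/Home/lib/security/cacerts
```

The expected fingerprint has to come from a channel other than the connection that delivered the certificate, otherwise the comparison proves nothing.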
HI All,
I am writing a small applet to draw a line graph by setting the parameters from the HTML pages. It came up beautifully. There are two problems here.
1) When I try to print the applet it prints only a black coloured rectangle in place of the applet (graph). I read a lot of articles only to find out that the applet needs to be signed for printing. I tried all ways and means but could not succeed in printing an applet.
2) When I try to access the applet from another computer without copying it, it says that the applet cannot be accessed due to security failure. It throws an exception.
I need your help on how to sign applets to access from another computer and also how to print applet content.
Can anyone help me on this?
Thanks in advance.
I am not sure of that, but having experience with drawing images, graphs and the like and with no experience in printing, I can share my experience with you.
Using setBackground(Color.white) of the applet/panel would not work since I believe it is something that has to do with the Graphics class. You have to draw a full white rectangle as a background before you start drawing lines.
like
g.setColor(Color.white);
g.fillRect(0, 0, width, height); // draw a white background
g.setColor(Color.black);
g.drawLine(x1, y1, x2, y2); // then draw the graph lines
etc.....
Have fun dude. -
Problems with signed Applet for File Download under JRE 1.4 (works with 1.3
Dear all,
I encountered a very strange behaviour with JRE 1.4x. A signed applet used for file download worked on all platforms (Windows NT, 2000 and XP with/without SP...) until I installed JRE 1.4.x (1.4.1 or 1.4.2)
I get an EOFException when downloading binary files (for ASCII it works fine) when trying to readByte() from a DataInputStream. But not immediately, but after x bytes in the while-loop. Security is fine (I know there have been changes to that in JRE 1.4, the applet itself can be started and runs with ASCII files for transfer)
Does anyone know what has changed in JRE 1.4?
As I said, it works fine under jre 1.3.x
The relevant code is below: byte bt = dis.readByte(); causes the error
try {
    // Get URL from server
    URL uFile = new URL(sFilename);
    sThisURLFile = uFile.getFile();
    Integer inte = new Integer(i);
    // open input stream for the file on server
    DataInputStream dis = new DataInputStream(new BufferedInputStream(
            uFile.openConnection().getInputStream()));
    // open output stream for the file on local drive
    String sFilenameOnly = sThisURLFile.substring(sThisURLFile.lastIndexOf('/') + 1);
    int iDotPos = sFilenameOnly.lastIndexOf(".");
    String sExt;
    if (iDotPos > 0) {
        sExt = sFilenameOnly.substring(iDotPos);
    } else {
        sExt = "";
    }
    File fileOut = new File(sDownloadDir + sThisURLFile.substring(sThisURLFile.lastIndexOf('/') + 1));
    DataOutputStream dos = new DataOutputStream(
            new BufferedOutputStream(new FileOutputStream(fileOut)));
    // read one byte from input stream, and write that byte to output stream
    long nByte = 0;
    int iCnt = 0;
    iFilesizeDone++;
    while (nByte < iFilesize) {
        String sErrPs = new String();
        try {
            sErrPs = "00";
            byte bt = dis.readByte();
            sErrPs = "01";
            dos.writeByte(bt);
        } catch (EOFException ee) {
            System.err.println("internal EOFException: " + ee.getMessage());
            System.out.println("Error Filesize is " + nByte + " of " + iFilesize + "---" + sErrPs);
            break;
        }
        nByte++;
        iFilesizeDone++;
        iCnt++;
        if (iCnt >= 10240) {
            ShowProgress(nByte, iFilesize, iFilesizeDone, iFilesizeTotal); // repaint does not work during init-procedure
            iCnt = 0;
            line = "Progress: Total: " + ((iFilesizeDone * 100) / iFilesizeTotal) + " perc, " + iFilesizeTotal / 1024 + " kbytes";
            labLine.setText(line);
        }
        //dos.flush(); // improves Client performance (Agent-Call!)
    }
    dis.close();
    dos.close();
} // End try
catch (EOFException ee) {
    System.err.println("EOFException: " + ee.getMessage());
} catch (SecurityException se) {
    System.err.println("SecurityException: " + se.getMessage());
} catch (IOException ioe) {
    System.err.println("IOException: " + ioe.getMessage());
}
perhaps they've changed something with the file blocking.
btw, you should try to use something like this
DataInputStream dis = new DataInputStream(is);
byte[] buffer = new byte[8192];
int numBytesRead;
// read() returns -1 at end of stream; available() only reports what can be
// read without blocking, so it is not a reliable end-of-stream test
while ((numBytesRead = dis.read(buffer)) != -1) {
    // write buffer[0 .. numBytesRead) to the output stream here
}
-
Determine when signed applet certification is rejected
Hello,
When a signed applet is first run and the cert is verified, the dialog allows the user to "Run" or "Cancel". If they click "Cancel" the applet continues to run, but without the permissions it may need to do its job. Is there a way for the applet or the web page to determine if the user clicked "Cancel"?
The applet can of course try to do a privileged operation and catch AccessControlException, but that doesn't necessarily mean that the user clicked "Cancel"; maybe OS or browser security settings are preventing the applet from doing the operation.
Thanks
Yes, you can check that a permission is allowed without attempting that action. You will need to change the 'permission' object to be of the type of permission that you want to check.
try {
    java.util.PropertyPermission permission = new java.util.PropertyPermission("my.fav.property", "read");
    // throws AccessControlException when the current call stack lacks the permission
    java.security.AccessController.checkPermission(permission);
    System.out.println("Permission Check Passed");
} catch (java.security.AccessControlException e) {
    System.out.println("Permission Check Failed");
}
-
FDM keeps giving me DCOM Security Error when I configure the Load Balance
Hello, everyone.
I installed FDM on the Windows 2008 Server.
When I configure the Load Balance Server for FDM,
it keeps giving me the error:
Unable to create Load Balance Manager Object!
Please verify that the user name, password, and domain name are correct.
However, I am pretty sure the user name and password input are correct.
I have tried the solution provided on Oracle Support and changed the DCOM component's security settings.
However, the issue still exists.
If after clearing out the security on the DCOM object and attempting to reset the Load Balance Config the same issue occurs, you will need to un-install FDM using the EPM System Un-installer and reboot. Following the reboot you will then choose to install FDM again, configure FDM using the EPM System Configuration utility, and then reset the FDM configuration items.
-
Security problem when trying to connect a CMP Session Bean deployed on J2EE
I am working through Wrox's book Professional Java Mobile Programming and trying to set up the Mobile Positioning project. The book has instructions for Ericsson MPS-SDK 3.0 but the only version available now is the 5.0 and these instructions are no longer valid. I have built the application with the Studio 4 IDE and deployed it on an instance of the J2EE Reference Implementation and this seems to work fine. However I have built a CMP session bean which should connect to the Ericsson Emulator running on their supplied Eserver and this connection is failing with a security problem. Following is a snippet of the code I have used to instantiate the connection.
ConnectionFactory con = null;
con = new ConnectionFactory(true);
The code compiles without errors but when I try to test it I get the following error
java.security.AccessControlException: access denied (java.util.PropertyPermission sun.net.inetaddr.ttl write)
Any Hints or suggestions would be appreciated.
Thanks
Oops!! I meant Session Bean NOT CMP Session Bean
-
Problem when signing with Reader 11.0.08
I tried to sign using a stylus in Reader 11.0.08. However, it requires a double-tap to activate when signing the PDF doc.
It is difficult for people to sign with multiple strokes (lifting the stylus for a space or separating names).
In Reader 10.1.4, the user can sign much more easily (no need to activate with a double-tap).
Is there any setting in Adobe Reader or editing in Adobe Pro version to fix this issue?
I use Lenovo IdeaPad, Yoga 11S, with non-digitized stylus (similar to this).
http://shop.lenovo.com/us/en/itemdetails/AMM01TBUS/460/ECBF758B22E043D7AA80E287D05CEE39
Do you know if any setting is set for this since version 10 works better than version 11?