AddProvider in a signed applet (cab file)
Hi,
I have been trying to sign an applet such that I can use the JCA from within
an applet.
My goal is to encrypt a file and then ftp it to a server. I am currently
able to "read" the file from the client's system and then ftp it. I have
created a test certificate and signed the applet granting it "low"
privileges. I was able to open an input stream on a file without having to
make use of assertPrivilege(...) !
I believe the above was possible because I was invoking a method (which
reads the file and ftps it) on a button click and thus I think the
checkPermission(...) didn't somehow get to the init(...) or other default
methods. I think this is the case because of the following.
After I had accomplished the above I tried to use the JCA to encrypt the
file. To be able to do so I had to use addProvider(...). This is where I am
facing the problem. I used the applet I developed to achieve the above and
inserted the call to addProvider(..) on the method handling the button
click. I even used the assertPrivilege(...) and revertPrivilege(...)
methods. But I get an exception as follows ---
om.ms.security.SecurityExceptionEx[com/pyrasec/online/pyracrypt/PyraCryptCipher.pyraCryptConnect]
at com/ms/security/PolicyEngine.deepCheck
at com/ms/security/PolicyEngine.checkPermission
at com/ms/security/StandardSecurityManager.chk
at com/ms/security/StandardSecurityManager.checkSecurityAccess
at java/security/Security.check
at java/security/Security.insertProviderAt
at java/security/Security.addProvider
at com/pyrasec/online/pyracrypt/PyraCryptCipher.pyraCryptConnect
at com/pyrasec/online/pyracrypt/PyraCryptGUI.init
at com/ms/applet/AppletPanel.securedCall0
at com/ms/applet/AppletPanel.securedCall
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.run
at java/lang/Thread.run
----- the ABOUT TO ASSERT PERMISSION
PERMISSION ASSERTED are my System.err.printlns.
I initially invoked assertPrivilege(..) using SECURITY Permission ID and
later tried using SYSTEM too. But nothing seems to help. I have read and
re-read the sdkdoc, but just can't come up with any thing I have missed out
on.
Could any one help me here, please. I saw someone suggest on the newsgroup
at the java.sun site to sign the applet. He seemed pretty confident that the
above stack trace is a result of running an unsigned applet. But after all that
I have tried I no longer think so.
What did I have to do to solve this problem?
Thanks
Ralf
Security is very different for different combinations of web browser and/or Java Plugin. In most cases (unless you are using Plugin 1.3+) you have to import your certificate into the trusted area of your browser/plugin and only then will your signature enable those features.
Similar Messages
-
Problems with signed Applet for File Download under JRE 1.4 (works with 1.3
Dear all,
I encountered a very strange behaviour with JRE 1.4x. A signed applet used for file download worked on all platforms (Windows NT, 2000 and XP with/without SP...) until I installed JRE 1.4.x (1.4.1 or 1.4.2).
I get an EOFException when downloading binary files (for ASCII it works fine) when trying to readByte() from a DataInputStream. Not immediately, but after x bytes in the while-loop. Security is fine (I know there have been changes to that in JRE 1.4; the applet itself can be started and runs with ASCII files for transfer).
Does anyone know what has changed in JRE 1.4?
As I said, it works fine under jre 1.3.x
The relevant code is below: byte bt = dis.readByte(); causes the error
    try {
        // Get URL from server
        URL uFile = new URL(sFilename);
        sThisURLFile = uFile.getFile();
        Integer inte = new Integer(i);
        // open input stream for the file on server
        DataInputStream dis = new DataInputStream(new BufferedInputStream(
                uFile.openConnection().getInputStream()));
        // open output stream for the file on local drive
        String sFilenameOnly = sThisURLFile.substring(sThisURLFile.lastIndexOf('/') + 1);
        int iDotPos = sFilenameOnly.lastIndexOf(".");
        String sExt;
        if (iDotPos > 0) {
            sExt = sFilenameOnly.substring(iDotPos);
        } else {
            sExt = "";
        }
        File fileOut = new File(sDownloadDir + sThisURLFile.substring(sThisURLFile.lastIndexOf('/') + 1));
        DataOutputStream dos = new DataOutputStream(new
                BufferedOutputStream(new FileOutputStream(fileOut)));
        // read one byte from input stream, and write that byte to output stream
        long nByte = 0;
        int iCnt = 0;
        iFilesizeDone++;
        while (nByte < iFilesize) {
            String sErrPs = new String();
            try {
                sErrPs = "00";
                byte bt = dis.readByte();
                sErrPs = "01";
                dos.writeByte(bt);
            } catch (EOFException ee) {
                System.err.println("internal EOFException: " + ee.getMessage());
                System.out.println("Error Filesize is " + nByte + " of " + iFilesize + "---" + sErrPs);
                break;
            }
            nByte++;
            iFilesizeDone++;
            iCnt++;
            if (iCnt >= 10240) {
                ShowProgress(nByte, iFilesize, iFilesizeDone, iFilesizeTotal); // repaint does not work during init-procedure
                iCnt = 0;
            }
        }
        line = "Progress: Total: " + ((iFilesizeDone * 100) / iFilesizeTotal) + " perc, " + iFilesizeTotal / 1024 + " kbytes";
        labLine.setText(line);
        //dos.flush(); // improves Client performance (Agent-Call!)
        dis.close();
        dos.close();
    } // End try
    catch (EOFException ee) {
        System.err.println("EOFException: " + ee.getMessage());
    } catch (SecurityException se) {
        System.err.println("SecurityException: " + se.getMessage());
    } catch (IOException ioe) {
        System.err.println("IOException: " + ioe.getMessage());
    }
perhaps they've changed something with the file blocking.
btw, you should try to use something like this
    DataInputStream dis = new DataInputStream(is);
    byte[] buffer = new byte[8192];
    int numBytesRead;
    // read() returns -1 at end of stream; available() can be 0 before that
    while ((numBytesRead = dis.read(buffer)) != -1) {
        // buffer[0 .. numBytesRead) holds the bytes just read
    }
-
Signed applet for file download?
Hello folks,
I have a signed applet through which I can upload multiple files to a servlet. I wish to create another applet or enhance this one to enable it to download multiple files from the server to the client m/c. Any idea how to go about it?
I will appreciate your helpful replies.
Thank you,
Coreli
which part? You apparently already know how to sign an applet... and use a file chooser... and create servlets that can take files.... seems you need to do the opposite and use input streams where you used output streams before and vice versa...
-
User rejected the cab - signed applet doesnt load
Hi,
I have signed my cab file and IE requests permissions when I access it. If I deny the permissions, my signed applet doesn't load. Is there any way to make the applet load even if I don't grant the permissions? I expect only the 'out-of-the-sandbox' operations to fail - not the entire applet!
Thanks
I found a solution to this. Details on my blog at:
http://brandon.fuller.name/archives/2004/08/19/23.19.48/
-
Signed cab file using j++, IE, XERCES
HI:
I am using J++ and adding class files from XERCES.jar
for parsing. I add the class files manually using J++
and they are definitely in the .cab file. And I am sure it downloads the cab w/ the files. But,
IE 5.5 gives me a classNotFound Exception when it tries to load in the classes. Any idea why they would not show up???
THANKS
1. make sure you first unjar XERCES.jar in the same directory where your classes are
2. make the cab file using all the classes, yours and the ones from the jar file.
Here is an example:
    cd <directory_with_all_classes>
    cabarc -s 6144 -r -p n mycab.cab *.class *.gif *.ini *.properties
If you want, you can then sign the cab file using signcode.
I hope this will help you.
Iulian -
How to create and sign CAB files info on Supplement Option
To all Supplement Option subscribers:
At the supplement option for iDevelopment Accelerators, I uploaded a zip with detailed info on how to create and sign CAB files (necessary when you are running your application on the Native IE Java Virtual Machine).
Not all functionality provided to you through JInitiator will work (e.g. WebUtil doesn't) but the way how to make and sign a CAB file will become more easy.
Cheers,
Marc Vahsen
Headstart Team
This defeats the purpose of trying to centralize SAP-related web resources on the SAP server. Typically IIS/Apache or other non-SAP servers are under the control of IT and not the SAP BASIS group.
We simply would like to have a centralized location to store static web files so that they are not overwritten during Portal support pack applications. -
Signed applet still shows:"warning:applet window"
I have signed a cab file for use with IE.
But it always shows the message "warning:applet window" in the status bar.
Am I missing something?
Should not be signing enough to eliminate this message??
regards
-S
Microsoft has a Knowledge Base article on this. Try this link:
http://support.microsoft.com/support/kb/articles/q169/8/08.asp
HTH,
Carl Rapson -
Signing applets, going crazy
hi,
I think I've posted enough threads on signed applets and
still haven't got the solution, and I'm a strong believer
that any sort of problem will be solved in the forums,
and I still believe in that. Ok! I don't want to bore u,
here is my problem:
1) I've signed the applet using keytool and specified the
signed.jar file in the archive parameter in the <applet> tag,
but each and every client has to get the .java.policy
file to be placed in their windows home directory!!!
Is that the rt way to do it, or is there any way to link
the .java.policy while signing the applet.
2) I've also tried signing the cab files, ok fine, but I don't
know how to set the permissions in the .ini file in SDK for
java, no proper documentation, and also when I got to
use the plugin converter to use my applet since the
browser doesn't recognise the rmi classes, so when I use
the plugin, and also the cabbase parameter, I'm not able
to get it, but I'm able to get one of my applets going
which is a normal applet that tries to write a file on to the
desktop, but it doesn't have the plugin.
3) Is there any way to make the applet work without using the
plugin concept? I came to know that if I specify archive
for rmi.zip, it should work, but I couldn't do it, is there any
other version of rim.zip
Sorry 4 a long story,
ThanX for bearing me.
kiran,
[email protected]
1: From my understanding, if you sign the applets you should not have to set policy files onto the client side.
Applets should have complete unrestricted access to the system when these are signed.
2: Are you trying in any way to perform callbacks through firewalls? If you do, check RMI vs Internet on this forum.
RMI works without plugin for jdk1.1 and over
3: I don't know, sorry.
-
**URGENT : signed applet still doesn't get full permissions**
I've bought a Microsoft Authenticode certificate with which I signed a CAB file containing my class files...
On a client machine, the browser detects security stuff but even when one acknowledges, the applet still doesn't get the permission, for instance, to open a directory for reading... a SecurityException is thrown as if the applet was not signed.
Have I forgotten something or did another one wrong ?? Must I set the Security Manager to null ????
It's really urgent, so please reply asap !!!
Thanks,
Régis Kuckaertz
Just signing the applet doesn't give it any permissions. You have to assert whatever permissions you want. For example:
    import com.ms.security.*; // need dummy classes to compile for non-MS

    try {
        // check if we are in the MS JVM
        if (Class.forName("com.ms.security.PolicyEngine") != null) {
            // Assert all Permissions
            PolicyEngine.assertPermission(PermissionID.SYSTEM);
        }
    } catch (Throwable cnfe) {
        System.out.println("Microsoft JVM permissions not asserted.");
        System.out.println(cnfe.getMessage());
    }
-
File read access denied for signed applet
Hi:
I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
    java.lang.Exception: java.security.AccessControlException:
    access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)
The error is produced when the method loadKeyStore(pin) below is called.
    private KeyStore ks;
    private Provider provider;
    private static final String providerName = "PKCS11";
    private static final String providerLibrary = "aetpkss1.dll";

    public void loadKeyStore(String pin) throws IOException,
            CertificateException, KeyStoreException, NoSuchAlgorithmException {
        if (provider == null)
            registerProvider(providerLibrary);
        try {
            ks = KeyStore.getInstance(providerName, provider);
        } catch (Exception e) {
            throw new KeyStoreException("Failed get keystore instance\n"
                    + e.getMessage());
        }
        try {
            ks.load(null, pin.toCharArray());
        } catch (Exception e) {
            throw new KeyStoreException("Failed load keystore\n"
                    + e.getMessage());
        }
    }

    public void registerProvider(String library)
            throws FileNotFoundException, KeyStoreException {
        String fileName;
        if (new File(library).isAbsolute())
            fileName = library;
        else
            fileName = getAbsolutePath(library);
        if (!(new File(fileName).exists()))
            throw new FileNotFoundException("No such file: " + fileName);
        // In-memory SunPKCS11 configuration: token name and native library path
        String config = "name = " + providerName + "\n"
                + "library = " + fileName;
        ByteArrayInputStream confStream =
                new ByteArrayInputStream(config.getBytes());
        try {
            provider = new sun.security.pkcs11.SunPKCS11(confStream);
            Security.addProvider(provider);
        } catch (Exception e) {
            throw new KeyStoreException("Can initialize " +
                    "Sun PKCS#11 provider. Reason: " +
                    e.getCause().getMessage());
        }
    }

    private String getAbsolutePath(String lib) throws FileNotFoundException {
        String[] searchPath;
        /* NOTE: This should be modified to suit different versions of *
         * Windows and not just Windows XP */
        if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
            searchPath = new String[] { "C:\\WINDOWS\\system32",
                    "C:\\java" };
        } else {
            searchPath = new String[] { "/usr/local/lib/" };
        }
        for (int i = 0; i < searchPath.length; i++) {
            if ((new File(searchPath[i] + File.separator + lib).exists()))
                return (searchPath[i] + File.separator + lib);
        }
        throw new FileNotFoundException("Library not in search path " + lib);
    }
The above code is called by a java script, the class' constructor is empty.
The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
I have also made a CLI application that uses the above code and it works perfectly.
So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
The certificate I generated with
    keytool -genkey -keystore mystore -alias me
    keytool -selfcert -keystore mystore -alias me
I have tried both with and without the selfcert step.
Thanks! Erik
The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate. -
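The reply above traces the failure to the untrusted JavaScript caller on the call stack. As an added example (not code from this thread or from Svetlin Nakov's applet), one way a signed applet can run the token access under its own permissions is `AccessController.doPrivileged`, with everything except the PIN fixed by the signed code rather than supplied by the script. The class name, the hard-coded library path and the PIN length limit are assumptions; the code targets Java 5 to 8, where the `sun.security.pkcs11.SunPKCS11(InputStream)` constructor used in the question exists.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

/** Hypothetical helper class for a signed applet; not part of the original post. */
public class PrivilegedTokenLoader {
    // Fixed by the signed code. A script-supplied path must never reach the
    // privileged block, or the page could make the applet load any library.
    private static final String TOKEN_NAME = "PKCS11";
    private static final String LIBRARY_PATH = "C:\\WINDOWS\\system32\\aetpkss1.dll";
    private static final int MAX_PIN_LENGTH = 16; // assumed PIN policy

    private KeyStore ks;

    /** Method the page's script calls; only the PIN crosses the trust boundary. */
    public boolean loadKeyStore(String pin) {
        if (pin == null || pin.length() == 0 || pin.length() > MAX_PIN_LENGTH) {
            return false;
        }
        final char[] pinChars = pin.toCharArray();
        try {
            // doPrivileged stops the permission check at this class's frame, so
            // the untrusted script frames further up the stack are not consulted.
            ks = AccessController.doPrivileged(
                new PrivilegedExceptionAction<KeyStore>() {
                    public KeyStore run() throws Exception {
                        return openToken(pinChars);
                    }
                });
            return true;
        } catch (PrivilegedActionException e) {
            // getException() is the checked exception thrown inside run()
            System.err.println("Key store not loaded: " + e.getException());
            return false;
        } finally {
            Arrays.fill(pinChars, '\0'); // do not keep the PIN in memory
        }
    }

    /** Runs only inside the privileged block; keep it as small as possible. */
    private static KeyStore openToken(char[] pin) throws Exception {
        if (!new File(LIBRARY_PATH).isFile()) {
            throw new IOException("No such file: " + LIBRARY_PATH);
        }
        String config = "name = " + TOKEN_NAME + "\nlibrary = " + LIBRARY_PATH;
        Provider provider = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes()));
        Security.addProvider(provider);
        KeyStore store = KeyStore.getInstance("PKCS11", provider);
        store.load(null, pin);
        return store;
    }

    public boolean isLoaded() {
        return ks != null;
    }
}
```

Because the privileged block runs with the applet's full permissions on behalf of any script on the page, it should contain only the fixed operation shown here and return nothing more than a success flag to the caller.
-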
IS there code to avoid policy file push in a VeriSign Signed applet?
Q: Must a digitally signed (thus Trusted) Applet have some security code scripts -within the applet- to read specific "out of SandBox Permission" which have been Granted in the users Java.Policy file?
Actually at first I thought the applet was not finding the users Java.Policy file so I hard coded the permission below into the standard java.policy file just to test it but no luck.
I have the following Java Applet code which is digitally signed against a VeriSign Class3 Code Signing Certificate in the Trusted root. So I know the applet runs..
    import java.awt.*;
    import java.io.*;
    import java.lang.*;
    import java.applet.*;

    public class UserName extends Applet {
        public void init() {
        }

        public String runajacode() {
            String UserName = "";
            try {
                UserName = System.getProperty("user.name");
            } catch (SecurityException e) {
                // exception swallowed: UserName stays empty
            }
            return UserName;
        }
    }
I keep getting the security exception error when I try to read User.name property
Here is the text of the Java.Policy file which is placed in the users home directory
    /* AUTOMATICALLY GENERATED ON Fri May 10 11:37:28 CDT 2002*/
    /* DO NOT EDIT */
    grant {
        permission java.util.PropertyPermission "user.name", "read";
    };
Thanks BeforeHand
AJ
We cannot use the Java Plugin (company Rules) so you
are saying I must modify the original java.policy
file and without the Plugin the IE 5.5 VM will not
Well, I have to say that if u r not using the java plugin, then there is no need for the policy file and u have to use the VM of the browser. I don't think the browser will support the latest version of java and so u have to write your code according to the java 1.0 version. Microsoft have not updated their java jvm due to issues with sun.
Can u give me the code of the html file where u include the applet tags and let me have a look at it.
If u plan to use the applet in IE and signed, then u have to use the CAB file utility which can be downloaded from the Microsoft site. A signed cab file can run on IE only. Signed Jar can be run in plugins and netscape.
Let me know if u need further help.
ciao
-
How to resolve problems in policy file of signed Applet
Hi to All,
I want to connect to the web site through my Signed Applet which is working as a Proxy server, but I am facing certain problems in my policy file:
this is my policy file :-
    grant {
        permission java.security.AllPermission "", "";
        permission java.net.SocketPermission "http://www.google.com:4321", "connect, accept,resolve";
        permission java.security.UnresolvedPermission;
    };
and I got this type of exception and my Applet prompts "applet not initialized".
Got connection Socket[addr=/192.168.1.232,port=1200,localport=4321]
Reading request...
URI is: http://www.google.com/
Host to contact is: www.google.com at port 80
Got request...
java.security.AccessControlException: access denied (java.net.SocketPermission www.google.com resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
at java.net.InetAddress.getAllByName(InetAddress.java:1061)
at java.net.InetAddress.getByName(InetAddress.java:958)
at java.net.InetSocketAddress.<init>(InetSocketAddress.java:124)
at java.net.Socket.<init>(Socket.java:179)
at ProxyApplet.handle(ProxyApplet.java:75)
at ProxyApplet.<init>(ProxyApplet.java:132)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
at java.lang.Class.newInstance0(Class.java:350)
at java.lang.Class.newInstance(Class.java:303)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:721)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:650)
at sun.applet.AppletPanel.run(AppletPanel.java:324)
at java.lang.Thread.run(Thread.java:595)
here 4321 is Port no. which i've as a random port no.
plz Help
thnx in advance
with regards
pank_naini
Please, if you can't help me, could you tell me who can I contact ?
-
Signed applet : problem signing jar files that are in build path
Hello,
I have a problem while trying to create an ftp applet.
I use org.apache.commons.net.ftp and i build path for commons-net-1.1.4.jar and then i build my classes.
When i create a jar file with my classes and after signing it, it works under eclipse but not on a web page.
I had signed commons-net-1.1.4.jar before to build the path in eclipse but commons-net-1.1.4.jar is not in my jar file.
What is the way to sign an applet correctly even if some jar resources are in the eclipse build path?
Thank you
You were right!!!
I'm not sure what to write down in the formsweb.cfg (configuration file) , following the instructions on the on-line help of Developer Forms 10g , in step 9..
The step 9 says...
Because in this release the JACOB code is in an external Jar file and not incorporated into frmwebutil.jar, it needs to be downloaded. To do this, change the WebUtilArchive setting to read: webUtilArchive=/forms/webutil/frmwebutil.jar,/forms/webutil/jacob.jar
The doubt is pointed to the fact that the frmwebutil.jar isn't in the ORACLE_HOME\forms\webutil path but it is in the ORACLE_HOME\forms\java path.
Also , these paths referenced in webUtilArchive are physical paths in a Unix system or they are logical paths in a url?
Simon -
Question about Java Applet Jar file signing.
These questions pertain to Java 6 Standard Edition 1.6.0_22-b04 and later.
I have gone through the Oracle Java Tutorial for generating public and private key information
to sign a jar file, and how to sign the jar itself, all at
http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html
, and seek some clarification on the following related questions:
-In order to "escape" the java applet sandbox that exists around the client's
copy of the applet running in their web browser, ie.
(something forbidden by default), is verification of the signed applet enough, or is a policy file required
to stipulate these details?
-using the policytool policy file generator, what do I need to add under "Principals"
(if anything) when dealing with a Java applet? Are Codebase and SignedBy simply author information?
-If I choose to use a java.security.Permission subclass object set up in equivalent fashion within the Applet,
which class within the Applet jar do I instantiate that object in? Does it need to be mentioned
in the applet's jar Manifest.MF file?
-Is the "keystore database" a java language service/process which runs in
the Server's memory and is simply accessed and started by default
by the client verifier program (appletview/web browser)?
-The public key certificate file (*.cer) is put in the webserver directory holding
the Applet jar file (ie. Apache Tomcat, for example).
-Presumably, the web browser detects the signed jar
and certificate file, and provides the browser pop up menu asking the user
about a new, non recognised certificate (initially).
Is this so?
-With this being the case, can the applet now escape
the sandbox, be it with or without the stipulated
policy permissions?
848439 wrote:
-In order to "escape" the java applet sandbox that exists around the client's
copy of the applet running in their web browser, ie.
(something forbidden by default), is verification of the signed applet enough, or is a policy file required
to stipulate these details?
Just sign the applet, the policy file is not necessary.
-Is the "keystore database" a java language service/process which runs in
the Server's memory and is simply accessed and started by default
by the client verifier program (appletview/web browser)?
No.
-The public key certificate file (*.cer) is put in the webserver directory holding
the Applet jar file (ie. Apache Tomcat, for example).
No. For a signed Jar, all the information is contained inside the Jar.
-Presumably, the web browser detects the signed jar
and certificate file, and provides the browser pop up menu asking the user
about a new, non recognised certificate (initially).
Is this so?
No. It is the JVM that determines when to pop the confirmation dialog.
-With this being the case, can the applet now escape
the sandbox, ..
Assuming the end-user OK's the trust prompt, yes.
..be it with or without the stipulated
policy permissions?
Huh?
-
Include many jars for a complex signed applet in html file??
hello
I'd like to know how it's possible to put a signed applet in an html file, that needs many jar files.
I explain myself: I know that to create a signed applet and to put it in an html file, I need to create a Jar file that contains this applet, create a private key with keytool, sign the jar and include it in my html file with the tag <applet code="....." archive="......jar".... />
This works fine if my applet is a simple program that only uses the classes present by default in the jdk.
In my case, I have a big project, with many packages. In one of these packages, I have my applet that uses some classes of the other packages, which use classes from imported jars, such as BouncyCastle, and others...
There is still no problem when I run the applet from the applet viewer.
The problem appears when I put the JAR file with all these classes in the html file: there is a problem since it doesn't know anything of these classes imported from these jars.. It's quite obvious actually.
My question is: how do I do to make the html file aware of these classes? Is there an html tag that allows us to include many jar files? Do I have to decompress all these jars, take all the directories, add them to the directories of my project and create a BIG jar (that's what I did, but it's really dirty, and heavy! (11M))??
Does anyone have an idea about how I can do it?
Thanks for your help
Philippe
11 MB is pretty big for an applet.
Let's say your applet uses java 3d, normally a client would download and
install this separately, meaning the jars needed end up in lib/ext directory where
any applet can find them.
Check what applets need to be installed (put in lib/ext) and what can be
downloaded:
    <object .....
    <param name="archive" value="myJar.jar, myOtherjar.jar" />