Applet Permissions

Similar Messages

• Java applet permissions (allow access to ports 1024 )

  Hello everyone,
  Not sure if this is the place to post this question but this forum has been extremely helpful to me in the past.
  I'm interested in allowing a java applet to both edit my hosts file and bind to privileged ports (this is for a trusted corporate SSL VPN connection). I've tried editting my java.policy file, but it doesn't seem to affect anything. Even if I set a policy rule to temporarly allow ALL java applets to use privileged ports, it still won't work. Ditto for allowing write file permissions to /etc/hosts:
  grant {
    permission java.io.FilePermission "/etc/hosts", "write";
  The only thing that seems to work is running firefox in root, which I really don't want to do.
  Am I going about this the right way? Thanks!

  If applet is signed, Change in Java Control Panel tab Security, Security Level to High.

• Nm-applet permissions//password prompting

  I've gotten tired with wicd's general bugginess and I'm trying networkmanager + nm-applet. nm-applet refuses to work without root permissions in dwm (even if I manually start polkit-gnome). Is it safe if I run nm-applet with root permissions in ~/.xinitrc (this is the only way it will work)?
  Additionally, it seems that it refuses to prompt me for passwords even if a network has WPA2 security--it will only connect if I manually edit the connection to include the password. Is there any way to get nm-applet to prompt me for a password whenever I need one?
  Thanks

  I'm having the same problem did you ever get a fix?

• Applet Permissions - lang.java.RuntimePermission exitVM.0

  Hello All,
  I am new to java and working on java applet. I have an applet, of which functionality I wanted to extend in my java class. The applet requires so many permissions, which I have added in .java.policy file through java policy tool. But unfortunately it giving me following exception:
  java.security.AccessControlException: access denied (java.lang.RuntimePermission exitVM.0)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkExit(Unknown Source)
       at javax.swing.JFrame.setDefaultCloseOperation(Unknown Source)
       at SketchApplet_new.createAndShowGUI(SketchApplet_new.java:56)
       at SketchApplet_new.init(SketchApplet_new.java:45)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  I have added the java.lang.RuntimePermission exitVM but it is throwing an exception for exitVM.0, which I haven't got in policy tool.
  Please help me to add this permission to allow my applet execute properly.

  I'm having the same problem i've used this tutorial to sign the jar file http://forums.sun.com/thread.jspa?threadID=174214, and i'm not being able to solve the problem

• Proxy & applet & permissions

  In my applet I use this code:
  System.getProperties().put("proxySet", "true");
  System.getProperties().put("proxyHost", host);
  System.getProperties().put("proxyPort",port);
  The execution failed on the first line (java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
  ) I also try to grant permission for this applet: permission java.util.PropertyPermission "proxySet", "read, write";
  However it did not help. If I grant permission java.util.PropertyPermission *, "read, write; everything works fine.
  But I cannot grant this permission (too risky). Could you please help me what exact permissions should I grant?
  Thanks a lot

  Hi,
  The problem is that getProperties returns a instance of Properties, and no checks are done when you are trying to update that instance. That's why a check of * is done.
  Change your code so that you instead are invoking System.setProperty(String key, String value). A simple check of write permission on the key is done in that case.
  Kaj

• Lost with granting signed applet permissions

  Hi all,
  My apologies for the cross post, I have incorrectly sent this post to the jre forum but I think it is more specific to the signed aplpet forum..
  We need to deploy a very simple applet which sole role is to connect to a domain other than mother to send and get some data. We have a certificate from Verisign and have signed the applet. So far so good. The applet is compiled and signed with the jdk 1.3.1_12. With the JRE 1.3.1_x, it works just fine. If the jre 1.4.2_x is installed however, the connection doesn't happen and we receive a permission denied exception instead:
  java.security.AccessControlException: access denied (java.net.SocketPermission xxxxx resolve)
  With jre 1.4.2, when the applet loads, we do see the security prompt, but we get the permission denied exception even if we specifically choose to trust the applet. I thought this step would automatically grant all priviledges?
  So I don't know what to do from here. How can the applet request for the correct permission in jre 1.4.2_x? I looked around and found some information about policy files but I'm at a loss at how to use that, we have no control as to who will see the applet so I don't think we can ask all to update their policy file first.
  What we want to have is for our users to grant priviledge at the security prompt and not worry about anything else, even with jre1.4. Can it be done?
  Any help would be much appreciated.
  Tim.

  If the above information doesn't help you a full trace might come in handy:
  To turn the full trace on (windows) you can start the java console, to be found here:
  C:\Program Files\Java\j2re1.4...\bin\jpicpl32.exe
  In the advanced tab you can fill in something for runtime parameters fill in this:
  -Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect
  if you cannot start the java console check here:
  C:\Documents and Settings\userName\Application Data\Sun\Java\Deployment\deployment.properties
  add or change the following line:
  javaplugin.jre.params=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
  The trace is here:
  C:\Documents and Settings\your user\Application Data\Sun\Java\Deployment\log\plugin...log

• Lost with signed applet permissions

  Hi all,
  We need to deploy a very simple applet which sole role is to connect to a domain other than mother to send and get some data. We have a certificate from Verisign and have signed the applet. So far so good. The applet is compiled and signed with the jdk 1.3.1_12. With the JRE 1.3.1_x, it works just fine. If the jre 1.4.2_x is installed however, the connection doesn't happen and we receive a permission denied exception instead:
  java.security.AccessControlException: access denied (java.net.SocketPermission xxxxx resolve)
  With jre 1.4.2, when the applet loads, we do see the security prompt, but we get the permission denied exception even if we specifically choose to trust the applet. I thought this step would automatically grant all priviledges?
  So I don't know what to do from here. How can the applet request for the correct permission in jre 1.4.2_x? I looked around and found some information about policy files but I'm at a loss at how to use that, we have no control as to who will see the applet so I don't think we can ask all to update their policy file first.
  What we want to have is for our users to grant priviledge at the security prompt and not worry about anything else, even with jre1.4. Can it be done?
  Any help would be much appreciated.
  Tim.

  Apologies, I think this post would have been more suited for the sigend applet forum. I have reposted there, please ignore the post in this forum.

• How do I change applet permissions just for development?

  I'm trying to write an applet which will have to make an http connection to an external server. I presume the only way to forego the security restriction preventing me making that connection is to sign the applet. However, it won't be very practical to repackage and resign the applet every time I wish to update it during development. Is there any way to get around this beside running it as an application in the meantime? I'm hoping to avoid this since I will need to use JavaScript at some stage to interact with the applet and update some forms inside the page.
  thanks
  Alex

  AFAIK, u can turn off the security option in IE. But it is not feasible , if you are on the internet and u get mysterious applets spooking ur pc. go for signed applet.
  You can use ANT which can be found from jakarta.apache.org, makes compiling,signing and deploying a breeze.

• Applet permissions denied unpredictably

  I have a Java 1.5 applet using SwingWorker that seems to break unpredictably due to the following error:
  java.util.concurrent.ExecutionException: java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup)
  at java.util.concurrent.FutureTask$Sync.innerGet(Unknown Source)
  at java.util.concurrent.FutureTask.get(Unknown Source)
  at org.jdesktop.swingworker.SwingWorker.get(Unknown Source)
  The applet is signed with jarsigner using a key I generated with
  keytool and exported as a self signed certificate.
  One pattern I often observe is that the applet works fine the first time I download it from a new browser when it pops up a dialog asking me if I want to trust the signer I created. However, if I close the first applet window and open it again from the same browser I do not get the trust dialog and the applet fails as above. This seems to happen for all subsequent applet invocations from the same browser.
  I've observered this with Firefox 1.5.0.7 and IE 6.0 on Windows XPsp2.
  Thank you.

  I have a Java 1.5 applet using SwingWorker that seems
  to break unpredictably due to the following error:
  java.util.concurrent.ExecutionException:
  java.security.AccessControlException: access denied
  (java.lang.RuntimePermission modifyThreadGroup)
  at
  java.util.concurrent.FutureTask$Sync.innerGet(Unknown
  Source)
  at java.util.concurrent.FutureTask.get(Unknown
  Source)
  at
  org.jdesktop.swingworker.SwingWorker.get(Unknown
  Source)
  The applet is signed with jarsigner using a key I
  generated with
  keytool and exported as a self signed certificate.
  One pattern I often observe is that the applet works
  fine the first time I download it from a new browser
  when it pops up a dialog asking me if I want to trust
  the signer I created. However, if I close the first
  applet window and open it again from the same browser
  I do not get the trust dialog and the applet fails as
  above. This seems to happen for all subsequent
  applet invocations from the same browser.
  I've observered this with Firefox 1.5.0.7 and IE 6.0
  on Windows XPsp2.
  Thank you.Something is not getting shutdown properly; I'd wager your AWTEvent Thread.
  To ensure this, make sure you overwrite stop/start/run/init for the Applet
  as described here...
  http://java.sun.com/j2se/1.3/docs/guide/misc/threadPrimitiveDeprecation.html
  This is the safe way to implement stop/start. Do it this way and there are no issues and the behavior is consistent across different Thread / Event models/Operating Systems.
  I personally prefer the Runnable interface as opposed to Thread BTW.
  Good Luck!
  (T)

• Nm-applet permissions problem?

  After i've upgraded to Gnome3 (the reason why I post this here),
  my previously working nm-applet has gone mad. As I try to change settings,
  either from the panel applet, or from the control-center, it doesn't accept
  any of the changes.
  I've tried to launch it from a terminal too, no error message is shown.
  ( $ gnome-control-center network )
  And here comes the best: after changing the settings, I've a REALLY FAST popup window showing up:
  "System policy prevets users to change network settings", or something like this -
  (I've managed to read this by breaking my fingers on the PrintScreen key).
  In short, it asks for the root password, but I don't have the time to type, it disappears.
  1, my user is part of the network and networkmanager groups ( see wiki )
  2, if I launch "#gnome-control-center network " as root, the checkbox "accesible to all users" is well checked,
      root is able to change settings.
  3, I've crated another user, same promlem, not able to change anything
  everything worked 'til Gnome3 has arrived (besides of this, I like it... and that is just the beginning)
  Last edited by scar (2011-05-06 19:17:19)

  # ps ax | grep polkit
  3519 ?        Sl     0:00 /usr/lib/polkit-1/polkitd
  And I've temporary "solved" the problem by editing "/usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy".
  At the "<action id="org.freedesktop.NetworkManager.settings.modify.system">" changed the line:
  <allow_active>auth_admin_keep</allow_active>
  to
  <allow_active>yes</allow_active>
  But I really don't like this solution, I mean there are other users on my system too, I don't want them to change my settings.
  So, this is not a solution

• What are the default permissions for "self-signed" applets?

  Hello!
  I have a self-signed applet (=signed with a self made certificate) and under most plugin-enviroments java asks the user if it accepts this certificate as trustworth.
  On my linux-box I do not have any problems to write files to the local filesystem after I accepted this self-signed applet.
  However I've often read that users must grant some permissions even for signed applets, so is there a list of permissions that are denied by default?
  Are there differences between java releases starting with 1.2.2?
  Thanks in advance, lg Clemens

  Default settings are like you said, jre asks the user and everything will work.
  Unless.your applet uses classes that are not signed like with calls from javascript to your applet the plugin.jar is used and you'll get an exception when writing to files.
  When writing to files the OS might not allowe the user to write to a certain file or folder.
  Don't know what type of exception will be thrown if the OS doesn't allowe it but it has
  nothing to do with applet permissions.
  To change the default setting you can add the following line in the grant { bit of the
  java.policy
  permission java.lang.RuntimePermission "usePolicy";
  When this line is there all signatures will be ignored and an applet can only do extra
  things (like access to local files) if a policy is set up for this applet.
  To find out what's wrong at your clients site you should ask them to send a full trace
  and check that. I hope you did a .printStacktrace() on the exception in your code so
  you can see if any other classes are involved when the exception is thrown.
  To turn the full trace on (windows) you can start the java console, to be found here:
  C:\Program Files\Java\j2re1.4...\bin\jpicpl32.exe
  In the advanced tab you can fill in something for runtime parameters fill in this:
  -Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect
  if you cannot start the java console check here:
  C:\Documents and Settings\userName\Application Data\Sun\Java\Deployment\deployment.properties
  I think for linux this is somewhere in youruserdir/java (hidden directory)
  add or change the following line:
  javaplugin.jre.params=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
  for 1.5:
  deployment.javapi.jre.1.5.0.args=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
  The trace is here:
  C:\Documents and Settings\your user\Application Data\Sun\Java\Deployment\log\plugin...log
  I think for linux this is somewhere in youruserdir/java (hidden directory)

• Applets and files

  Hello!
  I have built an applet which have to write, read, delete some files. I have write the permissions in the java policy file and I have no problem to run the applet with appletviewer. However, when I try to run it with the web browser the applet write the files but then it doesn't find them when the applet needs to read the files. I have been reading and I think I have to change my initial folder in the java console but I`m not sure about how I have to do it.
  Thank you in antitipation for your help.

  You can find the java policy file in your Java folder Java/JRE/1.4.1/lib/security/java.policy.
  You have to open java.policy with the notepad and add the permissions you need and save the file. For example, if you want to allow your applet to read, write and delete files you have to add this lines to the java.policy file.
  grant {
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
  permission };
  Anyway, google java applet permissions and you will find web pages where you can learn to use grant.

• What are EXACT STEPS for giving an applet unrestricted access?

  Hello all,
  My company has developed a library for Java applications, and it's packaged in a jar file. We recently needed to create an applet to put on our website to demo the library's functionality. However, because it wasn't designed to be used in an applet, we get all kinds of security violations when running it in a web browser (reading system properties, reading Preferences API, reading local files, etc.)
  What we want is a really simple way for our potential customers to run this applet and give it permission to do whatever. We're a trustworthy company so they will be willing to accept an applet signed by us. However, they will not be willing (or even know how) to modify security policy files on their local machine.
  Can an applet signed by us get these permissions without the end user having to modify their policy file? I tried signing the applet using the techniques from
  http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html
  but the link may be out-of-date and it didn't work. Frankly I think Sun has failed miserably with regards to applet security - they made it incredibly difficult to do correctly and they provide no documentation on how to do it. Basically every topic in this forum is asking the same question - how do you easily give an applet permission to do what it needs to do?
  So here's the question: once and for all, can anyone provide a list of the exact steps necessary to give an applet permissions?

  Hello.
  "1. Create your code for the applet as usual.
  It is not necessary to set any permissions or use security managers in
  the code.
  2. Install JDK 1.3
  Path for use of the following commands: [jdk 1.3 path]\bin\
  (commands are keytool, jar, jarsigner)
  Password for the keystore is *any* password. Only Sun knows why...
  perhaps ;-)
  3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
  Enter keystore password: *******
  What is your first and last name?
  [Unknown]: Your Name
  What is the name of your organizational unit?
  [Unknown]: YourUnit
  What is the name of your organization?
  [Unknown]: YourOrg
  What is the name of your City or Locality?
  [Unknown]: YourCity
  What is the name of your State or Province?
  [Unknown]: YS
  What is the two-letter country code for this unit?
  [Unknown]: US
  Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
  correct?
  [no]: yes
  (wait...)
  Enter key password for tstkey
  (RETURN if same as keystore password):
  (press [enter])
  4. Export key: keytool -export -alias tstkey -file tstcert.crt
  Enter keystore password: *******
  Certificate stored in file tstcert.crt
  5. Create JAR: jar cvf tst.jar tst.class
  Add all classes used in your project by typing the classnames in the
  same line.
  added manifest
  adding: tst.class(in = 849) (out= 536)(deflated 36%)
  6. Verify JAR: jar tvf tst.jar
  Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
  68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
  849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
  7. Sign JAR: jarsigner tst.jar tstkey
  Enter Passphrase for keystore: *******
  8. Verifiy Signing: jarsigner -verify -verbose -certs tst.jar
  130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
  183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
  920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
  Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
  smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
  X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
  (tstkey)
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
  jar verified.
  9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
  (recommended to use HTML Converter Version 1.3)
  10. Place a link to the .crt file (created in step 4) in the HTML-File.
  This .crt file has to be opened by the browser and has to be set to
  trusted,
  as the root CA for testing is not known to the browser. For use with
  "real" certificates, this step should not be necessary."
  Only one my comment. You should sign all jars that your applet requires.

• How to run an applet with JDBC connectivity on a web browser

  I've created an Applet in Java with SQL connectivity...i.e. it retrieves certain data from a table in SQL and puts in the TextField.....
  Now, the problem is that this Applet works in NETBEANS....but fails to work when I use a web-browser..or the "appletviewer" command....
  It says that it doesn't have permission to access local files....On Research, i've found that it is somethin' related to the concept of "Signed Applets", "Permissions" & "Security Policies" in java which doesn't allow any applet (without Certificate) to access Local Files.....
  Can Somebody please tell how to overcome this problem.....?

  I'm going to be blunt with you. You are most likely going to have to redesign your application from scratch. And if it turns out you don't have to then you should anyway because it's a bad idea and fraught with peril.
  Anyway here the major touchpoints on this discussion. You can be the judge of how these various points apply to you.
  - Applets are restricted. - Yes Applets have a number of security restrictions on what they can or cannot do. This is designed to protect users from malicious applets. By signing your applet you can request permission from the user to do certain activities that are otherwise restricted. But not all.
  - If you are using the JDBC-ODBC bridge then you need a different driver. If you sign your applet it might work in some limited scenarios but it will be hairy and is discouraged.
  - If you are using Access or another file based database (CSV Excel etc) then you are doomed. You'll have to get yourself a different database. A non file based one. It doesn't matter if you sign your applet or not. You're still doomed.
  - If you are trying to connect to a database server that is not at the same physical address as your web server you are doomed. Signing the applet will not help
  - Connecting directly to a database from an applet is extremely risky business. Starting with now anyone can steal your username and password for your database quite easily.
  What you should do in the redesign is put all the database accessing code in a Servlet. This Servlet does not have to be Java, it could be PHP, Perl, ASP, etc. It doesn't matter. Just put it on the server side. Then have your applet connect to this code via a webservice to do what is required.

• Can I use policy to grant permission for my Applet?

  Hi,
  I want to know if I can use policy files to grant my applet permissions which are loaded from browser , like
  grant codebase "file :http://host/port" {permission java.security.AllPermission;}
  If anyone knows, please let me know. Thanks.
  Michael

  Yes, you can.
  Under Windows NT the policy file is in C:\WINNT\Profiles\USERNAME\.java.policy, in Windows 9x is in c:\windows\.java.policy
  HTH,
  Bruno.