Applet's security manager

Similar Messages

• Security manager & mention "Java Applet Window"

  A simple program that displays a frame with one button in it.
  The frame displays, no problem.
  When a security manager is added "System.setSecurityManager(new SecurityManager());"
  and the program is run again a "status bar" is added at the bottom of the frame
  mentioning "Java Applet Window".
  Why is that, and can it be suppressed ? (I am working in JDK 1.4)
  Any tip greatly appreciated

  I was dealing with this myself and just discovered that the adding the following line to my security policy removed the message:
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";

• Security manager - applet - write/read files

  Hi.
  I've been trying to built a SecurityManager to allow my java applet to construct a file (*.txt or *.doc) on the server (webhosting provider) it came from. Unfortunately when I use the setSecurityManager method to set my Security Manager as the default Security Manager for that specific applet, the applet throws a SecurityException. It wouldn't allow me to change the Security Manager.
  I want to change the default Security Manager so that my applet can have permission to read and write to the specified file (*.txt or *.doc). I don't want to save any kind of files on the host computer even if I can do that, I only require to save my file (*.txt or *.doc) to the computer from were the applet's classes came from.
  Thank you!

  If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's ok to replace the existing security manager. This may result in throwing a SecurityException. Thus I think that you need to grant the setSecurityManager permission to your current SecurityManager to be able to replace it.

• How to setup security manager for applet at runtime?

  hello everyone,
  I am wonder if there is a way to setup security manager at runtime. This is what I am trying to do:
  1. Create a Applet GUI and allow users to specify in an input dialog box of the URL they like make connection to.
  I know there is two way of do this
  1. Is modify java.policy file and specify the URL SocketPermission to connect to.
  2. setup signed certificate applet.
  But, I would to try to see if there is a way to have applet make connection at runtime when users specify the URL.
  Anyone have any ideas.
  Thanks.

  Thanks, Peter
  Going over some articles you and references that you pointed out was very useful on how the java security model work and a little bit history too.
  So, I am assuming that I can make my own securitymanager class that defines the permission of the applet that I am working, using Permission, SecurityManager, ....etc class right? I just want to be clear on what I am going to be doing.
  If you have any other thoughts, Thanks,

• Setting security manager

  Hi,
  I have a typical requirement which asks me to have a security manager which applies to only a part of the code and not to the whole code. I will try to explain it.
  Lets say I have a class A which does something (may be it accesses files, open socket connections over network etc etc). This class A is a sort of trusted class and is allowed to do everything. Now suppose this class is built in such a manner that it can load another class B at runtime which could be any class written by any third party. So what exactly class B will do cannot be predicted because it is a third party class. Now what I want is to set a security manager only for class B that will prevent it to do any nasty things like accessing file system, shutting down vm etc. . Please note that class A can do all these things but class B should not be allowed to do these. If class B tries to do any of those things then security exception should be thrown.
  Hope I made my point clear.
  Please note that I am not talking of Applets but complete application so pls dont forward any replies which applies to applets.
  Can anyone help pls........
  regards.

  Hey guys,
  crack_it:
  If you would rather dismiss the (A)pplication (P)rogramming (I)nterface then go ahead. No disrespect to the folks at O'Reilly, but reading the API is as good as hearing it from the horses mouth. If you could humour me, just test what the API says.
  I can't remember if we discussed it somewhere at some point, but I am under the impression you are locking-down you application designed in a plugin-architecture.
  If this is true, you simply need to specify two entries in your policy: one for your code in app_home/lib; one for third-party code in app_home/plugins. How you load these classes are irrelevant.
  As for detecting which classes trigger security checks, as mmhuda says, you can access the execution stack through the Thread class. You can retrieve information on the calling class and its method which made the call. These 'calls' are stacked i.e. most recent first. You may need to skip 3 or 4 frames (StackTraceElements) which represent the calls to access the stack information. It is troublesome. I recently implemented a similar method wihtin my Policy implementation to prevent it from being wrapped and exploited by other bogus policy implementations. I have a lookup of class.method --> class.method strings that represent permitted calls. All you would need to do is implement a lookup mapping class or class.method --> Permission or Permissions (PermissionCollection) containing what the class can do, and check against them.
  Now I have stated it, I am even more convinced; you are simply reimplementing the security infrastructure,or rather, shifting the function of the Policy and AccessController to your XxxxSecurityManager. Perhaps a waste of effort.
  mmhuda:
  Do not confuse terms; a class can be loaded and not in the execution stack - I wouldn't be surprised if a loaded class spends 99.99% of its life sitting idle off the stack. The stack represents a 'chain' of method calls for a particular Thread. It does not represent all the loaded classes in the JVM, otherwise the stack would be 100's of frames deep.
  Warm regards,
  D

• Role based reflection security manager?

  Hi,
  I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
  I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
  I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
  Thanks.

  Jrm wrote:
  Ok, fair enough regarding storing data on end user PC.
  But I see a contradiction here (or I mis-read you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?First of all, the SecurityManager is provided by the local computer, not the applet. But, the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code, it is trying to protect the local computer from unknown third-party code. the user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. you are trying to protect your code (+which is the third-party code with respect to the user+) from the user. that is the opposite situation, and does not work.
  I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
  Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?As i said in my previous post, there is no way to stop this. as a software developer, i'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). what makes you think that your java program is any more "secure" than those other programs?

• " plug-in name does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari Security "Manage Website Settings"?

  Hi,
  Wondering why "<plug-in name> does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari > Security > "Manage Website Settings"?
  Have been trying to get to the root cause of the problem but did not find much on this. I am trying to figure out what can get the warning to go away completely than using the Allow/Always Allow options for the plug-in
  Thanks,
  Shyam

  Hi Linc,
  Thank you for your response. Here is the screenshot of the warning that I am talking about.
  Here is what I do:
  1. Launch Safari and open its Preferences. I have Safari 7.1 installed on my machine.
  2. Click Security Tab and click Manage WebSite Settings
  3. A window opens showing me all the Plug-ins that I have (listed on the left hand side).
  4. One of them is the Adobe Reader plug-in. When I click Adobe Reader, the following details about the plug-in show up on the right
  I was referring to the highlighted section that warns me about this plug-in not using the highest level of security for Safari Plug-ins.
  Note: I do not see this for all my plug-ins (QuickTime, Adobe Flash Player don't give me this warning) which tells me that there is a way to make the warning go away.
  Thanks again,
  Shyam

• Need security management software for OS 8.6 through 9.2

  Are there any security management softwares available these days for OS 8.6 through OS 9.2? Something which lets the computer owner turn off firewire and USB is what I'm looking for. It would be nice to be able to allow only some selected USB devices, like a keyboard and a printer or scanner, and still disallow external drives or thumb flash drives, but turning off all USB would be useful on machines which don't need USB keyboards, like beige or B&W PMG3 computers or G3 iBooks.

  Are there any security management softwares available these days for OS 8.6 through OS 9.2? Something which lets the computer owner turn off firewire and USB is what I'm looking for. It would be nice to be able to allow only some selected USB devices, like a keyboard and a printer or scanner, and still disallow external drives or thumb flash drives, but turning off all USB would be useful on machines which don't need USB keyboards, like beige or B&W PMG3 computers or G3 iBooks.

• Rmi with security manager not working in netbeans

  Hello i'm trying to use rmi but get the error java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve) when i run it in netbeans. here is my code
  public static void main(String[] args) {
          if (System.getSecurityManager() == null) {
              System.setSecurityManager(new SecurityManager());
          try {
              String name = "Compute";
              Compute engine = new ComputeEngine();
              Compute stub =
                  (Compute) UnicastRemoteObject.exportObject(engine, 0);
              Registry registry = LocateRegistry.getRegistry();
              registry.rebind(name, stub);
              System.out.println("ComputeEngine bound");
          } catch (Exception e) {
              System.err.println("ComputeEngine exception:");
              e.printStackTrace();
      }It works if i don't have a security manager and it works with a security manager if i don't use netbeans to run it and use the command line. i need to use a secuirty manager because the client code is running in eclipse and it moans that there is no security manager if i run it without one
  this is the error i get when running with no security manager
  java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
       java.lang.ClassNotFoundException: takenoteremote.Compute (no security manager: RMI class loader disabled)
  Please help

  I have sort of got it to work, i took out the security manager and used the code base parameter on the command line, and put my interface into a jar file. I can only get it to work though on the command line, if i run it in netbeans it doesn't find the class in the jar file it needs.
  Any ideas?

• Windows 2008 r2 Cluster not starting - "unable to create security manager worker queues"

  Hello, following a power outage, we got a serious cluster error preventing the start of the cluster.
  We are trying to interpret the only four lines the cluster.log generates :
  00000330.000016cc::2014/09/26-10:44:06.348 ERR   [WTQ] bogus file creation failed, 2
  00000330.000016cc::2014/09/26-10:44:06.348 ERR   [WTQ] bogus file creation failed, 2
  00000330.000016cc::2014/09/26-10:44:06.348 ERR   [CS] Unable to create SecurityManager worker queues, 2
  00000330.000016cc::2014/09/26-10:44:06.363 ERR   Error 6
  AND if starting clussvc manually :
  Got ERROR_FILE_NOT_FOUND(2)' because of 'Error while creating the Security Manag
  er's Thread Pool' in
      000007fe:fd69940d( ERROR_MOD_NOT_FOUND(126) )
      00000000:001ff190( ERROR_MOD_NOT_FOUND(126) )
  We suspect a DLL problem (because of mod not found), but we are unable to find the ones involved even with process monitor.
  clusdb hive seems ok.
  The situation is serious, can anybody help, please ?

  Hi RodV,
  This error usually caused by cluster service fails to open a 
  handle to the \NUL device, Device manager shows the device instance in error state.
  Please check whether the following register value still exist, if not please backup your current registry then add the it.
  HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NULL\0000\CONTROL
  ActiveService REG_SZ Null
  I am glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Problem with Advanced Security Manager

  Hi
  I am using the advanced security manager to migrate security from Essbase 7 server to Essbase 11 server. The users who are externally authenticated on essbase 7 server are under native security mode on the Essbase 11 server after security import.Does the Advanced security manager put all the users (whether they are externally authenticated or under native security mode) in native security mode after import?
  Please help

  Hello 831221
  In version 11 "native" means that the users are stored in OpenLDAP (once Essbase was externalized).
  You would only be able to create "external" users if the Shared Services have been connected to an external User Source (e.g. MSAD) prior to
  importing the users.
  best regards
  .T

• Security manager not used with JNDI ?!

  Hi,
  I have a simple stand-alone java app that does a JNDI lookup
  and subsequent method invocation on the returned session bean.
  I never explicitly install a security manager and am wondering
  why there are no security problems getting the bean proxy
  and any subsequent code downloads from the WebLogic server.
  Seems like this would never work under under pure RMI, so
  what's going on in this case?
  Thanks, Garry

  Hi,
  According to the screenshot, it seems like compatibility problem, What's the type of your system?
  In addition, you can refer to the link below to view its compatibility list.
  http://gallery.technet.microsoft.com/LocalGPOmsi-Excellent-MS-2593b2eb
  Roger Lu
  TechNet Community Support

• Saving Password for a pdf file in HP Client Security Manager

  Hello,
  I want to save the password for a pdf file in the Password Manager of the HP Client Security Manager Software but the symbol for the entry of the password is not appearing on the top right of the screen. If I use the registered fingerprint a dialog opens where the Client Security Manager asks which account it should use to login. But i can't add a password for the file. The login for websites is perfectly fine. 
  Do you have any idea how to fix that?
  Is there a way to manually enter password for files?
  Thanks in advance.

  Thanks for the information.
  Suggest you to try uninstall and re-install the latest version which is - 8.3.3.1762. The direct link is:
  http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?sp4ts.oid=5405363&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalState%3Didx%253D%257CswItem%253Dob_129972_1%257CswEnvOID%253D4060%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253DdriverDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
  If this does not fix, then suggest you to log a call with technical support.
  Please do post any progress on this.

• Datagram socket and security manager

  I have subclassed the security manager to implement my own network security rules.
  However when the receive(datagramPacket) method is called by the my datagram socket, the host parameter passed to the checkAccept(host, port) method does not belong to the sender of the packet(to be received).
  How then can malicious addresses be blocked by the security manager, as suggested by the comments in the source code of DatagramSocket.
  Any help is greatly appreciated. Thank you in advance.

  However when the receive(datagramPacket) method is
  called by the my datagram socket, the host parameter
  passed to the checkAccept(host, port) method does
  not belong to the sender of the packet(to be
  received).It should. What are you getting instead?

• Security Manager/Access problem

  (WWC-00000)
  An unexpected error has occurred in portlet instances: wwpob_api_portlet_inst.create_inst (WWC-44846)
  The following error occurred during the call to Web provider: java.lang.NullPointerException
  at oracle.portal.provider.v2.security.URLSecurityManager.hasAccess(Unknown Source)
  at oracle.portal.provider.v2.DefaultPortletDefinition.hasAccess(Unknown Source)
  at oracle.portal.provider.v2.ProviderInstance.getPortletDefinition(Unknown Source)
  at oracle.portal.provider.v2.ProviderInstance.getPortletInstance(Unknown Source)
  at oracle.portal.provider.v2.ProviderInstance.getPortletInstance(Unknown Source)
  at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.registerPortlet(Unknown Source)
  at java.lang.reflect.Method.invoke(Native Method)
  at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.doMethodCall(Unknown Source)
  at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.processInternal(Unknown Source)
  at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.process(Unknown Source)
  at oracle.webdb.provider.v2.adapter.SOAPServlet.doSOAPCall(Unknown Source)
  at oracle.webdb.provider.v2.adapter.SOAPServlet.service(Unknown Source)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
  at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
  at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
  at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
  at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
  at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
  at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
  (WWC-43147)
  Removing the provider.xml security manager setting will do away with this problem.
  Versions being used: Portal 9.0.2 and PDK september.

  I have checked with PDK September samples related to Security Manager/Access and they are working fine. Please lets know for which PDK sample gives this error.