CodeBase for Applet called from Javascript

I have a Search applet that is called from an HTML form in a browser when a button in the form is pressed. The Applet searches files in a folder/subfolders and uses a JSObject to create a new page for the browser with results. Up until recently I was using the plugin from jre 1.3.1 with the appropriate FilePermission entries in the .java.policy file and the applet worked as expected. IE if I added new folders to be searched, I had to add new entries to the policy file to give permission.
I then installed jre 1.4.2 and the applet started getting Security problems stating the program did NOT have FilePermission. I tried several changes to the policy file and finally found that if I put the FilePermission entries in the empty(Global) codeBase the applet would work.
What changed between jre 1.3.1 and 1.4.2?
I would like to understand how the system works, ie where is the true codeBase and not cop-out with giving global permission.
Any suggestions?
Also the Java Tutorial shows a Windows syntax for a path (uses \) : C:\testing\-
The policytool gets confused when I try to enter this. I use double \\ and it takes it OK when I do a Save. But later if I use policytool again to make changes somewhere else in the policy file, the \\ are removed and I end up with: C:testing- in the policy file. So I do it manually with an editor.
Norm

I would agree. Remember that the changes you make to the policy file apply to all applets that will ever be run on the system, not only to your applet.

Similar Messages

  • Signed applets called from javascript - how/where to load policy file?

    I'm running into some apparently well-known problems with signed applets accessing a client machine's hard drive.
    So, I can get things to work if I place the following two lines in my 'local' JDK installation:
    permission java.io.FilePermission "${user.home}/x.properties", "read,write";
    permission java.util.PropertyPermission "user.home", "read";These let me a) read the user's home directory and b) read/write a file that's located there.
    What I don't want to do is edit the java.policy file, but I'm having problems loading a separate policy file. The app server we run with our product is jetty, and I'm assuming I would be passing in the '-Djava.security.policy=='filename' with the other jetty start-up parameters- is this a correct assumption? And, what path do I give for the file, will I need to put it somewhere in the .war file we distribute, or in the JDK installation on the server? If it's on the server, will client machine's know about these extra rights?
    I'd REALLY appreciate any help I could get on this...
    thanks in advance,
    +0^^

    Maybe you didn't realize but my previous post was sarcastically ment:
    "hello SUN security stop bugging me in writhing this malicious program"
    and
    "hello SUN security, I'm a good boy now trust what I'm doing"
    Are in a practical sense exactly the same.
    SUN should either remove the stack check or the doprivileged. The stack check takes up
    valuable resources for nothing since a malicious program can easily circumvent that.
    Your post about a malicious user abusing your (CA) signed applet to ruine someone's
    system is correct, it would not be difficult. A CA signed applet will not even ask a user to
    trust or not. This is one of the reasons we have the usepolicy in affect, but this cannot be
    used on "grandma's old PC" since it's too complicated for users to do such things.
    YOU seem to be the one to blame, not the hacker! (The user accepted YOUR
    certificate!).Actually you are to blame, because you made software that exposes a vonurability
    other people can take advantage of.
    what you can do before calling the doprivileged private method is check the call stack.
    So your signed applet has a public method checking the callstack, if this lookes OK
    that method will call the private doprivileged method.
    Here is the example
    package t;
    import java.util.Properties;
    import java.applet.Applet;
    public class test extends Applet {
             public test(){
                   startingPrivileged();
             public void startingPrivileged(){
                   System.out.println("this is the stack");
                   try{
                        throw new Exception("get the call stack");
                   }catch(Exception e){
                        StackTraceElement stack[] = e.getStackTrace();
                        for (int i=0; i<stack.length; i++) {
                             System.out.println("file: " + stack.getFileName() + " method: " + stack[i].getMethodName() + " class: " + stack[i].getClassName() + " at " + new Integer(i).toString());
                        // this is a really simple check to see if this method was started from the t. package
                        // a good hacker can just create it's own package named t and take advantage of this method
                        // if this method was started from the same package there is no reason to make this method
                        // public, protected would work.
                        // there must be a better way to check if this method was called by "your" or "trusted" code
                        if(stack[1].getClassName().startsWith("t.")){
                             dosomePrivileged();
              private void dosomePrivileged(){
                   System.out.println("this is the method that does privileged stuff");
         public static void main(String args[]) {
              new test();

  • Invoking Applet methods from Javascript for Netscape 6

    Hi,
    I am trying to invoke an applet method from javascript, but it is failing with Netscape 6 browser:
    I am doing it the following way-
    function test(form)
    var i = document.myapplet.getname();
    where myapplet is the name of the applet and getname is a method within the applet. This is
    working with Ie but not with netscape 6.
    I would appreciate it if someone could tell me how should I invoke the applet method for netscape browsers.
    Thanks.
    Jay Srin.

    Not working with NS 6 - and will not i guess till they upgrade to Mozilla Version 1.0 - Live Connect is not implemented 100% correct yet - if you want you can download the 7.0 Pre Release Netscape - since its using mozilla 1.0 it should work , see :
    http://forum.java.sun.com/thread.jsp?forum=30&thread=272975

  • Applet function call from javascript

    Hi,
    I'm haveing a problem with accesing applet's functions from Javascript in Mozilla. IE works fine but in Mozilla I get the following error:
    Error: document.applets[0] has no properties
    The code used is: document.applets[0].test();
    The applet has the following 2 tags defined, I don't know if they are necessary here but I'm doing the reverse too (applet functions call javascript).
    <PARAM name="MAYSCRIPT" value="Y">
    <PARAM name="SCRIPTABLE" value="Y">
    If you have any ideea please help.
    Thanks

    in javascript try document.getElementById("idOfTheApplet")
    use object tag instead of applet tag:
         <object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
                  height="300" width="450" >
            <param name="code" value="appTest.class" />
            <!--[if !IE]> Mozilla/Netscape and its brethren -->
            <object classid="java:appTest.class"
                    height="300" width="450"
                    >
              <param name="mayscript" value=Y" />
            </object>
            <!-- <![endif]-->
          </object>or check out HtmlConverter.exe in the jdk bin dir.

  • Calling from javascript a method which uses accesscontroller.dopriviledged

    Hello everybody!
    I've a problem in accessing my pc resources from a signed applet when calling methods from Javascript.
    If I try from start() or init() methods, I can do it, but as soon as I try from anoter method defined by myself, it throws this me an AccessControlException:access denied.
    I googled and found that I should use this code:
    KeyStore smartCardKeyStore= (KeyStore)
                 AccessController.doPrivileged(
                           new PrivilegedExceptionAction() {
                             public Object run() throws KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, IOException {
                                 KeyStore alfa;
                                 alfa = KeyStore.getInstance("PKCS11",pkcs11Provider.getName());
                                 alfa.load(null,null);//this is the point where it trhew the AccessControlException
                                 return alfa;
                         );The problem is that with this code, I can't get it work with Firefox (which doesn't throw any exception, just won't work!) neither with IE, which throws this:
    netscape.javascript.JSException: Nome sconosciuto.
    java.lang.Exception: netscape.javascript.JSException: Nome sconosciuto.
         at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
         at sun.plugin.com.DispatchImpl$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.plugin.com.DispatchImpl.invoke(Unknown Source)Please, help me! I'm in a big trouble, since I should finish my project asap and I am not able to pass this cumbersome obstacle...
    Thank you in advance! :)

    Hi! Don,
    You cannot call methods which breach Security from Javascript. That is what SUN says.
    But there is a hack, or a work around...
    Declare a boolean Variable , say named buttonClicked.
    Initailly keep its value false(default).
    Write an inner class that extends a thread class whose RUN method will contain the following piece of Code:
    public void run(){
        while(buttonClicked){
                     KeyStore smartCardKeyStore= (KeyStore)
                 AccessController.doPrivileged(
                           new PrivilegedExceptionAction() {
                             public Object run() throws KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, IOException {
                                 KeyStore alfa;
                                 alfa = KeyStore.getInstance("PKCS11",pkcs11Provider.getName());
                                 alfa.load(null,null);//this is the point where it trhew the AccessControlException
                                 return alfa;
    }You start the Thread inner class in your init method.
    So, its RUN method will continuously be waiting to go into the while loop.
    And in your start method you will set the +"buttonClicked"+ variable to true upon a Javascript onclick event of a button.
    So, the moment you click a button, you only set the buttonClciked variable to true in your start method--------
    This does, in no way breach security. So no exception is thrown.. But the code which breaches security is initiated by another thread other than that spawned the Applet; so the browser does not care anything about its privileges. It just lets the execution of the code.
    I hope it works for you; be in contact, if it doesn't.
    Thanks and Regards,
    Samba

  • New Window for Form called from a form based on a procedure

    Hi
    I have a form that is based on a procedure that asks for an employee number. The number is then passed to the procedure. The procedure then calls the next form passing in the employee number.
    This works however I would like the form called from the procedure to open in a new window while still being able to pass in the employee number as a parameter.
    Is there a way to do this? I have tried looking at wwa_app_module.new_instance & wwv_media.show_newwindow but I these only take the moduleid, I can't see how to pass in the employee number at the same time.
    Any help would be appreciated.
    Thanks
    Belinda

    Hi,
    You can pass parameters like this
    wwv_redirect.url('SJAYARAM_9042F.wwa_app_module.link?p_arg_names=_moduleid&p_arg_values=1060253649&p_arg_names=deptno&p_arg_values=10&p_arg_names=_deptno_cond&p_arg_values=%3d');
    In this example the parameter deptno is passed with a value 10 and conditional operator '='
    Hope that helps.
    Thanks,
    Sharmila

  • Best Practice for EJB calls from servlet?

    Hi folks
    I could not find general rules for making calls to an stateful EJB from the web container (e.g. from a backingBean). In some books they say it is a bad programming style calling them directly from a common servlet. The book says create first an HTTPSession Object and from there call the stateful EJB.
    I'm a bit confused because, I'm missing some best practice guide from where to initiate such calls.
    Can somebody please point me in the right direction?
    Kind Regards
    Bruno
    Edited by: zajoho on Oct 30, 2008 11:14 PM

    Hi Bruno,
    The main issue with the combination of stateful session beans and servlets is the servlet threading model.
    It is dangerous to store a stateful session bean reference in servlet instance state, since the servlet instance
    can be accessed concurrently, yet a stateful session bean reference is intended to be used by only one
    client.
    As you point out, one alternative is to store the reference in the HttpSession. That associates the reference
    with a particular client, which matches the stateful session bean programming model.

  • Best approach for RFC call from Adapter module

    What is the best approach for making a RFC call from a <b>reciever</b> file adapter module?
    1. JCo
    2. Is it possible to make use of MappingLookupAPI classes to achieve this or those run in the mapping runtime environment only?
    3. Any other way?
    Has anybody ever tried this? Any pointers????
    Regards,
    Amol

    Hi ,
    The JCo lookup is internally the same as the Jco call. the only difference being you are not hardcoding the system related data in the code. So its easier to maintain during transportation.
    Also the JCO lookup code is more readable.
    Regards
    Vijaya

  • How to disable "slide to call" feature for missed calls from lock screen on ios7

    I realized that when the iphone (running iOS7) is locked, the“Slide to Call” allows anyone to make an outgoing call to the missed calls from a locked phone (with passcode).
    it is nice feature for people who don't care about locking their phone.but I believe there should be an option to disable the “slide to call” or at least require password before allowing the outgoing call to go through.
    This is a serious security issue.it should be user configurable.
    Hope Apple will take it seriously and release a update for the same.

    You can provide feedback to Apple here: http://www.apple.com/feedback/iphone.html

  • Option to disable the "slide to call" feature for missed calls from lock screen

    I realized that when the iphone (running iOS5) is locked, the“Slide to Call” allows anyone to make an outgoing call to the missed calls from a locked phone (with passcode). This may allow malicious and unwanted calls to be made from a locked phone by anyone having access to the phone and defeats the purpose of having the phone locked by a passcode.
    Don't get me wrong, it is nice feature for people who don't care about locking their phone, but I believe there should be an option to disable the “slide to call” or at least require password before allowing the outgoing call to go through. 
    At this point the only option that I see is to disable the phone related notifications from lock screen, which prevents all phone related notifications to be displayed on lock screen (missed or voicemail). This is not a desired solution.....
    This is the first time in the history of iOSes, that a user can make outgoing calls from a locked phone with a passcode. Even the voice commands (for dialling a number) have option to be disabled on locked screen.
    I was wondering if anybody else feels the same way about this? or have a solution?

    I share the same feeling with you about this issue.
    Actually I was very surprised when I discovered that!
    In addition to this, when you actually slide a missed call, it calls the person and when you end the call, the notification of the missed call is still present! So that person can be called again and again and again.
    This is a serious issue that Apple has overlooked!
    Please secure the iOS 5.
    Thanks.

  • Change iPhone number for outgoing calls from mac (Yosemite)

    I have two iPhones, and one of the iPhone is set for iPhone cellular calls (handoff) in macbook under FaceTime preference. How to change this number so that I can make outgoing calls from different iPhone?

    Hi,
    If you Erased the Drive  and set up the computer anew it will depend on how you migrated/imported your Mac User Account (if you even did).
    Mostly the process will make the Mac seen as a "New" computer.
    In some cases this will means settings that involve some sort of "pairing" will not work.
    You may also get to the point of having 5 "devices" linked to iTunes because of this.
    I have  G4 that is coming up on 121 years old.
    It has 4 drive bays and some of the drives are partitioned.
    It will boot into OS 9 and every version of OS X up to and including Leopard (OS X 10.5)
    I have tended to Clone the current set up and then Update the main Drive.
    It does mean though that iTunes counts them all individually.
    On top of that I have a Snow Leopard MacBook Pro and my current Yosemite booted iMac (It also has Older OSes on External Drives)
    The outcome is that you might have to re-link the two devices.
    9:38 pm      Friday; January 2, 2015
    ​  iMac 2.5Ghz i5 2011 (Mavericks 10.9)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),
     Couple of iPhones and an iPad

  • Call Applet method from JavaScript, tiny test program works... SOMETIMES!?

    I have an embedded Applet in a web page, and I am trying to directly call a method in that Applet from the same page, using JavaScript.
    Here is the complete Applet:
    import java.applet.Applet;
    public class Test extends Applet {
      public String test() {
        return "test() method return value";
    }Here is the complete web page:
    <HTML>
    <HEAD><TITLE>Applet Invocation test</TITLE></HEAD>
    <BODY>
    <APPLET CODE="Test" WIDTH=10 HEIGHT=10 NAME="test"></APPLET>
    <HR>
    <SCRIPT>
    document.write( "JavaScript is working<br>" );
    document.write( document.test.test() );
    </SCRIPT>
    </BODY>
    </HTML>Is there anything wrong with this? Because it works about 15% of the time, displaying an <HR>, "JavaScript is working", and then "test() method return value" on the next line.
    The other 85% of the time, it just gets to "JavaScript is working", then I get a JavaScript error "Object does not support this property or method" for the line: document.write( document.test.test() );
    Now here's another weird quirk... I can get it to work ALL the time, if I delay the execution of the Applet method. For example, if the first line after <SCRIPT> is alert( "alert" ); then the user gets a little dialog box with "alert" message in it, and when they hit OK execution continues, and the applet method call ALWAYS works. (On a side note, if I make the Applet test() method static, it NEVER works. Why is this?)
    So it seems to me, that when it is failing, it is because the Applet is not completely loaded into the browser yet. My question is, how can I get around this?? Is there a way to instruct JavaScript to wait until the Applet is finished loading before attempting to call any methods on it?
    PS I am using Windows ME and IE 6

    Thanks for the reply, I appreciate it. I have another question, if you don't mind... here is what my new test web page looks like:
    <HTML>
    <HEAD>
    <TITLE>Applet Invocation test</TITLE>
    <SCRIPT>
    function testFunc()
      document.write( document.test.test() );
    </SCRIPT>
    </HEAD>
    <BODY onLoad="testFunc()">
    <APPLET CODE="Test" WIDTH=10 HEIGHT=10 NAME="test">
    </APPLET>
    <HR>
    </BODY>
    </HTML>What happens is: the page loads, I see a 10x10 grey applet box, and a <HR>... then a split second later, onLoad is fired, and everything on the page so far is REPLACED with the output of testFunc(), so the ONLY thing on the page after this all completes is "test() method return value"
    Why is a single document.write() statement CLEARING the page before outputting? I don't understand. If calling a document.write() from an onLoad event wipes out everything on the page, this is not extremely helpful solution.

  • Call applet methods from Javascript

    Hello,
    If I call applet method like :
    function callbackFunc(){
        var pp = appletID.getData();
        alert(pp);
    It works only if applet is deployed with <APPLET> tag or with javascript.
    If applet is deployed using <Object> and <embed> tags, in browser console the error is :
    TypeError: appletID.getData is not a function
    I couldn't find why is that behaviour. What do I do wrong?
    Thanks

    Hi Paul,
    (1)Seems to be your Java Runtime Environment path is still setted for JRE 1.3.0_01 and not for 1.3.1. So pelase go to the
    Control Panel-->java plugin 1.3.1-->Advanced. Here you set the Java Runtime Environment to the JRE 1.3.1 version. Its better to remove the older version before installing the new version on JRE.
    (2)<OBJECT> tag won't work for Netscape. You can only use <APPLET> or <EMBED> tag for Netscape.
    Hope this will help you.
    Anil
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support

  • Call to Applet Method from JavaScript Failed.

    I Am calling a method from a javascript function from within a web page.
    The page is loaded into a frame. The parent window of the frame has stored a reference to the applet which defines the methods. Note I am treating the reterence to the applet as a global variable. So that I can reference it methods as I navigate from one page to another.
    I have JavaScript objects defined, and I am passing them as parameters to the applet's methods. In java, the JavaScript objects are refererenced as JSObject. When I call a java method passing a JavaScript
    Object I get the following exception. Note Iam using j2sdk1.4.2_01 on a Windows 2000 Professional System. This problem start occurring after the recent Microsoft Worm/Virus a fix was loaded on my system which resulted in the following bug. Could someone please help me.
    java.lang.NullPointerException
         at sun.plugin.javascript.ocx.JSObject.setIExplorerAppletContext(Unknown Source)
         at sun.plugin.com.DispatchImpl.convertParams(Unknown Source)
         at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
         at sun.plugin.com.DispatchImpl$2.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.plugin.com.DispatchImpl.invoke(Unknown Source)
    java.lang.Exception: java.lang.NullPointerException
         at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
         at sun.plugin.com.DispatchImpl$2.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.plugin.com.DispatchImpl.invoke(Unknown Source)

    A little code snippet would help. I use JSObjects from Java 1.4 no problem and do have all the latest updates. I also have JavaScript calling Java code as well - also with no problem.

  • Applet called from netbeans TomcatServletExample

    How?
    I started with the netbeans Tomcat Servlet Example as a base and it works fine.
    I would like to load an applet created under the same project and placed into
    the TomcatServletExample.war or in a seperate project with a seperate jar archive.
    (I have tried both)
    I have added the TestApplet.html to the Servlet project and call it from the example index.html
    My TestApplet.html just can not find my applet code.
    The error is a
    load: class socapplets.AReflectance.class not found.
    My HTML looks something like the following, I have tried many combinations with and without the
    codebase.
    <html>
    <head>
    <meta content="text/html; charset=ISO-8859-1"
    http-equiv="content-type">
    <title>TestApplet</title>
    </head>
    <body>
    Test Applet<br>
    <br>
    <APPLET CODE="socapplets.AReflectance.class"
    archive="socApplets.jar"
         WIDTH=550 HEIGHT=450>
    </APPLET>
    </body>
    </html>
    Is there a simple way of loading an applet into an external browser under netbeans. This
    is just for development only. I hope to make the applet communicate back to one of my servlets.
    My Browser is Mozilla 1.7

    Followup to my own question.
    I finally got my applet to run by adding a jar archive containing the applet directly to
    my tomcat war archive. This is ok but not ideal. I wonder if this is a strange feature of the
    bundled Tomcat or netbeans. This maybe the wrong forum, but I do
    see others with applet class not found questions. This may help.
    Thank you.
    ~
    ~

Maybe you are looking for

  • Set Cursor.vi fails after it has been called for 30 different panel refs in LV 7.1.1

    Make sure both attached files (Run LabVIEW_Cursor_TestCase.vi, SimpleVI.vi) are in the same folder. Run LabVIEW_Cursor_TestCase.vi notice that the -3 error code is returned from "Set Cursor.vi" after it has been called with 30 different panel refs. I

  • What have you found useful after setting up new solutions?

    I have a general question about the setup of new solutions in Solution Manager. At Tech Ed, one of the SAP reps mentioned that all of the production systems related to a process should go into one solution. What does that really mean? We have an ECC

  • Working multiple tasks and executable vi

    Hi, I have been working a code for a long time and it is getting closer to the end, but I have some doubts about building a standalone application. In the system, there are temperature and amperage measurement devices. I prepared the vi but I am not

  • Need help on setting up the strucute for a SideScrolling game

    I am using the tile approach and put the objects in a 2D array. For objects that move and interact with the chracters beyond just being there I have a list. The first group of Objects are called bricks and the second is World Objects. Bricks' locatio

  • Is there a way to hide the project name in the "Big SMPTE/Bar Displays"?

    Is there a preference I can't find? I understand why these are useful at the top of the big windows, but most of the time I'm trying to squeeze these meters at the bottom of the page, and these headers just make them harder to find a place for. Also,