Default security context for signed applets using WinXP+IE8

Similar Messages

• What is the best security package for an imac using yosimity

  What is the best security package for an imac using Yosimity

  Mac users often ask whether they should install "anti-virus" software. The answer usually given on ASC is "no." The answer is right, but it may give the wrong impression that there is no threat from what are loosely called "viruses." There  is a threat, and you need to educate yourself about it.
  1. This is a comment on what you should—and should not—do to protect yourself from malicious software ("malware") that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to take control of it remotely. That threat is in a different category, and there's no easy way to defend against it.
  The comment is long because the issue is complex. The key points are in sections 5, 6, and 10.
  OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
  2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."
  The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
  The following caveats apply to XProtect:
  ☞ It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
  ☞ It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
  As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.
  3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't necessarily been tested by Apple, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)
  Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
  ☞ It can easily be disabled or overridden by the user.
  ☞ A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
  ☞ An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
  Apple has taken far too long to revoke the codesigning certificates of some known abusers, thereby diluting the value of Gatekeeper and the Developer ID program. Those lapses don't involve App Store products, however.
  For the reasons given, App Store products, and—to a lesser extent—other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. Sandbox security is based on user input. Never click through any request for authorization without thinking.
  4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
  5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, not machine behavior, and no technological fix alone is going to solve it. Trusting software to protect you will only make you more vulnerable.
  The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and Internet criminals. If you're better informed than they think you are, you'll win. That means, in practice, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.
  Software from an untrustworthy source
  ☞ Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, or your browser, or any other software. A genuine alert that Flash is outdated and blocked is shown on this support page. Follow the instructions on the support page in that case. Otherwise, assume that the alert is fake and someone is trying to scam you into installing malware. If you see such alerts on more than one website, ask for instructions.
  ☞ Software of any kind is distributed via BitTorrent, or Usenet, or on a website that also distributes pirated music or movies.
  ☞ Rogue websites such as Softonic, Soft32, and CNET Download distribute free applications that have been packaged in a superfluous "installer."
  ☞ The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.
  Software that is plainly illegal or does something illegal
  ☞ High-priced commercial software such as Photoshop is "cracked" or "free."
  ☞ An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission. All "YouTube downloaders" are in this category, though not all are necessarily malicious.
  Conditional or unsolicited offers from strangers
  ☞ A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
  ☞ A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.
  ☞ You win a prize in a contest you never entered.
  ☞ Someone on a message board such as this one is eager to help you, but only if you download an application of his choosing.
  ☞ A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.
  ☞ Anything online that you would expect to pay for is "free."
  Unexpected events
  ☞ A file is downloaded automatically when you visit a web page, with no other action on your part. Delete any such file without opening it.
  ☞ You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any file that isn't what you expected it to be.
  ☞ An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
  ☞ Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.
  I don't say that leaving the safe harbor just once will necessarily result in disaster, but making a habit of it will weaken your defenses against malware attack. Any of the above scenarios should, at the very least, make you uncomfortable.
  6. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
  Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
  Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
  Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a padlock icon in the address bar when visiting a secure site.
  Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.
  7. Never install any commercial "anti-virus" (AV) or "Internet security" products for the Mac, as they are all worse than useless. If you need to be able to detect Windows malware in your files, use one of the free security apps in the Mac App Store—nothing else.
  Why shouldn't you use commercial AV products?
  ☞ To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. This technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.
  ☞ Its design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, commercial AV software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
  ☞ By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.
  ☞ Most importantly, a false sense of security is dangerous.
  8. An AV product from the App Store, such as "ClamXav," has the same drawback as the commercial suites of being always out of date, but it does not inject low-level code into the operating system. That doesn't mean it's entirely harmless. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
  An AV app is not needed, and cannot be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.
  Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:
  London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe
  You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an organizational policy requires it. Windows malware is so widespread that you should assume it's in every email attachment until proven otherwise. Nevertheless, ClamXav or a similar product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who says you must run some kind of AV application. It's free and it won't handicap the system.
  The ClamXav developer won't try to "upsell" you to a paid version of the product. Other developers may do that. Don't be upsold. For one thing, you should not pay to protect Windows users from the consequences of their choice of computing platform. For another, a paid upgrade from a free app will probably have all the disadvantages mentioned in section 7.
  9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.
  10. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe from exploitation, no matter what you do. Navigating the Internet is like walking the streets of a big city. It can be as safe or as dangerous as you choose to make it. The greatest harm done by security software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices.

• Restriction for signed applet

  Hi all,
  i signed applet which is trying to modify file tmp.txt on client machine. Is there any opportunity for client to forbid this action for signed applet?
  I tried use policy file but i was unlucky. It is ok for unsigned applet but what about signed one?
  Thank you for your response.
  benky

  you need to install the jre, and place the win32.dll at JavaSoft\JRE\1.3.1_06\bin, that properties file place at JavaSoft\JRE\1.3.1_06\lib, comm.jar at JavaSoft\JRE\1.3.1_06\lib\ext\
  and in ur code try to use it to open ur com port
  public String test() {
  String drivername = "com.sun.comm.Win32Driver";
  try
  CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
  catch (Throwable th)
  {* Discard it */}
  drivername = "javax.comm.*";
  try
  CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
  catch (Throwable th)
  {* Discard it */}
  portList = CommPortIdentifier.getPortIdentifiers();
  while (portList.hasMoreElements()) {
  portId = (CommPortIdentifier) portList.nextElement();
  if (portId.getPortType() == CommPortIdentifier.PORT_SERIAL) {
  if (portId.getName().equals("COM2")) {
  //if (portId.getName().equals("/dev/term/a")) {
  try {
  serialPort = (SerialPort)
  portId.open("SimpleWriteApp", 2000);
  } catch (PortInUseException e) {}
  try {
  outputStream = serialPort.getOutputStream();
  } catch (IOException e) {}
  try {
  serialPort.setSerialPortParams(9600,
  SerialPort.DATABITS_8,
  SerialPort.STOPBITS_1,
  SerialPort.PARITY_NONE);
  } catch (UnsupportedCommOperationException e) {}
  int i=0;
  while(true)
  try {
  messageString="hi";
  System.out.println(i++);
  outputStream.write(messageString.getBytes());
  } catch (IOException e)
  System.out.println(e);
  messageString=String.valueOf(e);
  return messageString;
  and yet u need to signed the applet
  1. Compile the applet
  2. Create a JAR file
  3. Generate Keys
  4. Sign the JAR file
  5. Export the Public Key Certificate
  6. Import the Certificate as a Trusted Certificate
  7. Create the policy file
  8. Run the applet
  Susan
  Susan bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.
  1. Compile the Applet
  In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.
  javac SignedAppletDemo.java
  2. Make a JAR File
  Susan then makes the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.
  jar cvf SignedApplet.jar SignedAppletDemo.class
  3. Generate Keys
  Susan creates a keystore database named susanstore that has an entry for a newly generated public and private key pair with the public key in a certificate. A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.
  In her working directory, Susan creates a keystore database and generates the keys:
  keytool -genkey -alias signFiles -keystore susanstore -keypass kpi135 -dname "cn=jones" -storepass ab987c
  This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.
  The generated key pair is stored in a keystore database called susanstore (-keystore susanstore) in the current directory, and accessed with the susanstore password (-storepass ab987c).
  The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.
  You can view all keytool options and parameters by typing:
  keytool -help
  4. Sign the JAR File
  JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.
  jarsigner -keystore susanstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles
  The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
  5. Export the Public Key Certificate
  The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
  The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
  5: Export the Public Key Certificate
  The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
  In her working directory, Susan uses keytool to copy the certificate from susanstore to a file named SusanJones.cer as follows:
  keytool -export -keystore susanstore -storepass ab987c -alias signFiles -file SusanJones.cer
  Ray
  Ray receives the JAR file from Susan, imports the certificate, creates a policy file granting the applet access, and runs the applet.
  6. Import Certificate as a Trusted Certificate
  Ray has received SSignedApplet.jar and SusanJones.cer from Susan. He puts them in his home directory. Ray must now create a keystore database (raystore) and import the certificate into it. Ray uses keytool in his home directory /home/ray to import the certificate:
  keytool -import -alias susan -file SusanJones.cer -keystore raystore -storepass abcdefgh
  7. Create the Policy File
  The policy file grants the SSignedApplet.jar file signed by the alias susan permission to create newfile (and no other file) in the user's home directory.
  Ray creates the policy file in his home directory using either policytool or an ASCII editor.
  keystore "/home/ray/raystore";
  // A sample policy file that lets a JavaTM program
  // create newfile in user's home directory
  // Satya N Dodda
  grant SignedBy "susan"
  permission java.security.AllPermission;
  8. Run the Applet in Applet Viewer
  Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:
  Html code :
  </body>
  </html>
  <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
  width="600" height="400" align="middle"
  codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,1,2">
  <PARAM NAME="code" VALUE="SignedAppletDemo.class">
  <PARAM NAME="archive" VALUE="SSignedApplet.jar">
  <PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
  </OBJECT>
  </body>
  </html>
  appletviewer -J-Djava.security.policy=Write.jp
  http://aURL.com/SignedApplet.html
  Note: Type everything on one line and put a space after Write.jp
  The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.
  Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.
  9. Run the Applet in Browser
  Download JRE 1.3 from Javasoft
  good luck! [email protected]
  i already give u many tips, i use 2 weeks to try this to success, hopw that u understand that, a result of success is not important, the process of how to get things done is most usefull!

• Security problem when signed applet dynamically load plugins

  Hi!
  I have one problem : "security problem when signed applet dynamically load plugins"
  This is the scenario:
  the main program [app.jar]
  . contain applet and shared library (interface & implement of common class)
  . it is signed and run normally on browser
  . it can draw image loaded from other URL [ex] http://bp1.blogger.com/image.jpg
  . the image loader is in the shared library
  . dynamically load amazon.jar through URLClassLoader and reflection
  the plugin [amazon.jar]
  . search amazon product [ex] Harry Potter book
  . draw image on applet
  . use image loader from shared library, BUT CANNOT LOAD IMAGE
  The question: "Why it cannot load image, because the image loader is in the shared library which has been signed and working?" I tried to sign the amazon.jar too, but it did not work.
  Your reply would be very helpful. Thank you.
  Sovann

  hello. i have create a signed applet for A.jar. A.jar include two package B and C. the main applet class is within B.
  B need some classes in C to run the applet. but i got the error that class in package c are not found.
  what shall i do?

• EJBException::No valid security context for the caller identity

  Hi,
  I was working with EJB and i had a basic doubt in security propogation from the web tier to EJB tier.
  I deployed an EJB on JBOSS app server and in that bean i was trying to get the caller principal object from the EJBContext and i was printing the name of the principal.
  System.out.println(ctx.getCallerPrincipal().getName());
  then i created ordinary EJB client which is a java class and when i invoked the business method i was getting the below error
  Exception in thread "main" javax.ejb.EJBException: java.lang.IllegalStateException: No valid security context for the caller identity
  at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63)
  at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
  at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
  This error sounds meaningful but how will i set the security context from the java class. If it can be done then is this the same way that the security principal propogates from web tier to EJB tier.
  Thanks,
  Suresh B

  Hi,
  I was working with EJB and i had a basic doubt in security propogation from the web tier to EJB tier.
  I deployed an EJB on JBOSS app server and in that bean i was trying to get the caller principal object from the EJBContext and i was printing the name of the principal.
  System.out.println(ctx.getCallerPrincipal().getName());
  then i created ordinary EJB client which is a java class and when i invoked the business method i was getting the below error
  Exception in thread "main" javax.ejb.EJBException: java.lang.IllegalStateException: No valid security context for the caller identity
  at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63)
  at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
  at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
  This error sounds meaningful but how will i set the security context from the java class. If it can be done then is this the same way that the security principal propogates from web tier to EJB tier.
  Thanks,
  Suresh B

• File read access denied for signed applet

  Hi:
  I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
  java.lang.Exception: java.security.AccessControlException:
      access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)The error is produced when the method loadKeyStore(pin) below is called.
      private KeyStore ks;
      private Provider provider;
      private static final String providerName    = "PKCS11";
      private static final String providerLibrary = "aetpkss1.dll";
      public void loadKeyStore(String pin) throws IOException,
       CertificateException, KeyStoreException, NoSuchAlgorithmException {
       if (provider == null)
           registerProvider(providerLibrary);
       try {
           ks = KeyStore.getInstance(providerName,provider);
       } catch (Exception e) {
           throw new KeyStoreException("Failed get keystore instance\n"
                           + e.getMessage());
       try {
           ks.load(null, pin.toCharArray());
       } catch (Exception e) {
           throw new KeyStoreException("Failed load keystore\n"
                           + e.getMessage());
      public void registerProvider(String library)
       throws FileNotFoundException, KeyStoreException {
       String fileName;
       if (new File(library).isAbsolute())
           fileName = library;
       else
           fileName = getAbsolutePath(library);
       if (!(new File(fileName).exists()))
           throw new FileNotFoundException("No such file: " + fileName);
       String config = "name = " + providerName + "\n"
           + "library = " + fileName;
       ByteArrayInputStream confStream =
           new ByteArrayInputStream(config.getBytes());
       try {
           provider = new sun.security.pkcs11.SunPKCS11(confStream);
           Security.addProvider(provider);
       } catch (Exception e) {
           throw new KeyStoreException("Can initialize " +
                           "Sun PKCS#11 provider. Reason: " +
                           e.getCause().getMessage());
      private String getAbsolutePath(String lib) throws FileNotFoundException {
       String[] searchPath;
       /* NOTE: This should be modified to suit different versions of   *
        *       Windows and not just Windows XP                         */
       if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
           searchPath = new String[] { "C:\\WINDOWS\\system32" ,
                           "C:\\java" };
       } else {
           searchPath = new String[] { "/usr/local/lib/" };
       for (int i = 0; i < searchPath.length; i++) {
           if ((new File(searchPath[i] + File.separator + lib).exists()))
            return (searchPath[i] + File.separator + lib);
       throw new FileNotFoundException("Library not in search path " + lib);
      }The above code is called by a java script, the class' constructor is empty.
  The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
  The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
  I have also made a CLI application that uses the above code and it works perfectly.
  So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
  The certificate I generated with
  keytool -genkey -keystore mystore -alias me
  keytool -seflcert -keystore mystore -alias meI have tired both with and without the selfcert step.
  Thanks! Erik

  The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
  It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
  A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate.

• Security Problems with Signed Applet

  Hello All,
  I need help with signed applets.
  I have an applet pkged in a jar that uses other jars. I have signed the jar containing applet and all the other jars being used. However, when I try to run the applet in IE 6.0.xx, I get the following error
  java.lang.ExceptionInInitializerError
       at aaa.aaa.somemethod(xxx.java:192)
       at aaa.aaa.aaa.access$000(xxx.java:27)
       at aaa.aaa.aaa.$1.run(xxx.java:467)
  Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
       at java.lang.System.getProperty(Unknown Source)
       ... 3 moreMy application is using Java 1.4.2.xx.
  Any help or pointers would be greatly appreciated.
  Thanks.

  Thanks harmmeijer and mjparme for your responses.
  I made some changes to my application and it does not now require the system property information. But now I am getting another exception related to class loader.
  I made the changes to the console as suggested by harmmeijer, and here is the stack trace. Also, I am not using any JavaScript explicitly.
  Registered modality listener
  Invoking JS method: document
  Invoking JS method: URL
  Referencing classloader: sun.plugin.ClassLoaderInfo@e0a386, refcount=1
  Loading applet ...
  Initializing applet ...
  Starting applet ...
  java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
       at xxx.xxx.a...<init>(a.java:39)
       at  xxx.xxx.b...<init>(b.java:42)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at java.lang.Class.newInstance0(Unknown Source)
       at java.lang.Class.newInstance(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Exception: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
  java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
       at xxx.xxx.a...ToolBus.<init>(a.java:39)
       at xxx.xxx.b....<init>(b.java:42)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at java.lang.Class.newInstance0(Unknown Source)
       at java.lang.Class.newInstance(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Modality pushed
  Modality poppedmjparme as to your second point, the action is taking place in the same jar only. No other jar is involved at the stage where I am getting exception.
  Thankyou again and will appreciate your help.
  AC

• Current Security Context Not Trusted When Using Linked Server From ABAP

  Hello,
  I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
  The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
  Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
  That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
  EXEC SQL.
     SET XACT_ABORT ON
     DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
  ENDEXEC.
  The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
  The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
  I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
  What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
  Any insight someone could offer on this thorny problem would be most appreciated.
  Best regards,
  Matt

  Good news! We have got it to work. However, we did it in something of
  a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
  At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we
  reference the tables in SAP via the Linked Server defined on the remote
  server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
  So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
  Then, in our ABAP code, we simply do something along the lines of
  exec sql.
     set connection 'REMOTE'
  endexec.
  exec sql.
     connect to 'REMOTE'
  endexec.
  exec sql.
     insert into REMOTE_TABLE
        select * from SAPSERV.SID.sid.SAP_TABLE
  endexec.
  exec sql.
     commit
  endexec.
  exec sql.
     disconnect 'REMOTE'
  endexec.
  This is, of course, a test program, but it demonstrated that it worked,
  and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
  I don't know if this solution will have applicability to any other customers, but it works for us, for now.
  SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
  Best regards,
  Matt

• Loading problem for Signed applet on MAC OS

  Hi All
  I�m trying to test my application on MAC OS (For versions: 10.2.6 as well as 10.4.x)
  For MAC 10.2.6 OS Java version is 1.4.1_01 and
  For MAC 10.4.x OS Java version is 1.4.2_07
  The code is compiled on Windows machine having Java version 1.4.2_07
  There�s a functionality which is calling signed applet (signed JAR for applet) and when this functionality is called, following error encounters:
  Java(TM) Plug-in: Version 1.4.1_01
  Using JRE version 1.4.1_01 Java HotSpot(TM) Client VM
  java.io.IOException: Server returned HTTP response code: 403 for URL: http://myMachineName: port/appName/UploadDownloadAppletJava.jar
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:709)
  at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:384)
  at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
  at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:302)
  at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:128)
  at sun.plugin.cache.JarCache.get(JarCache.java:172)
  at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:93)
  at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:78)
  at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:580)
  at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:541)
  at sun.misc.URLClassPath$3.run(URLClassPath.java:319)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.misc.URLClassPath.getLoader(URLClassPath.java:308)
  at sun.misc.URLClassPath.getLoader(URLClassPath.java:285)
  at sun.misc.URLClassPath.getResource(URLClassPath.java:155)
  at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
  at java.security.AccessController.doPrivileged(Native Method)
  Due to which cannot access Applet class (which is inside UploadDownloadAppletJava.jar) and operation is failed.
  (It works perfectly fine on Windows XP with both IE 6 and Firefox browsers).
  On MAC I'm testing on FireFox.
  Code which calls to applet is:
  <applet
  name=UploadDownloadApplet
  code="UploadDownloadApplet.class"
  codebase=/appName/
  archive=UploadDownloadAppletJava.jar
  width=0 height=0>
  <PARAM NAME=cabbase VALUE=UploadDownloadApplet.cab>
  <PARAM NAME=action VALUE=<%= action %>>
  <PARAM NAME=workingAreaMac VALUE="<%= workingAreaMac %>">
  <PARAM NAME=workingAreaPC VALUE="<%= workingAreaPC %>">
  <PARAM NAME=processId VALUE=<%= processId %>>
  <PARAM NAME=downloadBaseProductInd VALUE=<%= downloadBaseProductInd %>>
  <PARAM NAME=initTime VALUE=<%= initTime %>>
  <PARAM NAME=httpSessionId VALUE="<%= httpSessionId %>">
  <PARAM NAME=userId VALUE="<%= userId %>">
  </applet>
  Please suggest some guidelines

  java.io.IOException: Server returned HTTP response code: 403 for URL:
  http://myMachineName: port/appName/UploadDownloadAppletJava.jar
  Have you tried entering the URL into a browser window and see what happens?
  Message was edited by:
  wangwj

• Problem in Granting permissions for Signed Applet

  Hi,
  I have signed my applet with my self generated certificate. The client browser has imported this certificate in his cacerts keystore as trustcacerts. When I grant permission for my client(manually,in the client machine), I have peculiar errors.
  Case 1 : grant codeBase "http://***.XXX.***.XX/-" { permission java.security.AllPermission; };
  This permission works fine. But the client is able to download all applets from the granted machine, including unsigned applets.
  Case 2: grant SignedBy "dcard" codeBase "http://***.XXX.***.XX/-" { permission java.security.AllPermission; };
  If I add the signedBy tag, this particular grant section is completely omitted by the system. That is, the browsers does not recognize the signedBy tag( & its entire grant block) and throws SecurityExceptions for accessing the local machine.
  Please help me to grant permission for the applet coming from a particular source AND signed by a particulr person.
  Thanks in advance,
  Rajesh
  Note : Plug-in is java1.3.0_02. The public certificate is imported as trustcacerts in all cacerts files in system.

  This is the complete Error :
  WARNING: Attempting to use HTTP Firewall Proxy Server
  due to security restrictions: org.omg.CORBA.INTERNAL: Can not find GateKeeper: java.security.AccessControlException: access denied (java.net.SocketPermission localhost:15000 connect,resolve) minor code: 0 completed: No
  org.omg.CORBA.INTERNAL: Can not find GateKeeper: java.security.AccessControlException: access denied (java.net.SocketPermission localhost:15000 connect,resolve) minor code: 0 completed: No
       at com.visigenic.vbroker.gatekeeper.BridgeEx.login(BridgeEx.java:102)
       at com.visigenic.vbroker.gatekeeper.BridgeEx.loginHelper(BridgeEx.java:71)
       at com.visigenic.vbroker.gatekeeper.BridgeEx.bind(BridgeEx.java:200)
       at com.visigenic.vbroker.interceptor.ChainBindInterceptorImpl.bind(ChainBindInterceptorImpl.java:42)
       at com.visigenic.vbroker.orb.ORB.bind(ORB.java:1196)
       at com.visigenic.vbroker.orb.ORB.bind(ORB.java:1361)
       at com.visigenic.vbroker.orb.ORB.bind(ORB.java:1171)
       at com.platform7.persona.acceptor.GacHelper.bind(GacHelper.java:299)
       at com.platform7.persona.acceptor.GacHelper.bind(GacHelper.java:295)
       at GenericApplet.init(GenericApplet.java:40)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  org.omg.CORBA.INTERNAL: Can not find GateKeeper: java.security.AccessControlException: access denied (java.net.SocketPermission localhost:15000 connect,resolve) minor code: 0 completed: No

• What is the security context when deploying application using SCCM 2012?

  As far as i know when using Group Policy the software is always installed under SYSTEM security context. However i cannot find any information related to SCCM 2012 (and deploying applications) security context.
  Also is there a difference in doing "Install for User" or "Install for Device/System"?
  Thanks

  Thanks. Just to confirm that if you use Group Policy and you Publish the msi for user when the user install it from Add/Remove Programs it is still going to be executed in SYSTEM security context?
  And while we are on this topic - is the above (about the security context in SCCM 2012) written anywhere in some official MS web page?
  Not sure about the context for Intellimirror, but for ConfigMgr it's as Ronnie and Torsten stated. This may be documented somewhere, not sure. Not everything is documented though -- in fact, I'd say less than 25% (probably less than 10%) of everything
  to be known about ConfigMgr is officially documented. Note that this is the same for any product -- there simply are far too many permutations and possibilities to document them all. 
  Jason | http://blog.configmgrftw.com

• Problem on runtime enviorment for signed applet

  I am using the Java Media Framework for video capturing .Problem which i am facing is i have to configure the client machine so i wanted to download few of the class files which will execute on the client side and then stream the video back to the server .For this i have dezigned a java applet.This applet is signed by myself without any external agency so when ever the application is executed where it was signed this application gives no problem but when a different machine access the applet the user is asked for the verification of the applet but the error is thrown stating that the class not found exception .So please guide me that while making a signed applet which all packages need to be signed and what is the procedure .Do i have to sign the jmf packages also .

  I have signed applets but not with jmf. Your best bet is to put the applet in a jar and sign the jar. Most java runtimes with a self signed applet will prompt the user and ask the user if they want to grant permission. You probably have to use the java html converter to code your html to force the use of suns plugin. I am not sure if you have to sign the jmf jars or they may already be signed.

• Set default directory/path for SaveAs Dialog using WPG_DOCLOAD

  Hi, im trying to set the default directory/path for the SaveAs Dialog called by wpg_docload.download_file.
  I'm not able to find where I can specify the default path.
  Is it something like "htp.p('Content-Disposition: attachment; path=:PX_OUTPUT_DIR" ?
  Thx for your help !
  Here's a part of my code
  owa_util.mime_header( NVL(mime,'application/octet'), FALSE );
  htp.p('Content-length: ' || length);
  htp.p('Content-Disposition: attachment; filename="'||substr(fileName,INSTR(fileName,'/')+1)|| '"');
  owa_util.http_header_close;
  wpg_docload.download_file( lobLoc );
  /*********************/

  I don't believe you're allowed to set the directory path in the Content-Disposition (or any other) header. More accurately, you can set path in the filename, but browsers don't pay any attention to that, they only look at only the terminal filename.
  <p>According to RFC 2183, browsers are supposed to ignore any path information sent with the filename. Even though it's dated 1997, I believe this RFC is still in effect.
  <p>This was done as a security precaution against malicious web apps that might try to download into a system directory or other dangerous place. Also, browsers (usually) allow users to specify their own default download directories. Further, even if you could specify the path, you'd have to do it for any and all filesystems (Linux, Mac HFS, Mac OSX, Windows, etc etc).

• Signed Applet - Using same alias while development

  Hi,
  I am working on Embedded Java Signed Applet. My applet using the TCP/IP thus required to load each time to my Lantronix XPort.
  The problem is, every time I change something in the applet, I need to run the following commands again and finally load to Lantronix XPort.
  And every time, I required to change the alias name i.e. signapplet17 in the following commands.
  Is there any easy way while developing the signed applet
  e.g. we can use the same alias name each time i.e. signapplet1 ( I reached to signapplet17)
  Or we can avoid the following commands while developing.
  jar cmf mainClass.txt DataMain.jar *.class
  : Generate key pairs
  keytool -genkey -alias signapplet17 -keystore mykeystore -keypass mykeypass -storepass mystorepass
  : Sign the JAR file
  jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SDataMain.jar DataMain.jar signapplet17
  : Export the public key certificate
  keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet17 -file mycertificate.cer
  Thanks.

  This is my code that i use to read the graph:
  private Graph<Integer, Integer> loadGraph(int year, String type) {
       String graph_dir = ProjectDir.data_dir + "input/Network/vt_kn." + year + "-" + year + "/";
       String graph_name = "vt_kn." + year + "-" + year +".intern." + type;
            Graph<Integer, Integer>graph = new UndirectedSparseMultigraph<Integer, Integer>();
            try{
                 GraphMLReader<Graph<Integer, Integer>, Integer, Integer> gmlReader
                      = new GraphMLReader<Graph<Integer, Integer>, Integer, Integer>();     
                 gmlReader.load(graph_dir + graph_name +".graphml", graph);               
            } catch (Exception e) {
                 e.printStackTrace();
  System.out.println("loaded: " + graph_name);
  return graph;
  public class ProjectDir {
       public static final String data_dir = "F:/Apache/Tomcat 6.0/webapps/ROOT/app/Data/";
       public static final String script_dir = "../Script/";
       //F:/Apache/Tomcat 6.0/webapps/ROOT/VT/data/
  Could you tell me how i could change this code so that i can load from a url instead of a file?

• Interpret Yes/No (accept/deny) for signed applets

  Hi,
  I have signed my applet .jar file with an RSA certificate. The applet is working just fine except when the user is to grant access for it. If he waits for a while an exception occurs. It seems like the applet runs EVEN if it has not been granted.
  My question is why and how I can prevent this from happening. Is there a clear way of reading user input from the permission dialog? Can I put the applet on hold in some way?! This seems quite basic to me, but still I can't find a solution.
  It is very crusial for me to know whether the user grants the applet permission or not. The flow of the applet depends upon this.
  Btw I get the following exception:
  java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkExec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at se.infogate.hitnet.client.ip.impl.Win2KXPIPConfig.config(Win2KXPIPConfig.java:31)
       at se.infogate.hitnet.client.ip.IPConfigApplet.changeIP(IPConfigApplet.java:66)
       at se.infogate.hitnet.client.ip.IPConfigApplet.start(IPConfigApplet.java:46)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Many thanks in advance!
  /Henrik

  You can't access the dialog, but you can always use AccessController.checkPermission(perm); to check whether you have permissions or not. You could place the check in the applet initialisation and display a notice to the user that he/she must grant the privileges.