Does Java Plug-in Ignore java.policy Permissions?

Similar Messages

• Java.policy ignored

  I'm profiling an applet during the code/compile cycle, and I don't want to sign it every time, so I've modified my java.policy file.
  I've tried many different settings in my java.policy file and they seem to always be ignored. Finally I tried the following "catch all"
  grant codeBase "file:/-" {
       permission java.security.AllPermission;
  and my applet still gets an AccessControlException.
  WTF?
  Doesn't that line mean that anything on my hard drive can do whatever it wants?
  My applet is not being served on a webserver, my profiler runs it with javaw ... sun.applet.AppletViewer file:/.../page.html.
  I'm using 1.4.1_01.

  This is far fetched, but it couldn't be that somehow the
  Appletviewer class doesn't install a security manager, could it?At least on 1.4.1_01, it does, and I would assume it always has. You could check by calling System.getSecurityManager() (q.v.), or by running this simple applet:
  public class Appy extends Applet {
      String name = "none";
      public void start() {
          SecurityManager sm = System.getSecurityManager();
          if (sm != null) name = sm.getClass().getName();
      public void paint(Graphics g) {
          FontMetrics fm = getFontMetrics(getFont());
          int x = (getSize().width - fm.stringWidth(name)) / 2;
          int y = (getSize().height - fm.getHeight()) / 2;
          g.drawString(name, x, y + fm.getAscent());
  }On my system (JDK 1.4.1_01, Win XP) it diplays: sun.applet.AppletSecurity
  Good luck,
  David R. Conrad

• Java.policy codebase ignored

  I've recently been trying to allow an applet on a local webpage to write to a file in the same folder. I've been using the following .java.policy file:
  grant codeBase "file:${user.home}/My Documents/folder/*" {
    permission java.io.FilePermission "${user.home}${/}My Documents${/}folder${/}*", "read,write";
  };The HTML is in the folder called "folder" as above. So is the JAR file for the applet. In the HTML is:
  <applet code="foo.class" archive="foo.jar"></applet>The applet implements a "load" function and a "save" function, which are called like:
  data=document.applets[0].load(filename);
  document.applets[0].save(filename,data);Everything works perfectly using Opera, but fails in IE and Firefox unless I remove the codebase from the grant, leaving just a universal "grant {".
  I'm using 1.5.0_06. I've tried other codeBase values such as "file:C:/-", "file:///C:/-", "file:C:/Documents%20and%20Settings/-", and similar variations (too many to list). I've also tried adding a codebase attribute to the applet tag with the value "file:///C:/Documents%20and%20Settings/username/My%20Documents/folder/" (value derived from document.location).
  Is there some way to limit granting of permissions to applets in a particular folder that works in all browsers? I know Opera bypasses the Java plugin to access the runtime directly, hence my feeling this is a plugin bug.
  Thanks in advance for any help.

  Use doprivileged for signed code called by javascript
  Signing applets:
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post and last post for the java class file using doprivileged
  Still problems?
  A Full trace might help us out:
  http://forum.java.sun.com/thread.jspa?threadID=656028

• Java.policy - does it need restart of all processes to take effect

  I have to change java.policy in WebSphere. Do I have to restart all the servers running on that node (all Java Processes using that JRE) for the policy changes to take effect?
  This will force me to restart all the other applications running on different WAS server instances. Is there a way to avoid this?
  Thanks
  Satish

  I am not familiar with WebSphere but there should be a way to refresh the Policy. My Mozilla browser Java console has this option.

• Problems with $HOME/.java.policy

  hi,
  i'm using suse linux 7.3 & jdk 1.4.
  i have a simple test applet that prints the user name. i signed it by:
  cprokt@linux:~/java/applets/uname> jarsigner -signedjar strapp.jar trapp.jar cprokt
  Enter Passphrase for keystore: dubel07
  cprokt@linux:~/java/applets/uname> jarsigner -verify strapp.jar
  jar verified.then i created the java policy file /home/cprokt/.java.policy
  keystore "/home/cprokt/.keystore";
  grant SignedBy "cprokt"
  permission java.util.PropertyPermission "user.name", "read";
  };Running this applet with appletviewer resulted in a AccessControlException which said:
  java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)I got the same result when I ran the applet with Konqueror (blackdown vm 1.3).

  It's not neccessary to have a .java.policy file if you sign the applet. I run my applets (intranet only) with a policy file alone, without signing them. The only drawback to the policy file security is that it will have to be deployed to your users, this does not work in the internet, who's going to accept your policy file, but it's not so bad in an intranet. If you sign the applet succesfully, by default you'll get "all permissions" and getting the user name should not be a problem.
  Hope this helps...

• Please tell me what all softwares does Java Studio Enterprise 6 include.

  Please tell me what all softwares does Java Studio Enterprise 6 include.

  Hi there,
  JSE 6 software includes the following components.
  * Java Studio Enterprise IDE
  * Java Studio Enterprise 6 plug-ins and additions
  - Sun Java System Portlet Builder 2.0
  - Sun Java System Application Server 7 Standard
  Edition, Update 1 plug-in
  - Sun Java System Web Server 6.1, Service Pack 1
  plug-in
  - Sun Java Studio's Web Application Framework
  * Sun Java Enterprise System Servers as follows:
  - Sun Java System Application Server 7 Standard
  Edition, Update 1
  - Sun Java System Message Queue 3.0.1 Service
  Pack 2 Platform Edition
  - Sun Java System Web Server 6.1, Service Pack 1
  - Sun Java System Directory Server 5.2
  - Sun Java System Identity Server 6.1
  - Sun Java System Portal Server 6.2
  * Sun Java System Identity Server Policy Agent 2.1 for
  Sun Java System Application Server 7 Standard
  Edition, Update 1
  Hope it helps!

• Java.policy code delays JVM loading

  Hello All!!
  My java.policy code has 46 grant lines due to different permissions of different applets and servers.
  When I want to run some of this applets I've a delay of 90 seconds to load the JVM.
  I think I'm verifying that exist all of my servers in java.policy because i've a very high delay, but I think it wouldn't be that way.
  My questions are: will do I encrease the delay if I encrease the number of applets or servers? I'm working with JDK1.3, does anybody knows if this verssion is limited?

  Nowhere. Use the -Xbootclasspath option of 'java'.

• Java takes too long to load if java.policy has many sites to grant acess to

  The problem is that we noticed that the time Java takes to load when it's invoked by any applet from the very first time on IE, is directly proportional to the size of the java.policy file.
  You can have many sites to grant access to inside your java.policy file. As you know, it's typically done like this:
  grant codeBase "http://<url>/<dir>/*" {
       permission java.security.AllPermission;
  The more entries I add to this file, the slower the performance gets (as of java loading time).
  We have more than 10 entries on our java.policy file, and we are getting a 40-seconds penalty time each time java is loading.
  Having gone further with this problem, we have discovered that time is being lost when Java is trying to resolve (netBios and DNS) ALL of the sites specified on the java.policy file, BEFORE running any applet of ANY site (when Java loads). We cannot understand why Java is trying to resolve those names, even though you are not trying to visit them....
  Is there a workaround for this issue ?
  We've tried to:
  a) Use IP's instead of names on the java.policy: this resolves the problem but it creates another one: IP maintenance. It's not applicable because IP's can change without notice.
  b) Use more patterns like "*", for example:
  grant codeBase "http://*mysit*/<dir>/*" {
  so that Java will not be able to "guess" the name, nor resolve it.
  But unfortunately, this didn't work :-(
  c) Include the java.policy file on each applet (inside the jar file), instead of an unique java.policy file on each Windows machine. This solution doesn't fit our requirements, because we cannot ask applications to manage their own permissions. We want to control them with an unique & protected & secured java.policy file.
  d) Sign applets: Same reason of c)
  Is there a workaround for this issue ?
  We need Java to load in few seconds, but mantain java.policy funcionality.
  Thank you.
  Marc.

  >
  Try putting the domain names in the Windows hosts files with their numeric addresses. That should bypass any DNS lookup. If you have central maintenance you can update all the hosts files when IP address change.
  We have considered this option, but then we have the same problem described on c). IP maintentance. IPs change often and we cannot control it.
  Malcolmmc, paul.miner, jschell,
  I think the problem is Netbios resolution, rather than DNS one. The sites that figure on java.policy file, are not available in terms of Netbios (they are not LAN clients), so they are only visibles on DNS resolution. But Java still tries to resolve them with Netbios first, so I think there's a timeout on this resolution (not the DNS one) . This timeout causes the problem.
  But, anyway .... Why is Java trying to resolve those names ??? In fact, Java will only have to match the site you are visiting with the site specified on java.policy (just a String comparison). Why does Java need to resolve (netbios & dns) the names on java.policy? I cannot figure out why.
  Thank you all.
  Marc

• How to handle the java.policy file ?

  Can somebody tell me how to handle the java.policy file?
  I always get java.net.SocketExceptions and java.security.AccessControlExceptions while connecting to an appserver from an applet.
  What do I have to write in the java.policy file, where do I have to place it and do I have to call it in some way form my applet?
  Thanks in advance.
  don call

  The java.policy file goes in your jre installation directory in .../jre/lib/security (there should be one there already).
  I used it to allow otherwise restricted permissions for an applet using javax.comm. Add something like the following to the file:
  grant codeBase "URL:http://yourDomainName/rootDirectoryOfYourApp/*" {
       permission java.security.AllPermission;
  This will give the applet downloaded from your site all permissions. You might want to give only certain permissions, I don't know.
  Teri

• File Access with unsigned Applet through editing the java.policy file

  I'am starting to lose my hair on this...
  I am trying to get an applet to run so that it can access the file system to move files on my local maschin. Because this applet is only running on my VM i can change the java.policy to avoid the signing of the applet.
  first of all, if i wrote in the java.policy file
  grant {
    permission java.security.AllPermission; 
  };everything is working perfekt.
  But I have not the intention to open the gates for any applet out there, so i want to limit the access to my applet. With every of the following versions I get at best an
  java.security.AccessControlException: access denied (java.io.FilePermission...
  My Setup
  My Java Version: jre1.6.0_02
  My applet is located unter the url
  http://admin.mydomain.com/applet.jar
  In Html i tryed the following different versions of loading the applet - none worked
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet codebase="http://admin.mydomain.com" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet name="shortcut" code="start.class" archive="http://admin.mydomain.com/applet.jar" width="0" height="0"></applet>in java.policy i tryed following versions with every html applet load version
  grant codeBase "http://admin.x-press.de/-" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/+" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/applet.jar" {
    permission java.security.AllPermission; 
  };why is it with
  grant {
    permission java.security.AllPermission; 
  };working, and not with the other versions?
  i am almost bold now, please try to save my last hair from falling down.
  any suggestion would be nice
  thanks, feyyaz
  Message was edited by:
  feyyazdogu

  I read the mentioned documentation and your right, some of my versions were wrong, but after reading the doumentation again i came to following result which should had worked but didn't.
  java.policy
  grant codeBase "http://admin.mydomain.com/*" {
    permission java.security.AllPermission;
  HTML File
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" height="0" width="0"></applet>if I am entering http://admin.mydomain.com/applet.jar i can download the jar, so the archive lays in the correct directory.
  what i am doing wrong? do i have to change an additional file somewhere else?

• Explicitly installin java.policy problem

  is there any one who knows how to explicitly install the java.policy. What i have been doing is set the policy of the RMI server through a file like java.policy which contains this
  grant {
  permission java.security.AllPermission
  "*:1024-65535","connect,accept,resolve";
  and run the server through a batch file where the java.policy file is loaded through the system. is there anyone who knows to load the policy in the server code itself, that is, installing it explicitly?
  thanks..

  Yes, this is true ...but there is a saying about hardcode ...it makes things hard to code. Hardcoding the policy file eliminates flexibility for your clients and makes things harder to deploy. It certainly breaks from the standard. I just wouldn't want the poster to think one way is just as good as the other. But you do have a choice, this is true.

• Java File Permissions

  I'm relatively new to Java. I'm creating a program that will be running on 40 terminals, and will simulate a wireless mobile network. Our teacher has instructed that we should simply use a text file to keep track of where all the nodes are in the network, and when a node moves, it simply updates that text file. I'm looking to have some sort of system where the process checks to see if the text file has write permission, and if so, it will turn the permission to read-only, update the file, then set it back to write so nodes will be able to access the file and update locations while another node is updating, but another node will not be able to write to it until the node holding it has finished.
  I have looked in Class File, and I see checkWrite(), setReadOnly(), and checkRead(), but I'm not sure how to change the file permissions back to write.
  Am I going about this in the right way? If so, how do I change a file back to write access?
  Thanks, and if any more ingo is needed, let me know.

  java fully supports writable files. Look at class java.io.FilePermission. Your default java policy file may not allow you to write to files, but that can be edited manually or via the policytool . This forum should have several posts about how to modify the policy file so that you can write files. Once you edit that file, you will have read/write access, when appropriate.

• Auto upgrade jre and auto retain java.policy

  Hello,
  I need to automatically update clients with jre 1.4.2_07 and also retain the existing java.policy from the previous version (1.4.2_04). I have the jre installation kicking off correctly (with IE and XP) using
  codebase = "http://myserver/jinstall-1_4_2_07-windows-i586.cab#Version=1,4,2,70"
  but I also need to use my existing java.policy before the rest of the applet loads.
  I am not familiar with cab files, but is it possible to add a subsequent step to the jre install which would replace the generic java.policy with my specific java.policy? or any other way ??
  Thanks, Sari

  851004 wrote:
  ..It has been re-written from spec="1.0" to spec="1.5" ..Who changed it, and why?
  ..Does anybody else have an answer, solution, or suggestion ..?I suggest:
  <ul>
  <li>Change the spec. number back to something that 1.4 JWS claims to understand (i.e. "1.0").
  <li>Checking the launch file using JaNeLA
  </ul>
  Edited by: Andrew Thompson on Apr 9, 2011 7:54 AM

• Java policy

  Has anybody experience problem with the java policy setting using the latest java plugin (1.4.2_03) for IE?
  I have a simple applet to that performs local file io, and grant all the File permission to the codebase, but it doesn't work. It will work if I grant it to all the codebases. The applet also works on one of my college's PC with earlier plugin installed (1.4.0....). Any suggestion?

  I forgot to mention this problem only happens when calling public method of an applet from Javascript doing file IO.

• Java applet permissions (allow access to ports 1024 )

  Hello everyone,
  Not sure if this is the place to post this question but this forum has been extremely helpful to me in the past.
  I'm interested in allowing a java applet to both edit my hosts file and bind to privileged ports (this is for a trusted corporate SSL VPN connection). I've tried editting my java.policy file, but it doesn't seem to affect anything. Even if I set a policy rule to temporarly allow ALL java applets to use privileged ports, it still won't work. Ditto for allowing write file permissions to /etc/hosts:
  grant {
    permission java.io.FilePermission "/etc/hosts", "write";
  The only thing that seems to work is running firefox in root, which I really don't want to do.
  Am I going about this the right way? Thanks!

  If applet is signed, Change in Java Control Panel tab Security, Security Level to High.