IS there code to avoid policy file push in a VeriSign Signed applet?

Similar Messages

• How can I access the Server file system without using any signed applet?

  Is it possible for me to run an applet on the client machine such that the client can view my server file system and perform uploading and downloading of files through the applet without signing the applet?

  Add the following in your java.policy file, your plug in accesses.
  grant {
  permission java.permission.AllPermission;

• File read access denied for signed applet

  Hi:
  I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
  java.lang.Exception: java.security.AccessControlException:
      access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)The error is produced when the method loadKeyStore(pin) below is called.
      private KeyStore ks;
      private Provider provider;
      private static final String providerName    = "PKCS11";
      private static final String providerLibrary = "aetpkss1.dll";
      public void loadKeyStore(String pin) throws IOException,
       CertificateException, KeyStoreException, NoSuchAlgorithmException {
       if (provider == null)
           registerProvider(providerLibrary);
       try {
           ks = KeyStore.getInstance(providerName,provider);
       } catch (Exception e) {
           throw new KeyStoreException("Failed get keystore instance\n"
                           + e.getMessage());
       try {
           ks.load(null, pin.toCharArray());
       } catch (Exception e) {
           throw new KeyStoreException("Failed load keystore\n"
                           + e.getMessage());
      public void registerProvider(String library)
       throws FileNotFoundException, KeyStoreException {
       String fileName;
       if (new File(library).isAbsolute())
           fileName = library;
       else
           fileName = getAbsolutePath(library);
       if (!(new File(fileName).exists()))
           throw new FileNotFoundException("No such file: " + fileName);
       String config = "name = " + providerName + "\n"
           + "library = " + fileName;
       ByteArrayInputStream confStream =
           new ByteArrayInputStream(config.getBytes());
       try {
           provider = new sun.security.pkcs11.SunPKCS11(confStream);
           Security.addProvider(provider);
       } catch (Exception e) {
           throw new KeyStoreException("Can initialize " +
                           "Sun PKCS#11 provider. Reason: " +
                           e.getCause().getMessage());
      private String getAbsolutePath(String lib) throws FileNotFoundException {
       String[] searchPath;
       /* NOTE: This should be modified to suit different versions of   *
        *       Windows and not just Windows XP                         */
       if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
           searchPath = new String[] { "C:\\WINDOWS\\system32" ,
                           "C:\\java" };
       } else {
           searchPath = new String[] { "/usr/local/lib/" };
       for (int i = 0; i < searchPath.length; i++) {
           if ((new File(searchPath[i] + File.separator + lib).exists()))
            return (searchPath[i] + File.separator + lib);
       throw new FileNotFoundException("Library not in search path " + lib);
      }The above code is called by a java script, the class' constructor is empty.
  The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
  The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
  I have also made a CLI application that uses the above code and it works perfectly.
  So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
  The certificate I generated with
  keytool -genkey -keystore mystore -alias me
  keytool -seflcert -keystore mystore -alias meI have tired both with and without the selfcert step.
  Thanks! Erik

  The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
  It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
  A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate.

• .java.policy file problem

  Is there someone who knows how to reinitialise the java policy file at runtime?
  My signed applet writes a policy file to the users home directory, but that file is only used after closing the browser and surfing back to our page. It should immediatly use that new file.
  Someone who got some experience with that...?
  Regards

  And is it true that if you use a Thawte or verisign certificate, you will not have to change the .java.policy file?

• Java.policy file  - Must I change it?

  I just got a certificate from Verisign with which I signed my applet. It works fine and now I want to distribute it to a group of users.
  Back when I was developing the applet with a self-signed cert, I changed the java.policy file to allow the applet to do things 'outside the sandbox'.
  I thought, perhaps mistakenly, that when I got the Verisign ceritifcate I would not need to concern myself with java.policy in any way. But now, even with the Verisign cert, my applet won't run correctly w/o the updated policy file.
  This is only important to me as I do not want to go around to 'x' number of user workstations and modify each java.policy file.
  Am I missing something??
  thanks

  You mention
  "you should be able to remove the policy file and users can just accept the certificate "
  I experience the same, remove all policy files, signed applets can then access resopurces on the local machine. However, practically all the documentation I read regarding JAVA 2 (I'm using 1.4.1_02) says you must have a policy file when using a signed applet. At least they say sign your applet and then indicate what the policy file should look like to grant specific permissions for that applet. I find no policy file will still allow a signed applet to access local files... Is this a bug in JAVA 2 1.4.1_02, or the correct behavior. thanks in advance.

• Associating policy files with license server

  [ Problem ]
  I’m going through the sample and documentation for FA 2.0.  It mentions that whenever a policy is created/updated that the license server has to be informed.  In the reference implementation, there are the model usage policy samples that I see being loaded.  In the non-refimpl of flash access, how does the license server load/know about the policies available?  I looked at the sample flashaccess-tenant.xml, I didn’t see any section where policy files are configured.  Would it have to be done outside of the app?
  [ Solution ]
  If you update a policy after it was used to package content, and you want the new policy to be used when the user requests a license for that content, the license server needs access to the latest version of the policy. 
  In the Reference Implementation, there are two modes demonstrating possible business logic implementations (but of course, you may choose a different approach in your implementation).  The typical workflow for the Reference Implementation is that it will use the policy that was embedded at packaging time to generate the license.  If more than one policy was embedded, it will try each one in order until it is able to successfully generate a license (for example, if the first policy requires authentication and the user did not authenticate, the server will try the second policy in the list.  If the second policy allows anonymous access (possibly with more restrictions), it will generate a license using that policy.  The Reference Implementation supports updating policies through a Policy Update List.  The Policy Update List would be generated when a policy is updated, and contains the latest version of any policy that has changed.  If you point the server to a Policy Update List in flashacccess-refimpl.properties, the Reference Implementation server will automatically check this list for updates any time it issues a license.  Alternatively, if you had an implementation that stores all your policies in a database, you could implement your server to check the database for an updated policy before issuing a license.
  As you mentioned, there is another mode which demonstrates four different usage models and uses policy files stored on the server to determine what the license will look like.  In this "demo" mode, the server only looks at the policies used at packaging time to determine if anonymous access is allowed or if authentication is required.  The rest of the attributes used to generate the license come from one of the four policy files configured on the server (see the "Implementing the usage models" section of Protecting Content for more details). 
  The License Server for Protected Streaming addresses a slightly different use case (see Flash Access Server Deployment Guide for details).  Here, we expect the minimum policy information to be specified at packaging time, and the license server determines the actual usage rules for generating the license.  In the PolicyOverrides section of flashaccess-tenant.xml, you specify the usage rules (license caching, output protection, etc.).  The license server ignores the policy embedded during packaging and only uses the attributes in the tenant configuration file.  If you want to update the usage rules, you simple modify the tenant configuration file -- in this case there is no separate policy file.

  anu1106 wrote:
  I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.Why? Why not just install the unlimited strength files in the normal way according to the installation instructions given in the distribution file?

• How can I change the policy file?

  I have designed an applet to read a file from the local Machine.
  This applet thro a servlet reads the contents of the file specified.
  I use Tomcat 4.1.12 server and this is an client-server application.
  To read the file in the local machine, I set the permission as follows in the .java.policy file in the Local Machine.
  grant codeBase "http://MyMachine:8080/Example" {
  permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete, execute";
  as the applet file is in the Example of the server "MyMachine".
  Its working and my applet is able to read the file from the local machine it runs.
  Now my problem is I cannot set/change the policy file in every machine where my applet runs.
  Instead if there is a way to change the policy when the applet downloads,that'll be effective.
  That is I donot want to go and change the policy file manually in each and every machine where my applet runs(I donot even know which are the machines going to run the applet).
  Is there any means to acheieve my need?
  Please explain me in detail or direct me to the relevent web sites or links.
  Thank you

  Hi Hosuke,
  I had the same problem, thanks for the advise.
  Still I have a remark to make.
  The thing is that, in order for the applet to have the permission granted (for whatever), you need to have a policy file which you can include in the JAR file (like you explained before) AND also you need to add an entry in the java.security file (located for me: "C:\Program Files\Java\j2re1.4.1_01\lib\security\java.security") that tells the applet where to find all the .policy files.
  Something like: policy.url.4=file:/c:/java.policy
  But since we are talking about an applet we are not able to make changes to this file.
  Maybe you or anyone else knows a workaround for this problem.
  Thanks in advance,
  Ronald Vromans.

• Self sign applet without doing any change in policy file at client end

  Hi all,
  I developed an applet which make some webservice calls,
  I have given following permission in policy file at client end
  grant codeBase "http://nta2311:7001/-" {
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.net.SocketPermission "*", "connect, resolve";
  with these settings applet is working fine
  Now I want to make applet signed in order to avoid policy file modifications
  for testing I want to self sign it
  please help me

  Signing applets:
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post and reply 18 for the java class file using doprivileged
  http://forum.java.sun.com/thread.jsp?forum=63&thread=409341
  4th post explaining how to set up your own policy with your own keystore
  Still problems?
  A Full trace might help us out:
  http://forum.java.sun.com/thread.jspa?threadID=656028

• 100$ Bounty Question: How do I request a socket policy file?

  I'll send you 100$ via paypal or check in the mail for the person who solves this problem for me:
  4 years ago, my code requested a policy file fine, but it doesn't anymore.
  Here is my code:
                  Security.allowInsecureDomain("*");
                  Security.allowDomain("*");
                  Security.loadPolicyFile("xmlsocket://127.0.0.1:843");
              xmls.send("yo");   
              xmls.send("yo2");   
  My server receives "yo" and not "yo2".
  My server does not receive "<policy-file-request/>"
  What do I need to do on the Flash AS3 side to send "<policy-file-request/>" to my server?
  Other forums where I request this information:
  http://forums.adobe.com/message/6178906#6178906

  If your company doesn't let you do bounties, I'll donate the 100$ to fruit trees for Haiti.

• Can i set the policy in code not in a policy file

  normally starting rmi client with a policy file. and start the client with such JVM parameters: java.security.policy and java.rmi.codebase.
  But in jsp how can i specify these JVM parameters.Or can i make the policy in code not in
  a file.

  You can specifiy inline with code otherwise malicious code would use it the grant all permissions before it wrecks havoc on the system.
  When your Servlet engine starts (Tomcat, JBoss, depends on which you are using) there will either be an option to pass in additional policy file, or a policy file will exist inthe servlet engine directory path for you to edit and add your entries to.

• Is there any way to upload Tariff Code (with multiple XML files) from application server?

  Hi All,
  Is there any way to upload Tariff Code (with multiple XML files) from application server?. Its urgent.
  Regards,
  Jatin

  Hi Jatin,
  Yes, of course you can upload multiple files for tariff codes.
  This can be done by the below path:-
  SAP GTS Cockpit(tcode-/sapsll/menu_legal)-->Customs Management-->Classification-->Classification Master Data-->Upload Tariff Code Numbers from XML file(tocde- /SAPSLL/LLNS_UPL101).
  In the above area after browsing and choosing the first file, please select multiple check box to choose more files as well. Then you can further select your application server and upload all those files in one go.
  PS:- Although, we have an option to upload multiple such files but actually we should avoid multiple file uploads due to various reasons. Hence, please take utmost care during such procedure.
  Regards,
  Aman

• Batch Code to trigger bat file whenever there is an error in Eventvwr log error

  Batch Code to trigger bat file whenever there is an error in Eventvwr log error

  Hello,
  You can create a windows service which can look into EventVwr and update you accordingly
  Sample code:
  using System.Linq;
  using System.Text;
  using System.Threading.Tasks;
  namespace EventViewer
      class Program
          static void Main(string[] args)
              //logType can be Application, Security, System or any other Custom Log.
              string logType = "Application";
              EventLog ev = new EventLog(logType, System.Environment.MachineName);
              int LastLogToShow = ev.Entries.Count;
              if (LastLogToShow <= 0)
                  Console.WriteLine("No Event Logs in the Log :" + logType);
              // Read the last 2 records in the specified log.
              int i;
              for (i = ev.Entries.Count - 1; i >= LastLogToShow - 10; i--)
                  EventLogEntry CurrentEntry = ev.Entries[i];
                  Console.WriteLine("Event ID : " + CurrentEntry.EventID);
                  Console.WriteLine("Entry Type : " + CurrentEntry.EntryType.ToString());
                  Console.WriteLine("Message :  " + CurrentEntry.Message + "\n");
                  Console.ReadKey();
              ev.Close();
  Alternative way is to use below link
  http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
  Thanks
  Abhishek

• Is there any way to block or disable usb access to avoid copy files from ipad to other dispositive?

  Hi, i just want if there is exist any way to disable, turn off, block usb transfer on ipad3 to avoid copy files from ipad to another dispositive?
  Any idea?

  Use an MDM to put the device in supervisory mode.  This mean you can only copy via USB to the device that put the device in supervisory mode.
  See all the complaints by teachers with Supervised mode on their ipad:
  https://discussions.apple.com/message/22153837#22153837
  The question would have been better in:
  https://discussions.apple.com/community/ipad/ipad_in_the_enterprise
  MDM  -- moble device management 
  MDMs
  Airwatch, Meraki, MobileIron, Profile Manager on OS X Server, or Zenprise
  For a comparison see this page:
  http://www.enterpriseios.com/wiki/Comparison_MDM_Providers
  Airwatch
    http://www.air-watch.com/
  Meraki -- A free MDM   [ expect lots of email and phone calls about upgrades ]
    http://www.meraki.com/products/systems-manager/
    https://discussions.apple.com/thread/4067210?tstart=0
    Good howto by Sergio Sosa.
    https://discussions.apple.com/thread/2594001?start=15&tstart=0
  MobileIron
    http://www.mobileiron.com/
  Profile Manager by Apple
  Zenprise
    http://www.zenprise.com/

• File Access with unsigned Applet through editing the java.policy file

  I'am starting to lose my hair on this...
  I am trying to get an applet to run so that it can access the file system to move files on my local maschin. Because this applet is only running on my VM i can change the java.policy to avoid the signing of the applet.
  first of all, if i wrote in the java.policy file
  grant {
    permission java.security.AllPermission; 
  };everything is working perfekt.
  But I have not the intention to open the gates for any applet out there, so i want to limit the access to my applet. With every of the following versions I get at best an
  java.security.AccessControlException: access denied (java.io.FilePermission...
  My Setup
  My Java Version: jre1.6.0_02
  My applet is located unter the url
  http://admin.mydomain.com/applet.jar
  In Html i tryed the following different versions of loading the applet - none worked
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet codebase="http://admin.mydomain.com" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet name="shortcut" code="start.class" archive="http://admin.mydomain.com/applet.jar" width="0" height="0"></applet>in java.policy i tryed following versions with every html applet load version
  grant codeBase "http://admin.x-press.de/-" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/+" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/applet.jar" {
    permission java.security.AllPermission; 
  };why is it with
  grant {
    permission java.security.AllPermission; 
  };working, and not with the other versions?
  i am almost bold now, please try to save my last hair from falling down.
  any suggestion would be nice
  thanks, feyyaz
  Message was edited by:
  feyyazdogu

  I read the mentioned documentation and your right, some of my versions were wrong, but after reading the doumentation again i came to following result which should had worked but didn't.
  java.policy
  grant codeBase "http://admin.mydomain.com/*" {
    permission java.security.AllPermission;
  HTML File
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" height="0" width="0"></applet>if I am entering http://admin.mydomain.com/applet.jar i can download the jar, so the archive lays in the correct directory.
  what i am doing wrong? do i have to change an additional file somewhere else?

• How to use a custum permission in the .policy file

  Hi,
  I am stuck with the problem of having a custum permission that extands java.security.BasicPermission.
  I really want this permission to be checked from my .policy file, but when I try to include its location : c:\java_project\server\SpecialPolicy.class
  it pops a message that file is not found. I have tried dots, different slashes (back and forward) and still have no luck. I need this custum permission to be checked so that I can allow special access from a certain codebase so that say if I try a dangerous method I can just simply check in the code;
  this.getSecurityManager.checkPermission(new SpecialPermission("lol"));
  Also I need a paramater option, but I cant think of any since its not a FilePermission that takes a name and attributes (read, write..) what does BasicPermission take and if I extend it what attribute should I pass in. I dont really care about how this permission works, i just use it to restrict access to a certain functions in code that are ran from specific codeBAse.
  Please dont ask why I need this :)
  Thanks in advance, the documentation on how to add custum policies is simply NOT THERE. thus I have to bug people around.

  Hi
  If you just have to add another permission it is easy.
  Create a class extending the BasicPermission. Have an entry into
  the policy file like
  grant <Principal> {
  permission <CumstomPermission> "lol"
  }that should be all. If you do have a specific Principal, please
  do not forget to add the Principal to the relevant Subject after login.
  cheers
  Projyal