Problem in Granting permissions for Signed Applet

Similar Messages

• Problem of granting permissions for a signed applet

  I'm writing an applet, which needs to
  1. write a file into client file system, then
  2. launch an application to edit this file, then
  3. read the edited content from the file
  Obviously, all the above 3 steps are restricted operations, they are not allowed for an applet by default. So I suppose that if the applet is signed, it will get the additional permissions. And because I want this applet work for both IE and NS browser, I choose to use Java Plug-in.
  But base on the Java 2 Security Tutorial, it seems I can't specify the permissions in the jar. I can only sign my applet, let the end user knows this applet comes from me. And it's the end user's job to run the policytool program, and give the "FilePermission" of "read, write, delete, execute" to the code signed by me(or download from a specific codebase, or both), if they decide to "trust" me.
  I can't imagine how to make the business user understand the Security concept of Java, and ask them to configure their system properly. It's just a mission impossible! So, did I miss some important part in the signning process? Is there such a way which keeps the policy setting for this applet in the signed jar, so the business user only need to click "Grant" to allow it running?
  Thank you very much.
  Kevin Zhang
  P.S. some interesting facts confuse me:
  1. I signed the jar (which I'm not sure if I signed it currectly, I will tell you why later), and converted the <applet> tag to <object> tag for IE. It works, which makes me confused :-) Because I didn't specify the permissions at all, neither in the code nor in the signning process. Should I consider that by default it gives all the permissions?
  2. Same jar file. I use the original <applet> tag on Netscape 6.2, which use java plug-in to handle <applet> tags. This time an AccessControlException is thrown. I can understand that's obviously because of no permission. But both this one and the above one are using same JRE 1.3.1_01 plug-in, why they behave differently?

  Hi Kevin
  I have the exactly the same requirement as yours....
  (1. write a file into client file system, then
  2. launch an application to edit this file, then
  3. read the edited content from the file).
  Plz go thru the following. I signed my applet as follows:-
  makecert -sk exec -n "CN=Hemanth" exec.cer
  cert2spc exec.cer exec.spc
  javac ExecNP.java (ExecNP.java is the applet code. I have given the code of the applet)
  cabarc -s 6144 n exec.cab ExecNP.class
  setreg 1 true
  signcode -j javasign.dll -jp exec.ini -spc exec.spc -k exec exec.cab
  chkjava exec.cab
  Code of ExecNP.java :-
  import com.ms.security.*;
  import com.ms.security.permissions.*;
  import java.lang.Runtime.*;
  public class ExecNP extends java.applet.Applet
  public void init()
       try {
            PolicyEngine.assertPermission(PermissionID.EXEC);
            Runtime.getRuntime().exec("c:\\windows\\notepad.exe");
       } catch(Exception e) {
  Here is the html code :-
  <applet code=ExecNP width=800 height=200> <PARAM NAME='cabbase' VALUE='exec.cab'> </applet>
  When I try to open this html file I get the following exception in the Java Console
  java.lang.UnsatisfiedLinkError: initPolicyEngine
  Please tell me whats wrong.
  Hemanth.

• Problem on runtime enviorment for signed applet

  I am using the Java Media Framework for video capturing .Problem which i am facing is i have to configure the client machine so i wanted to download few of the class files which will execute on the client side and then stream the video back to the server .For this i have dezigned a java applet.This applet is signed by myself without any external agency so when ever the application is executed where it was signed this application gives no problem but when a different machine access the applet the user is asked for the verification of the applet but the error is thrown stating that the class not found exception .So please guide me that while making a signed applet which all packages need to be signed and what is the procedure .Do i have to sign the jmf packages also .

  I have signed applets but not with jmf. Your best bet is to put the applet in a jar and sign the jar. Most java runtimes with a self signed applet will prompt the user and ask the user if they want to grant permission. You probably have to use the java html converter to code your html to force the use of suns plugin. I am not sure if you have to sign the jmf jars or they may already be signed.

• Default security context for signed applets using WinXP+IE8

  What is the default security context for signed applets from the internet zone using Java 6 and WinXP+IE8 combination? My guess is that all file and socket access available for the user's Windows account is provided to the applet as well. Is this correct and if so, is there a way to limit these access privileges for signed applets from the internet zone?
  This information is surprisingly difficult to find given how security concious people now are using the internet.

  AntonBoer wrote:
  Thank you for your swift reply.
  Unfortunately your answer reflects to my worst fears. Frankly I find this security model naiive. Anyone with euros can get their applet signed so that is no security control at all.The same naive security model applies to just about anything signed and downloaded; not just to Java Applets.
  >
  Working for a corporate IT how I am supposed to allow Java installations on any of our computers with internet access? That automatically means I am providing them as platforms to whoever wishes to run Java code on them (given that the user of course visits the web site). I would have expected Sun to put more effort into this but it appers nothig have changed in this regard for 10 years.I don't see this as a Sun problem; it is indicative of what I consider to be a general security weakness for all computer systems. For example, for Windows, Vista just added more user involvement in the trust process but it still allows programs to run pretty much unconstrained if the user agrees to them running.
  For some time I have advocated a more fine grained approach. I would like to see ALL programs run in a sandbox that a user can specify what and what cannot be done by each individual program. Unfortunately, this would annoy the hell out of most users so it has little chance of every of ever being accepted. The average user just wants a run-and-forget-about-security model.

• Restriction for signed applet

  Hi all,
  i signed applet which is trying to modify file tmp.txt on client machine. Is there any opportunity for client to forbid this action for signed applet?
  I tried use policy file but i was unlucky. It is ok for unsigned applet but what about signed one?
  Thank you for your response.
  benky

  you need to install the jre, and place the win32.dll at JavaSoft\JRE\1.3.1_06\bin, that properties file place at JavaSoft\JRE\1.3.1_06\lib, comm.jar at JavaSoft\JRE\1.3.1_06\lib\ext\
  and in ur code try to use it to open ur com port
  public String test() {
  String drivername = "com.sun.comm.Win32Driver";
  try
  CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
  catch (Throwable th)
  {* Discard it */}
  drivername = "javax.comm.*";
  try
  CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
  catch (Throwable th)
  {* Discard it */}
  portList = CommPortIdentifier.getPortIdentifiers();
  while (portList.hasMoreElements()) {
  portId = (CommPortIdentifier) portList.nextElement();
  if (portId.getPortType() == CommPortIdentifier.PORT_SERIAL) {
  if (portId.getName().equals("COM2")) {
  //if (portId.getName().equals("/dev/term/a")) {
  try {
  serialPort = (SerialPort)
  portId.open("SimpleWriteApp", 2000);
  } catch (PortInUseException e) {}
  try {
  outputStream = serialPort.getOutputStream();
  } catch (IOException e) {}
  try {
  serialPort.setSerialPortParams(9600,
  SerialPort.DATABITS_8,
  SerialPort.STOPBITS_1,
  SerialPort.PARITY_NONE);
  } catch (UnsupportedCommOperationException e) {}
  int i=0;
  while(true)
  try {
  messageString="hi";
  System.out.println(i++);
  outputStream.write(messageString.getBytes());
  } catch (IOException e)
  System.out.println(e);
  messageString=String.valueOf(e);
  return messageString;
  and yet u need to signed the applet
  1. Compile the applet
  2. Create a JAR file
  3. Generate Keys
  4. Sign the JAR file
  5. Export the Public Key Certificate
  6. Import the Certificate as a Trusted Certificate
  7. Create the policy file
  8. Run the applet
  Susan
  Susan bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.
  1. Compile the Applet
  In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.
  javac SignedAppletDemo.java
  2. Make a JAR File
  Susan then makes the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.
  jar cvf SignedApplet.jar SignedAppletDemo.class
  3. Generate Keys
  Susan creates a keystore database named susanstore that has an entry for a newly generated public and private key pair with the public key in a certificate. A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.
  In her working directory, Susan creates a keystore database and generates the keys:
  keytool -genkey -alias signFiles -keystore susanstore -keypass kpi135 -dname "cn=jones" -storepass ab987c
  This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.
  The generated key pair is stored in a keystore database called susanstore (-keystore susanstore) in the current directory, and accessed with the susanstore password (-storepass ab987c).
  The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.
  You can view all keytool options and parameters by typing:
  keytool -help
  4. Sign the JAR File
  JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.
  jarsigner -keystore susanstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles
  The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
  5. Export the Public Key Certificate
  The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
  The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
  5: Export the Public Key Certificate
  The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
  In her working directory, Susan uses keytool to copy the certificate from susanstore to a file named SusanJones.cer as follows:
  keytool -export -keystore susanstore -storepass ab987c -alias signFiles -file SusanJones.cer
  Ray
  Ray receives the JAR file from Susan, imports the certificate, creates a policy file granting the applet access, and runs the applet.
  6. Import Certificate as a Trusted Certificate
  Ray has received SSignedApplet.jar and SusanJones.cer from Susan. He puts them in his home directory. Ray must now create a keystore database (raystore) and import the certificate into it. Ray uses keytool in his home directory /home/ray to import the certificate:
  keytool -import -alias susan -file SusanJones.cer -keystore raystore -storepass abcdefgh
  7. Create the Policy File
  The policy file grants the SSignedApplet.jar file signed by the alias susan permission to create newfile (and no other file) in the user's home directory.
  Ray creates the policy file in his home directory using either policytool or an ASCII editor.
  keystore "/home/ray/raystore";
  // A sample policy file that lets a JavaTM program
  // create newfile in user's home directory
  // Satya N Dodda
  grant SignedBy "susan"
  permission java.security.AllPermission;
  8. Run the Applet in Applet Viewer
  Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:
  Html code :
  </body>
  </html>
  <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
  width="600" height="400" align="middle"
  codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,1,2">
  <PARAM NAME="code" VALUE="SignedAppletDemo.class">
  <PARAM NAME="archive" VALUE="SSignedApplet.jar">
  <PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
  </OBJECT>
  </body>
  </html>
  appletviewer -J-Djava.security.policy=Write.jp
  http://aURL.com/SignedApplet.html
  Note: Type everything on one line and put a space after Write.jp
  The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.
  Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.
  9. Run the Applet in Browser
  Download JRE 1.3 from Javasoft
  good luck! [email protected]
  i already give u many tips, i use 2 weeks to try this to success, hopw that u understand that, a result of success is not important, the process of how to get things done is most usefull!

• Loading problem for Signed applet on MAC OS

  Hi All
  I�m trying to test my application on MAC OS (For versions: 10.2.6 as well as 10.4.x)
  For MAC 10.2.6 OS Java version is 1.4.1_01 and
  For MAC 10.4.x OS Java version is 1.4.2_07
  The code is compiled on Windows machine having Java version 1.4.2_07
  There�s a functionality which is calling signed applet (signed JAR for applet) and when this functionality is called, following error encounters:
  Java(TM) Plug-in: Version 1.4.1_01
  Using JRE version 1.4.1_01 Java HotSpot(TM) Client VM
  java.io.IOException: Server returned HTTP response code: 403 for URL: http://myMachineName: port/appName/UploadDownloadAppletJava.jar
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:709)
  at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:384)
  at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
  at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:302)
  at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:128)
  at sun.plugin.cache.JarCache.get(JarCache.java:172)
  at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:93)
  at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:78)
  at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:580)
  at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:541)
  at sun.misc.URLClassPath$3.run(URLClassPath.java:319)
  at java.security.AccessController.doPrivileged(Native Method)
  at sun.misc.URLClassPath.getLoader(URLClassPath.java:308)
  at sun.misc.URLClassPath.getLoader(URLClassPath.java:285)
  at sun.misc.URLClassPath.getResource(URLClassPath.java:155)
  at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
  at java.security.AccessController.doPrivileged(Native Method)
  Due to which cannot access Applet class (which is inside UploadDownloadAppletJava.jar) and operation is failed.
  (It works perfectly fine on Windows XP with both IE 6 and Firefox browsers).
  On MAC I'm testing on FireFox.
  Code which calls to applet is:
  <applet
  name=UploadDownloadApplet
  code="UploadDownloadApplet.class"
  codebase=/appName/
  archive=UploadDownloadAppletJava.jar
  width=0 height=0>
  <PARAM NAME=cabbase VALUE=UploadDownloadApplet.cab>
  <PARAM NAME=action VALUE=<%= action %>>
  <PARAM NAME=workingAreaMac VALUE="<%= workingAreaMac %>">
  <PARAM NAME=workingAreaPC VALUE="<%= workingAreaPC %>">
  <PARAM NAME=processId VALUE=<%= processId %>>
  <PARAM NAME=downloadBaseProductInd VALUE=<%= downloadBaseProductInd %>>
  <PARAM NAME=initTime VALUE=<%= initTime %>>
  <PARAM NAME=httpSessionId VALUE="<%= httpSessionId %>">
  <PARAM NAME=userId VALUE="<%= userId %>">
  </applet>
  Please suggest some guidelines

  java.io.IOException: Server returned HTTP response code: 403 for URL:
  http://myMachineName: port/appName/UploadDownloadAppletJava.jar
  Have you tried entering the URL into a browser window and see what happens?
  Message was edited by:
  wangwj

• Granting SocketPermission using signed applet

  I have had a dream of locally caching a jar file for an applet so that all the code will be on the client machine after the first time the applet was loaded. Basically, I have a very thin applet composed of a jar class loader and a tiny applet which will check for a jar file on the client and download it from the server if it does not exist. These simple classes are in a signed jar file. Basically, this thin applet does the following:
  1) Check for the big, app jar file in c:\Temp
  2) If it does not exist, open a URL input stream and get the big jar
  3) instantiate a jar class loader object on the now local, big jar file
  4) load the "main" class
  5) use reflection to run its initialization method
  6) the application then attempts to open a socket to the server
  I get all the way to step 6 and this is where things go bad. As far as I can tell, the "thin" app loader class has permission to do anything it wants since it was downloaded from a signed jar - I haven't tried to do anything I was not able to do with this class. I think the problem arises because the app class came from a non-signed jar file and it appears to have all the typical applet restrictions. I can make URL connections to the local client (since that's where the code was loaded from), but not anywhere else.
  I was hoping all classes the "thin", privileged class loaded would inherit these privileges, but obviously the class permissions come from where the class was loaded from. This is a bummer and my guesses for solving this problem are:
  1) grant permission to the entry class for the app somehow (I tried something like this by executing the entry method for the app in a AccessController.doPrivieleged block - no luck)
  2) sign the app jar and somehow read and accept its certificate so that all classes loaded from this jar are privileged (I am not sure of how to do this)
  I am hoping someone might have an elegant solution to this problem as this is really the last step in my caching solution. By the way, the entry app class is not an applet itself if this is useful information to anyone. The "thin" applet is the only applet and just hands control off to the entry method of the main app class in the jar.
  TIA!

  Signing an applet provides it with the ability to run outside the sandbox. This does not automatically give the applet permission to do anything it wants. The applet must still request the desired permission before actually attempting an operation that requires that permission. Depending on the browser or whether you are relying on the Java plugin, you need to call the necesary security method first. I wrote a signed applet back in May 2000 which also needed socket permission. I don't have access to the code anymore so I cannot recall exactly the classes and methods you need to invoke. If you search the Signed Applets forum for my name, there are several messages that should help you.
  For example:
  http://forums.java.sun.com/thread.jsp?forum=63&thread=132336

• Interpret Yes/No (accept/deny) for signed applets

  Hi,
  I have signed my applet .jar file with an RSA certificate. The applet is working just fine except when the user is to grant access for it. If he waits for a while an exception occurs. It seems like the applet runs EVEN if it has not been granted.
  My question is why and how I can prevent this from happening. Is there a clear way of reading user input from the permission dialog? Can I put the applet on hold in some way?! This seems quite basic to me, but still I can't find a solution.
  It is very crusial for me to know whether the user grants the applet permission or not. The flow of the applet depends upon this.
  Btw I get the following exception:
  java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkExec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at java.lang.Runtime.exec(Unknown Source)
       at se.infogate.hitnet.client.ip.impl.Win2KXPIPConfig.config(Win2KXPIPConfig.java:31)
       at se.infogate.hitnet.client.ip.IPConfigApplet.changeIP(IPConfigApplet.java:66)
       at se.infogate.hitnet.client.ip.IPConfigApplet.start(IPConfigApplet.java:46)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Many thanks in advance!
  /Henrik

  You can't access the dialog, but you can always use AccessController.checkPermission(perm); to check whether you have permissions or not. You could place the check in the applet initialisation and display a notice to the user that he/she must grant the privileges.

• Restricting Permissions in signed applet jar

  I have an applet, created a signed jar and when I run it in my browser a dialog box asking me to grant all permissions... which is nice...
  However, is it possible to limit the permissions of that jar WITHOUT doing anything to the policy files on the client machine? Is it possible for an applet to specify which permissions it would like?
  Any ideas!!

  as far as I know you can only restrict the permissions
  when you create the policy file, but if there where in
  the next revision a kind of option during the signing
  process it would be great.Hummh... I don't know if I understand this well. You are saying that it's from the responsability of the Applet provider/developer to restrict the permissions that the Applet will have or not on the computer client?!
  I don't think that makes sense! The client itself should be the only authority to say what permissions he would like to give to the Applet or not.
  For instance, I made an Applet and I signed. When I opened it on a browser, it asks only if I trust on the certificate. If yes, the Applet will run. If not, it won't run at all.
  Question:
  -In my tests, why is that my Java plugin didn't shown what is the special grants that the Applet needs? There is only give or not give? I would like to know what kind of special permissions the Applet gives to decide if I would let it run or not? By default the client has no .java.policy file...
  Thanks,
  Pedro Salazar.
  P.S.-I'm running (testing) on jdk1.4.2+Mozilla+Linux.

• File read access denied for signed applet

  Hi:
  I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
  java.lang.Exception: java.security.AccessControlException:
      access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)The error is produced when the method loadKeyStore(pin) below is called.
      private KeyStore ks;
      private Provider provider;
      private static final String providerName    = "PKCS11";
      private static final String providerLibrary = "aetpkss1.dll";
      public void loadKeyStore(String pin) throws IOException,
       CertificateException, KeyStoreException, NoSuchAlgorithmException {
       if (provider == null)
           registerProvider(providerLibrary);
       try {
           ks = KeyStore.getInstance(providerName,provider);
       } catch (Exception e) {
           throw new KeyStoreException("Failed get keystore instance\n"
                           + e.getMessage());
       try {
           ks.load(null, pin.toCharArray());
       } catch (Exception e) {
           throw new KeyStoreException("Failed load keystore\n"
                           + e.getMessage());
      public void registerProvider(String library)
       throws FileNotFoundException, KeyStoreException {
       String fileName;
       if (new File(library).isAbsolute())
           fileName = library;
       else
           fileName = getAbsolutePath(library);
       if (!(new File(fileName).exists()))
           throw new FileNotFoundException("No such file: " + fileName);
       String config = "name = " + providerName + "\n"
           + "library = " + fileName;
       ByteArrayInputStream confStream =
           new ByteArrayInputStream(config.getBytes());
       try {
           provider = new sun.security.pkcs11.SunPKCS11(confStream);
           Security.addProvider(provider);
       } catch (Exception e) {
           throw new KeyStoreException("Can initialize " +
                           "Sun PKCS#11 provider. Reason: " +
                           e.getCause().getMessage());
      private String getAbsolutePath(String lib) throws FileNotFoundException {
       String[] searchPath;
       /* NOTE: This should be modified to suit different versions of   *
        *       Windows and not just Windows XP                         */
       if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
           searchPath = new String[] { "C:\\WINDOWS\\system32" ,
                           "C:\\java" };
       } else {
           searchPath = new String[] { "/usr/local/lib/" };
       for (int i = 0; i < searchPath.length; i++) {
           if ((new File(searchPath[i] + File.separator + lib).exists()))
            return (searchPath[i] + File.separator + lib);
       throw new FileNotFoundException("Library not in search path " + lib);
      }The above code is called by a java script, the class' constructor is empty.
  The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
  The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
  I have also made a CLI application that uses the above code and it works perfectly.
  So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
  The certificate I generated with
  keytool -genkey -keystore mystore -alias me
  keytool -seflcert -keystore mystore -alias meI have tired both with and without the selfcert step.
  Thanks! Erik

  The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
  It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
  A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate.

• How to resolve problems in policy file of signed Applet

  Hi to All,
  I want to connect the web site through my Signed Applet which is working as a Proxy server. but i m facing certain problems in my policy file:
  this is my policy file :-
  grant {
  permission java.security.AllPermission "", "";
  permission java.net.SocketPermission "http://www.google.com:4321", "connect, accept,resolve";
  permission java.security.UnresolvedPermission;
  n i got such type of exceptions n my Applet prompt applet not initialized.
  Got connection Socket[addr=/192.168.1.232,port=1200,localport=4321]
  Reading request...
  URI is: http://www.google.com/
  Host to contact is: www.google.com at port 80
  Got request...
  java.security.AccessControlException: access denied (java.net.SocketPermission www.google.com resolve)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
  at java.net.InetAddress.getAllByName(InetAddress.java:1061)
  at java.net.InetAddress.getByName(InetAddress.java:958)
  at java.net.InetSocketAddress.<init>(InetSocketAddress.java:124)
  at java.net.Socket.<init>(Socket.java:179)
  at ProxyApplet.handle(ProxyApplet.java:75)
  at ProxyApplet.<init>(ProxyApplet.java:132)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
  at java.lang.Class.newInstance0(Class.java:350)
  at java.lang.Class.newInstance(Class.java:303)
  at sun.applet.AppletPanel.createApplet(AppletPanel.java:721)
  at sun.applet.AppletPanel.runLoader(AppletPanel.java:650)
  at sun.applet.AppletPanel.run(AppletPanel.java:324)
  at java.lang.Thread.run(Thread.java:595)
  here 4321 is Port no. which i've as a random port no.
  plz Help
  thnx in advance
  with regards
  pank_naini

  Please, if you can't help me, could you tell me who can I contact ?

• What permissions do signed applets get? And how can I tell?

  This could be a JNLP question, but it's really about signing versus not signing.
  I find that if I sign the applet's jar, I get permissions I don't get if I don't sign it, even though I haven't asked for any permissions. What's disturbing about this is that neither the JNLP spec (look under Launch) nor the Permissions spec (look here [http://download.oracle.com/javase/1.4.2/docs/guide/security/permissions.html#SecMgrChecks] -- I don't know if there's a more recent version) make any mention of signing. (Well, the JNLP spec says you need to sign if you ask for permissions, but I'm not asking for any permissions in the JNLP.)
  So, my question is: Where is the set if permissions that an applet gets solely by virtue of being signed documented? Failing that, is it possible to get the security manager to list out the permissions I have?

  bump
  having the same existential question about the secret mysteries of jnlp applets, I'd be highly interested by the answer :)

• Problem with granting permissions in the security policy file

  Hi,
  I have a security policy file. I am granting permissions to some files. Now even if I have given permissions explicitly it doesnt taking it and gives error. My code snippet is as follows:
  grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-ws4ee.sar/-"{
       permission java.security.AllPermission;
  The stack-trace for the same is as follows:
  11:09:49,518 ERROR [MainDeployer] Could not initialise deployment: file:/C:/Java/jboss-4.0.2/server/all/deploy/jboss-ws4ee.sar/jboss-ws4ee.war
  java.security.AccessControlException: access denied (java.io.FilePermission C:\Java\jboss-4.0.2\server\all\tmp\deploy\tmp17221jboss-ws4ee.war read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
       at java.security.AccessController.checkPermission(AccessController.java:401)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
       at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
       at java.io.File.lastModified(File.java:771)
       at org.jboss.deployment.MainDeployer.init(MainDeployer.java:866)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:765)
       at org.jboss.deployment.MainDeployer.addDeployer(MainDeployer.java:360)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:121)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
       at $Proxy37.addDeployer(Unknown Source)
       at org.jboss.deployment.SubDeployerSupport.startService(SubDeployerSupport.java:111)
       at org.jboss.web.AbstractWebContainer.startService(AbstractWebContainer.java:600)
       at org.jboss.web.tomcat.tc5.Tomcat5.startService(Tomcat5.java:409)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:272)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:222)
       at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:897)
       at $Proxy0.start(Unknown Source)
       at org.jboss.system.ServiceController.start(ServiceController.java:418)
       at org.jboss.system.ServiceController.start(ServiceController.java:440)
       at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
       at $Proxy4.start(Unknown Source)
       at org.jboss.deployment.SARDeployer.start(SARDeployer.java:273)
       at org.jboss.deployment.MainDeployer.start(MainDeployer.java:964)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:775)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:738)
       at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:121)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
       at $Proxy8.deploy(Unknown Source)
       at org.jboss.deployment.scanner.URLDeploymentScanner.deploy
  Here I am giving all permission which in turn encapsulate FilePermission also. So this should work. But why it is bypassing this permission?
  Any clues?!
  Thanks.
  Jahnvi

  grant codeBase
  "file:${jboss.server.home.dir}/deploy/jboss-ws4ee.sar/-"{That's not a codebase, it's a specification for a FilePermission. A codebase is a list of one or more directories or JAR files expressed as URLs.

• Granting permissions for JAVA STORED PROCS

  If I imported a java class file as user test and created a stored proc, how can I grant permissions to all the users in the DB? Do I have to grant permissions on JAVA CLASS itself when I load it or Do I have to grant permissions on the Stored proc or Both?
  Any help will be greatly appreciated.
  null

  Note: I can manually add the file with the command -
  loadjava -v -user user/password@sid sqljdbc.jar (pg 261 in Oracle Database Programming using Java and Web Services by Kuassi Mensah)
  Which is what I have done to get this to work. But the question still stands - How do I get the sqljdbc.jar file to be loaded when deployed using the deployment descriptor?
  Thanks, Ken

• Java applet warning keeps coming back for signed applet

  I have an applet signed with certificate issued by a public CA cert verisign. This applet prints document to the printer. When it loads everything looks good and checks on the screen and the user is prompted to allow access to the printer. Even, though the user selects "Allways allow this applet to print" the warning keeps coming back everytime the applet attempts to access the printer.
  I notice other applets work correctly. I veriy the signed jar and it all looks correct every class file comes with smk marking.
  What is going, can someone please help???
  Manuel

  I appreciate the help. but i was able to resolve the problem. Our web page called the applet print method directly from scripting. Apparently that causes the java plugin to warn the user every time.
  To avoid this issue the new print method queues up a print job and a separate thread watches for the queue and picks up the job and prints it. In order to support the same original function, the new print method is syncronized and waits for the job to be queued before it returns.
  Now, there are no warnings even the first time you use the applet.
  [Here is another similar thread.|http://forum.java.sun.com/thread.jspa?forumID=63&threadID=524815]
  Thanks,
  Manuel