Signed Applet VS. Files

Similar Messages

• Problems with signed Applet for File Download under JRE 1.4 (works with 1.3

  Dear all,
  i encountered a very strange behaviour with JRE 1.4x. A signed applet used for file download worked on all platforms (Windows NT, 2000 and XP wth/wthout SP...) until I installed JRE 1.4.x (1.4.1 or 1.4.2)
  I get an EOFException when downloading binary files (for ASCII it works fine) when trying to readByte() from a DataInputStream. But not immideately, but after x bytes in the while-loop. Security is fine (I know there have been changes to that in jre 1.4, the applet itself can be started an runs with ASCII files for transfer)
  Does anyone know, what has changed in jre1.4.
  As I said, it works fine under jre 1.3.x
  The relevant code is below: byte bt = dis.readByte(); causes the error
  try{
  // Get URL from Server
  URL uFile = new URL(sFilename);
  sThisURLFile = uFile.getFile();
  Integer inte = new Integer(i);
  //open input stream for the file on server
  DataInputStream dis = new DataInputStream(new BufferedInputStream
  (uFile.openConnection().getInputStream()));
  //open output stream for the file on local drive
  String sFilenameOnly = sThisURLFile.substring(sThisURLFile.lastIndexOf('/')+1);
  int iDotPos = sFilenameOnly.lastIndexOf(".");
  String sExt;
  if (iDotPos > 0) {
  sExt= sFilenameOnly.substring(iDotPos);
  } else {
  sExt = "";
  File fileOut = new File(sDownloadDir + sThisURLFile.substring(sThisURLFile.lastIndexOf('/')+1) );
  DataOutputStream dos = new DataOutputStream(new
  BufferedOutputStream(new FileOutputStream(fileOut)));
  //read one byte from input stream, and write that byte to output stream
  long nByte = 0;
  int iCnt = 0;
  iFilesizeDone ++;
  while (nByte < iFilesize){
  String sErrPs = new String();
  try{
  sErrPs = "00";
  byte bt = dis.readByte();
  sErrPs = "01";
  dos.writeByte(bt);
  } catch (EOFException ee)
  System.err.println("internal EOFException: " + ee.getMessage());
  System.out.println("Error Filesize is " nByte " of " iFilesize "---" + sErrPs);
  break;
  nByte++;
  iFilesizeDone ++;
  iCnt ++;
  if(iCnt >= 10240) {
  ShowProgress(nByte, iFilesize, iFilesizeDone, iFilesizeTotal); // repaint does not work during init-procedure
  iCnt = 0;
  line = "Progress: Total: " + ((iFilesizeDone*100)/iFilesizeTotal) + " perc, " + iFilesizeTotal/1024 +" kbytes" ;
  labLine.setText(line);
  //dos.flush(); // improves Client performance (Agent-Call!)
  dis.close();
  dos.close();
  }// End try
  catch (EOFException ee)
  System.err.println("EOFException: " + ee.getMessage()e);
  catch (SecurityException se)
  System.err.println("SecurityException: " + se.getMessage());
  catch (IOException ioe)
  System.err.println("IOException: " + ioe.getMessage());

  perhaps they've changed something with the file blocking.
  btw, you should try to use something like this
  DataInputStream dis = new DataInputStream(is);
  byte[] buffer=new byte[8192];
  int numBytesRead;
  while ( dis.available()>0 ) {
       numBytesRead = dis.read(buffer);
  }               

• Signed applet for file download?

  Hello folks,
  I have a signed applet through which i can upload multiple files to a servlet. I wish to create another applet or enhance this one to enable it to download multiple files from the server to the client m/c. Any idea, how to go about it?
  I will appreciate your helpful replies.
  Thank you,
  Coreli

  which part? You apparently already know how to sign an applet... and use a file chooser... and create servlets that can take files.... seems you need to do the opposite and use input streams where you used output streams before and vice versa...

• AddProvider in a signed applet(cab file)

  Hi,
  I have been trying to sign an applet such that I can use the JCA from within
  an applet.
  My goal is to encrypt a file and then ftp it to a server. I am currently
  able to "read" the file from the client's system and then ftp it. I have
  created a test certificate and signed the applet grandting it "low"
  privileges. I was able to open an input stream on a file without having to
  make use of assertPrivilege(...) !
  I believe the above was possible because I was invoking a method (which
  reads the file and ftps it) on a button click and thus I think the
  checkPermission(...) didn't somehow get to the init(...) ot other default
  methods. I think this is the case because of the following.
  After I had accomplished the above I tried to use the JCA to encrypt the
  file. To be able to do so I had to use addProvider(...). This is where I am
  facing the problem. I used the applet I developed to achieve the above and
  inserted the call to addProvider(..) on the method handling the button
  click. I even used the assertPrivilege(...) and revertPrivilege(...)
  methods. But I get an exception as follows ---
  om.ms.security.SecurityExceptionEx[com/pyrasec/online/pyracrypt/PyraCryptCipher.pyraCryptConnect]
       at com/ms/security/PolicyEngine.deepCheck
       at com/ms/security/PolicyEngine.checkPermission
       at com/ms/security/StandardSecurityManager.chk
       at com/ms/security/StandardSecurityManager.checkSecurityAccess
       at java/security/Security.check
       at java/security/Security.insertProviderAt
       at java/security/Security.addProvider
       at com/pyrasec/online/pyracrypt/PyraCryptCipher.pyraCryptConnect
       at com/pyrasec/online/pyracrypt/PyraCryptGUI.init
       at com/ms/applet/AppletPanel.securedCall0
       at com/ms/applet/AppletPanel.securedCall
       at com/ms/applet/AppletPanel.processSentEvent
       at com/ms/applet/AppletPanel.processSentEvent
       at com/ms/applet/AppletPanel.run
       at java/lang/Thread.run
  ----- the ABOUT TO ASSERT PERMISSION
  PERMISSION ASSERTED are my System.err.printlns.
  I initially invoked assertPrivilege(..) using SECURITY Permission ID and
  later tried using SYSTEM too. But nothing seems to help. I have read and
  re-read the sdkdoc, but just can't come up with any thing I have missed out
  on.
  Could any one help me here, please. I saw someone suggest on the newsgroup
  at the java.sun site to sign the applet. He ssemed pretty confident that the
  above stack trace is a result running an unsigned applet. But after all that
  I have tried I no longer think so.
  What did i have to do to solve this problem ?
  Thanks
  Ralf

  Security is very different for different combinations of web browser and/or Java Plugin. In most cases (unless you are using Plugin 1.3+) you have to have import your certificate into trusted area of your browser/plugin and only then your signature will enable those features.

• File read access denied for signed applet

  Hi:
  I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
  java.lang.Exception: java.security.AccessControlException:
      access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)The error is produced when the method loadKeyStore(pin) below is called.
      private KeyStore ks;
      private Provider provider;
      private static final String providerName    = "PKCS11";
      private static final String providerLibrary = "aetpkss1.dll";
      public void loadKeyStore(String pin) throws IOException,
       CertificateException, KeyStoreException, NoSuchAlgorithmException {
       if (provider == null)
           registerProvider(providerLibrary);
       try {
           ks = KeyStore.getInstance(providerName,provider);
       } catch (Exception e) {
           throw new KeyStoreException("Failed get keystore instance\n"
                           + e.getMessage());
       try {
           ks.load(null, pin.toCharArray());
       } catch (Exception e) {
           throw new KeyStoreException("Failed load keystore\n"
                           + e.getMessage());
      public void registerProvider(String library)
       throws FileNotFoundException, KeyStoreException {
       String fileName;
       if (new File(library).isAbsolute())
           fileName = library;
       else
           fileName = getAbsolutePath(library);
       if (!(new File(fileName).exists()))
           throw new FileNotFoundException("No such file: " + fileName);
       String config = "name = " + providerName + "\n"
           + "library = " + fileName;
       ByteArrayInputStream confStream =
           new ByteArrayInputStream(config.getBytes());
       try {
           provider = new sun.security.pkcs11.SunPKCS11(confStream);
           Security.addProvider(provider);
       } catch (Exception e) {
           throw new KeyStoreException("Can initialize " +
                           "Sun PKCS#11 provider. Reason: " +
                           e.getCause().getMessage());
      private String getAbsolutePath(String lib) throws FileNotFoundException {
       String[] searchPath;
       /* NOTE: This should be modified to suit different versions of   *
        *       Windows and not just Windows XP                         */
       if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
           searchPath = new String[] { "C:\\WINDOWS\\system32" ,
                           "C:\\java" };
       } else {
           searchPath = new String[] { "/usr/local/lib/" };
       for (int i = 0; i < searchPath.length; i++) {
           if ((new File(searchPath[i] + File.separator + lib).exists()))
            return (searchPath[i] + File.separator + lib);
       throw new FileNotFoundException("Library not in search path " + lib);
      }The above code is called by a java script, the class' constructor is empty.
  The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
  The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
  I have also made a CLI application that uses the above code and it works perfectly.
  So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
  The certificate I generated with
  keytool -genkey -keystore mystore -alias me
  keytool -seflcert -keystore mystore -alias meI have tired both with and without the selfcert step.
  Thanks! Erik

  The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
  It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
  A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate.

• How to resolve problems in policy file of signed Applet

  Hi to All,
  I want to connect the web site through my Signed Applet which is working as a Proxy server. but i m facing certain problems in my policy file:
  this is my policy file :-
  grant {
  permission java.security.AllPermission "", "";
  permission java.net.SocketPermission "http://www.google.com:4321", "connect, accept,resolve";
  permission java.security.UnresolvedPermission;
  n i got such type of exceptions n my Applet prompt applet not initialized.
  Got connection Socket[addr=/192.168.1.232,port=1200,localport=4321]
  Reading request...
  URI is: http://www.google.com/
  Host to contact is: www.google.com at port 80
  Got request...
  java.security.AccessControlException: access denied (java.net.SocketPermission www.google.com resolve)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
  at java.net.InetAddress.getAllByName(InetAddress.java:1061)
  at java.net.InetAddress.getByName(InetAddress.java:958)
  at java.net.InetSocketAddress.<init>(InetSocketAddress.java:124)
  at java.net.Socket.<init>(Socket.java:179)
  at ProxyApplet.handle(ProxyApplet.java:75)
  at ProxyApplet.<init>(ProxyApplet.java:132)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
  at java.lang.Class.newInstance0(Class.java:350)
  at java.lang.Class.newInstance(Class.java:303)
  at sun.applet.AppletPanel.createApplet(AppletPanel.java:721)
  at sun.applet.AppletPanel.runLoader(AppletPanel.java:650)
  at sun.applet.AppletPanel.run(AppletPanel.java:324)
  at java.lang.Thread.run(Thread.java:595)
  here 4321 is Port no. which i've as a random port no.
  plz Help
  thnx in advance
  with regards
  pank_naini

  Please, if you can't help me, could you tell me who can I contact ?

• Signed applet : problem signing jar files that are in build path

  Hello,
  I have a problem while trying to create an ftp applet.
  I use org.apache.commons.net.ftp and i build path for commons-net-1.1.4.jar and then i build my classes.
  When i create a jar file with my classes and after signing it, it works under eclipse but not on a web page.
  I had signed commons-net-1.1.4.jar before to build the path in eclipse but commons-net-1.1.4.jar is not in my jar file.
  What is the way to sign applet correctly even if some jar ressources are in eclipse build path.
  Thank you

  You were right!!!
  I'm not sure what to write down in the formsweb.cfg (configuration file) , following the instructions on the on-line help of Developer Forms 10g , in step 9..
  The step 9 says...
  Because in this release the JACOB code is in an external Jar file and not incorporated into frmwebutil.jar, it needs to be downloaded. To do this, change the WebUtilArchive setting to read: webUtilArchive=/forms/webutil/frmwebutil.jar,/forms/webutil/jacob.jar
  The doudt is pointed to the fact that the frmwebutil.jar isn't in the ORACLE_HOME\forms\webutil path but it is ORACLE_HOME\forms\java path.
  Also , these paths referenced in webUtilArchive are physical paths in a Unix system or they are logical paths in a url?
  Simon

• Question about Java Applet Jar file signing.

  These questions pertain to Java 6 Standard Edition 1.6.0_22-b04 and later.
  I have gone through the Oracle Java Tutorial for generate public and private key information
  to sign a jar file, and how to sign the jar itself, all at
  [http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html|http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html]
  , and seek some clarification on the following related questions:
  -In order to "escape" the java applet sandbox that exists around the client's
  copy of the applet running in their web browser, ie.
  (something forbidden by default), is verification of the signed applet enough, or is a policy file required
  to stipulate these details?
  -using the policytool policy file generator, what do I need to add under "Principals"
  (if anything) when dealing with a Java applet? Are Codebase and SignedBy simply author information?
  -If I choose to use a java.security.Permission subclass object set up in equivalent fashion within the Applet,
  which class within the Applet jar do I instantiate that object in? Does it need to be mentioned
  in the applet's jar Manifest.MF file?
  -Is the "keystore database" a java language service/process which runs in
  the Server's memory and is simply accessed and started by default
  by the client verifier program (appletview/web browser)?
  -The public key certificate file (*.cer) is put in the webserver directory holding
  the Applet jar file (ie. Apache Tomcat, for example).
  -Presumably, the web browser detects the signed jar
  and certificate file, and provides the browser pop up menu asking the user
  about a new, non recognised certificate (initially).
  Is this so?
  -With this being the case, can the applet now escape
  the sandbox, be it with or without the stipulated
  policy permissions?

  848439 wrote:
  -In order to "escape" the java applet sandbox that exists around the client's
  copy of the applet running in their web browser, ie.
  (something forbidden by default), is verification of the signed applet enough, or is a policy file required
  to stipulate these details?Just sign the applet, the policy file is not necessary.
  -Is the "keystore database" a java language service/process which runs in
  the Server's memory and is simply accessed and started by default
  by the client verifier program (appletview/web browser)?No.
  -The public key certificate file (*.cer) is put in the webserver directory holding
  the Applet jar file (ie. Apache Tomcat, for example).No. For a signed Jar, all the information is contained inside the Jar.
  -Presumably, the web browser detects the signed jar
  and certificate file, and provides the browser pop up menu asking the user
  about a new, non recognised certificate (initially).
  Is this so?No. It is the JVM that determines when to pop the confirmation dialog.
  -With this being the case, can the applet now escape
  the sandbox, ..Assuming the end-user OK's the trust prompt, yes.
  ..be it with or without the stipulated
  policy permissions?Huh?

• Include many jars for a complex signed applet in html file??

  hello
  I'd like to know how it's possible to put a signed applet in an html file, that needs many jar files.
  I explain myself: I know that to create a signed applet and to put it in an html file, I need to create a Jar file that contains this applet, create a private key with keytool, sign the jar and include it in my html file with the tag <applet code="....." archive="......jar".... />
  This works fine if my applet is a simple program that only uses the clases present by default in the jdk.
  In my case, I have a big project, with many packages. In one of these packages, I have my applet that uses some classes of the other packages, which use classes from imported jars, such as BouncyCastle, and others...
  There is still no problem when I run the applet from the applet viewer.
  The problem appears when I put the JAR file with all these classes in the html file: there is a problem since it doesn't know anything of these classes imported from these jars.. It's quite obvious actually.
  My question is: how do I do to make the html file aware of these classes? Is there an html tag that allows us to include many jar files? Do I have to decompress all these jars, take all the directories, add them to the directories of my project and create a BIG jar (that's what I did, but it's really dirty, and heavy! (11M))??
  Does anyone have an idea about how I can do it?
  Thanks for your help
  Philippe

  11 MB is pretty big for an applet.
  Let's say your applet uses java 3d, normally a client would download and
  install this seporately, meaning the jars needed end up in lib/ext directory where
  any applet can find them.
  Check what applets need to be installed (put in lib/ext) and what can be
  downloaded:
  <object .....
  <param name="archive" value="myJar.jar, myOtherjar.jar" />

• Write file with signed applet

  Hi!
  I have a signed applet which has to write a file to the server, but i still get permission exceptions. I guess I still have to add permissions to the applet but I realy can't find how to do that. Can anyone give me a short tutorial on how to add permissions to the applet?
  greetings

  As stated, applets are only able to write files in the machine that the applet is running on. They can't write files to other machines. They can communicate to the machine that they originate from (its host) - but not other, random machines.
  To place a file on its host, the applet sends the file contents to its host (typically using sockets for this) which receives the data with a server program. Then another program on the host writes the data to a file. If you want the file on another, random machine then it can be transferred using the same approach (sockets, etc.)
  There are alternatives, but this is the least complicated approach. This tutorial walks you through creating an applet and the host it communicates with.
  [http://java.sun.com/docs/books/tutorial/deployment/applet/server.html]
  Note that the tutorial also has a link to a more detailed tutorial, the Custom Networking Trail.

• Signed applets (are policy files needed!)

  I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet), is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02
  Is this the expected behavior?
  I sure hope it is because how in the world can you install applications to many clients and update their policy file? you can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet. I want to get rid of using Netscape security model but I can not update many client machine policy files... Please help!!! thanks. Is signing an applet all you have to do to access local machines, I sure hope so! Thanks in advance.

  I've done some more research specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader that allows a signed jar file (once trusted by the client) to have access to local resources.
  Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
  Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
  There is no simply way to deploy and use customized policy files, a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
  Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
  The java plug-in (I believe its 1.3 and later) provides a workaround although its recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources).
  RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
  In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
  I hope this helps, I've been looking for this solution for quite some time, trying to understand why singed applets work with no policy files for version 1.4... Talk to you later, Jay.

• How to read client's home directory files using  signed applets

  hi
  i want to konw the exact procedure for the creation of signed applets . using that i want to read my client files....
  Thanks
  Dileep

  google: http://www.google.com/search?q=how+to+sign+an+applet

• Signed applet to open local file problem with IE6 / Firefox

  Hello
  I have a signed applet to open a local file, with this code :
  try{
     URL destination=null;
     File f=new File(adresse);
     destination=f.toURL();
     AppletContext ac=applet.getAppletContext();
     ac.showDocument(destination,"_blank");
  catch (MalformedURLException e)
     System.out.println(e.toString());
  ...It works perfectly with Netscape 7.01 and IE 5.5, but not with IE6.0 or Firefox 1.0...
  (using SUN JVM 1.4.2_04), and there is no trace/error message
  With a http link, it works for all browsers...
  try{
     URL destination=new URL("http://my.site/mypage.htm");
     AppletContext ac=applet.getAppletContext();
     ac.showDocument(destination,"_blank");
  catch (MalformedURLException e)
     System.out.println(e.toString());
  ...Any idea ??
  Thanks

  Hello again
  There's something I don't undestand...
  java applet code
  import java.applet.*;
  import java.net.*;
  public class test extends Applet {
       public void init() {
            try {          
                 String path = "file:/C:/Temp/";
                 URL destination = new URL(new URL(path) ,"test.jpg");
                 System.out.println("URL is now: " + destination.getPath() );          
                 AppletContext ac = this.getAppletContext();
                 ac.showDocument(destination, "_blank");
            } catch (Exception e) {
                 e.printStackTrace();
  html code
  <html>
  <head>
  <title>test</title>
  </head>
  <body>
  <applet CODE = "test.class" ARCHIVE = "sTest.jar" width=350 height=200></applet>
  </body>
  </html>
  Signature
  javac -classpath ".;D:\Program Files\Java\j2re1.4.2_04\lib\plugin.jar" test.java
  keytool -genkey -keystore mag -keyalg rsa -alias harm -validity 3600 -keypass password -storepass password
  jar cf0 test.jar *.class
  jarsigner -keystore mag -storepass password -keypass password -signedjar sTest.jar test.jar harm With a debug the signature looks good in the logs (translation by google, not sure of the correct words...)
  The checking of the certificate using the certificates CA root failed
  Piled up method
  Unstacked method
  Selected user: 0
  The user granted the rights of access to the code for this session only
  Addition of the certificate in the storage section of the certificates of session JPI
  Certificate added in the storage section of the certificates of session JPI
  Recording of the certificates in the storage section of the certificates of session JPI
  Certificates recorded in the storage section of the certificates of session JPI
  URL is now: /C:/Temp/test.jpg
  Javascript: Activated UniversalBrowserRead
  Javascript: Activated UniversalJavaPermission
  What are the 2 last line ?? (appears only in firefox, not in IE55...don't have another browser yet 'cause my graphic card and motherboard are out of order :-(
  Why in firefox, in the javascript console, there is a "message" (again translation by google...) but everything is alright in the java console ??
  Error of safety: the contents located at http://www.distantserver.com/Demo/test/test.html cannot charge of data or establish a bond towards file:///C:/Temp/test.jpg.
  Thanks in advance (and sorry if I only don't understand something from your link because of my english level...)

• Signed applet can't read image file..

  Hello
  My English ability is very poor.. sorry
  I make a signed applet
  and I open Internet Exploere
  I connect to my web page
  when I connect to my web page
  my signed applet upload "c:\blahbalh...\image.gif" automatically
  but It's not work
  java.security.AccessControlException: access denied (java.io.FilePermission C:\DOCUME~1\krict\LOCALS~1\Temp\Hnc\BinData\EMB00000cac2143.jpg read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkRead(Unknown Source)
       at java.io.FileInputStream.<init>(Unknown Source)
       at java.io.FileInputStream.<init>(Unknown Source)
       at EchoApplet.onSendData(EchoApplet.java:61)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at sun.plugin.javascript.invoke.JSInvoke.invoke(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
       at sun.plugin.com.MethodDispatcher.invoke(Unknown Source)
       at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
       at sun.plugin.com.DispatchImpl$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.plugin.com.DispatchImpl.invoke(Unknown Source)
  signed applet can't not read file..
  how can I solve my problem?

  Trace please.
  http://forum.java.sun.com/thread.jspa?threadID=656028
  Maybe some relevant code
  Signing applets:
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post and reply 18 for the java class file using doprivileged

• Signed applets called from javascript - how/where to load policy file?

  I'm running into some apparently well-known problems with signed applets accessing a client machine's hard drive.
  So, I can get things to work if I place the following two lines in my 'local' JDK installation:
  permission java.io.FilePermission "${user.home}/x.properties", "read,write";
  permission java.util.PropertyPermission "user.home", "read";These let me a) read the user's home directory and b) read/write a file that's located there.
  What I don't want to do is edit the java.policy file, but I'm having problems loading a separate policy file. The app server we run with our product is jetty, and I'm assuming I would be passing in the '-Djava.security.policy=='filename' with the other jetty start-up parameters- is this a correct assumption? And, what path do I give for the file, will I need to put it somewhere in the .war file we distribute, or in the JDK installation on the server? If it's on the server, will client machine's know about these extra rights?
  I'd REALLY appreciate any help I could get on this...
  thanks in advance,
  +0^^

  Maybe you didn't realize but my previous post was sarcastically ment:
  "hello SUN security stop bugging me in writhing this malicious program"
  and
  "hello SUN security, I'm a good boy now trust what I'm doing"
  Are in a practical sense exactly the same.
  SUN should either remove the stack check or the doprivileged. The stack check takes up
  valuable resources for nothing since a malicious program can easily circumvent that.
  Your post about a malicious user abusing your (CA) signed applet to ruine someone's
  system is correct, it would not be difficult. A CA signed applet will not even ask a user to
  trust or not. This is one of the reasons we have the usepolicy in affect, but this cannot be
  used on "grandma's old PC" since it's too complicated for users to do such things.
  YOU seem to be the one to blame, not the hacker! (The user accepted YOUR
  certificate!).Actually you are to blame, because you made software that exposes a vonurability
  other people can take advantage of.
  what you can do before calling the doprivileged private method is check the call stack.
  So your signed applet has a public method checking the callstack, if this lookes OK
  that method will call the private doprivileged method.
  Here is the example
  package t;
  import java.util.Properties;
  import java.applet.Applet;
  public class test extends Applet {
           public test(){
                 startingPrivileged();
           public void startingPrivileged(){
                 System.out.println("this is the stack");
                 try{
                      throw new Exception("get the call stack");
                 }catch(Exception e){
                      StackTraceElement stack[] = e.getStackTrace();
                      for (int i=0; i<stack.length; i++) {
                           System.out.println("file: " + stack.getFileName() + " method: " + stack[i].getMethodName() + " class: " + stack[i].getClassName() + " at " + new Integer(i).toString());
                      // this is a really simple check to see if this method was started from the t. package
                      // a good hacker can just create it's own package named t and take advantage of this method
                      // if this method was started from the same package there is no reason to make this method
                      // public, protected would work.
                      // there must be a better way to check if this method was called by "your" or "trusted" code
                      if(stack[1].getClassName().startsWith("t.")){
                           dosomePrivileged();
            private void dosomePrivileged(){
                 System.out.println("this is the method that does privileged stuff");
       public static void main(String args[]) {
            new test();

• Signed Applet - Problem reading large local files

  Hello,
  I am using a signed applet (self-signed) to read files from a clients machine (local file system). Following is the code for buffered reading (the meat):
  String thisLine, ret = "";
  try{
       BufferedReader myInput = new BufferedReader(new FileReader(fn));
       while ((thisLine = myInput.readLine()) != null) {
       ret += thisLine + "\n";
       myInput.close();
  catch (Exception e) {
       ret = "Cannot load, exception!";
  When I read a file <= 512KB, it runs fine/as expected. Now, when I read a file, say for example 1024KB in size, I expect the application to take twice as much time (than 512KB file) and read the file, but instead the applet/browser hangs. As a matter of fact I am not able to read files > 512KB.
  So, is there a limit on file size (from local file system) when reading from an applet, or is it to do with the way I am reading it?
  Any help, suggestions or comments would be highly appreciated.
  Thanks in advance.

  Here is how I read a file from my applet:
       private String getData(String u) {
            URL url = null;
            InputStream in = null;
            String ret = null;
            try {
                 // the following line wil read a file @ the same location as your class file
                 // this way your applet does not need any special privileges
                 // you could change the url to a file if so needed
                 url = new URL(this.getCodeBase(), u);
                 URLConnection conn = url.openConnection();
                 // next line is optional and just tells the http server
                 // a utf-8 response is accepted
                 // some servers will return a bad request
                 conn.setRequestProperty("Accept-Charset","utf-8");
                 // first try to find out if the server has
                 // provided us with the charset of the response
                 // since this doesn't work with the msjvp (version 1.1.2)
                 // it's commented out
                 // instead provide a charEncoding yourselve
                 String charEncoding = "UTF8";
  //               int i = conn.getHeaderFields().size()-1;
  //               while(i>-1){
  //                    System.out.print(conn.getHeaderFieldKey(i));
  //                    System.out.print("=");
  //                    System.out.println(conn.getHeaderField(i));
  //                    if(conn.getHeaderField(i).toLowerCase().indexOf("charset")!=-1){
  //                         String charsetLine = conn.getHeaderField(i).toUpperCase();
  //                         if(charsetLine.indexOf("SHIFT_JIS")!=-1){
  //                              charEncoding = "Shift_JIS";
  //                         if(charsetLine.indexOf("EUC-JP")!=-1){
  //                              charEncoding = "EUC-JP";
  //                    i--;
                 // here is the value for char encoding (as a parameter in the <object html tag)
                 if(this.getParameter("dataCharset")!=null){
                      charEncoding=this.getParameter("dataCharset");
                 // wither you have a file or an url you read from an inputstream
                 // here is how it's done
                 // read the whole file and than turn it into a string
                 in = conn.getInputStream();
                 ByteArrayOutputStream bos = new ByteArrayOutputStream();
                 int len;
                 byte[] buf = new byte[1024];
                 while ((len = in.read(buf)) > 0) {
                      bos.write(buf, 0, len);
                 in.close();
                 // you have the file as a byte array (bos.toByteArray()
                 // here is how you turn it into a string
                 ret = new String(bos.toByteArray(),charEncoding);
            } catch (Exception e) {
                 e.printStackTrace(System.out);
            return ret;
       }