Signed applets (are policy files needed!)

I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet), is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02.
Is this the expected behavior?
I sure hope it is, because how in the world can you install applications to many clients and update their policy file? You can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet? I want to get rid of using the Netscape security model but I cannot update many client machines' policy files... Please help!!! Thanks. Is signing an applet all you have to do to access local machines? I sure hope so! Thanks in advance.

I've done some more research, specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader, that allows a signed jar file (once trusted by the client) to have access to local resources.
Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
There is no simple way to deploy and use customized policy files; a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
The Java plug-in (I believe it's 1.3 and later) provides a workaround, although it's recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources).
RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
I hope this helps, I've been looking for this solution for quite some time, trying to understand why signed applets work with no policy files for version 1.4... Talk to you later, Jay.

Similar Messages

  • Signing Applets..Policy File

    Hi All,
    I have developed an applet to read from a file on the local hard disk. I have signed it. Regarding the policy file I have some confusion. Without a policy file it is also working. Isn't it a must to use policy files? If it is a must, how and where will I install it on other remote machines?
    Regarding certificates: do we have to manually give a link in our HTML, or is there any other way to let IE automatically pop up that "Plugin Window" asking about the certificate (Grant, Deny...)?
    Let me know the details.

    I have followed the instructions and signed all other libraries and I have encountered a runtime error in IE.
    The title of the message is Microsoft Visual C++ Runtime Library.
    The content is
    Runtime error!!
    Program: C:\program files\internet exploer\iexplorer.exe
    Abnormal program termination.
    I have tested several versions of IE and the Java plug-in. They include:
    IE 6.0 sp1 with JRE 1.3.1_10
    IE 6.0 sp1 with JRE 1.3.1_06
    IE 5.5 sp2 with JRE 1.3.1_05
    Could someone help me? Thanks!!

  • 3 files in my application folder on my imac called SWTFU_1.2.002.dmgpart.partial and they take up around 11 GB of space.  Are these files needed? Should I delete them?

    There are 3 files in my application folder on my imac called SWTFU_1.2.002.dmgpart.partial and they take up around 11 GB of space.  Are these files needed? Should I delete them?

    Hello Georgia,
    Those are failed/incomplete downloads, you can trash them & empty the trash.

  • What are the files needed for downloading the MSS -BusinessPackage

    Dear Gurus,
    Any body can give me a suggestion for downloading the MSS -BusinessPackage ,and also what are the files needed for the deployment -its in a urgent basis and reward points welcome!
    regards,
    S.Rajeshkumar

    Hi Rajesh,
    You have to download and deploy the following through SDM (for NW04s/EP7),
    1. Business Package for MSS (contains roles,worksets for your Business Package)
    2. PCUI_GP (WebDynpro Component)
    3. SAP_MSS (WebDynpro Component - your MSS application files)
    To use ESS and MSS in Conjunction, you also have to deploy Business Package for Common Parts.
    Backend SAP systems should have SAP HR and SAP FIN configured.
    http://help.sap.com/saphelp_erp2005/helpdata/en/29/d7844205625551e10000000a1550b0/frameset.htm
    Thanks,
    Vamshi

  • Include many jars for a complex signed applet in html file??

    hello
    I'd like to know how it's possible to put a signed applet in an html file, that needs many jar files.
    I explain myself: I know that to create a signed applet and to put it in an html file, I need to create a Jar file that contains this applet, create a private key with keytool, sign the jar and include it in my html file with the tag <applet code="....." archive="......jar".... />
    This works fine if my applet is a simple program that only uses the classes present by default in the jdk.
    In my case, I have a big project, with many packages. In one of these packages, I have my applet that uses some classes of the other packages, which use classes from imported jars, such as BouncyCastle, and others...
    There is still no problem when I run the applet from the applet viewer.
    The problem appears when I put the JAR file with all these classes in the html file: there is a problem since it doesn't know anything of these classes imported from these jars.. It's quite obvious actually.
    My question is: how do I do to make the html file aware of these classes? Is there an html tag that allows us to include many jar files? Do I have to decompress all these jars, take all the directories, add them to the directories of my project and create a BIG jar (that's what I did, but it's really dirty, and heavy! (11M))??
    Does anyone have an idea about how I can do it?
    Thanks for your help
    Philippe

    11 MB is pretty big for an applet.
    Let's say your applet uses java 3d, normally a client would download and
    install this separately, meaning the jars needed end up in lib/ext directory where
    any applet can find them.
    Check what applets need to be installed (put in lib/ext) and what can be
    downloaded:
    <object .....
    <param name="archive" value="myJar.jar, myOtherjar.jar" />

  • Self signed applets are not supported by plug-in

    I am using Windows 2000. I am using a self-signed applet which I have signed with the help of the Netscape signing tool with a test certificate. I have put the zip file in the "c:\program Files\netscape\users\default" directory
    after signing. While opening, it is giving an exception:
    "java.lang.SecurityException: cannot verify signature block file META-INF/ZIGBERT".
    please help me regarding this.
    ashok das
    otlsoft, bangalore.

    First you need to install your self-signed certificate into the system - only then will you be able to start the applet without problems.

  • Signed Applet VS. Files

    Hi,
    i signed my applet to access a xml file. That should work so far because the vm doesn't throw AccessDeniedExceptions any longer - as it did, when the applet wasn't signed.
    Now my problem are FileNotFoundExceptions: how the hell do I find that xml-file? It is stored in another folder than the jar-file of my applet. Changing the path in the java code (e.g. "../topics.xml" or "../../topics.xml" etc.) doesn't take effect.
    But it doesn't work either if the xml-file is in the same folder!
    Is there any documentation in which is described how signed jar-applets behave in accessing external files or other resources? It seems, that an applet doesn't work with classpaths in its manifest-file. I tried to use the codebase attribute in the <applet>-tag of my html source, but that was no solution...
    I should also tell you, that the code of the applet works fine with the appletviewer!
    DukeDollar-Hunters... is any one out there who can help me? :-) ...
    ciao, _fLo

    I have been passing in a string for a URL to the xml file in my applet with the param tag of the applet's jsp page and then calling getParameter() to get that string.
    String xmlUrl = this.getParameter("XmlFileUrl");
    URL url = new URL(xmlUrl);
    then when parsing xml I use:
    DocumentBuilderFactory builderFactory = DocumentBuilderFactoryImpl.newInstance();
    builderFactory.setValidating(false);
    DocumentBuilder builder = builderFactory.newDocumentBuilder();
    Document document = builder.parse(url.openStream());
    readXML(document);
    inside jsp code was
    <APPLET
    CODE="com.MyApplet.class"
         WIDTH="600" HEIGHT="500" CODEBASE="http://MyIPAddress:8080/MyProject/applets/MyApplet">
    <PARAM NAME="XmlFileUrl" VALUE="http://MyIPAddress:8080/MyProject/xml/DemInfo.xml">
    </APPLET>
    Oh, I also had some issues with Tomcat and moved my xml folder out of WEB-INF and left it under the WebContent folder of my project.

  • JRE 1.4.x Plugin - Signed Applets and Weird Behaviour (Policy)

    Hello.
    I have recently experienced some strange behaviour related to signed applets and policy files in JRE 1.4.2-b28 ( a friend got the same behaviour in a flavour of 1.4.1-xx as well ). Both tests were on Windows 2000 Professional platforms.
    Initially my unsigned applet, which attempts socket connections to a server different from the download location, fails with security exceptions ( as expected ). Then I did the following to sign the applet jar and configure my environment
    Steps: 1) Import "trusted CA" certificate into ${java.home}/lib/security/cacerts. (JRE home outside the JDK)
    2) Signed the jar using jarsigner and a certificate generated from the "trusted CA" (Entrust CA and certificate).
    3) Imported the signing certificate into the Java plugin using import in the plugin control panel.
    4) Created a new keystore (keytool,jks) and imported the signing certificate into the keystore with alias "developer". The keystore is stored in the user home as .keystore.
    5) Created a .java.policy for the user and attaching the keystore in 4) to it. ( also stored in user home ).
    6) Used the policy tool to grant socketpermissions to the specific codebase ( testing with file:/C:/test/* initially ) signed by "developer"
    After this, when I ran the test page under IE 5.5SP2 and Netscape 7.1 it worked without any security exception. Ditto for using the appletviewer and the policy file I created for the user.
    The weird part occurred when I removed the policy entry from the user policy file. After doing this, Netscape and IE still allow the applet to execute - somehow remembering that it was granted permissions at some point. The appletviewer does not allow it to execute, generating security exceptions.
    It appears the old policy is being cached somewhere, but I cannot find where. If I replace the applet jar with an unsigned version it does fail in IE and Netscape. I tried cleaning the plugin cache and removing the "deployment.certs" files related to the users but still get the same behaviour.
    Does anyone know where the old policy information is being stored ? Does anyone know how to revoke the permissions so that I am restored to my original base environment ( no permissions for "designer" signed applets ) ? Would attempting to utilize the AccessController.doPrivileged( xxxx ) operations in JDK 1.4 avoid all of this confusion with policy files, keystores and certificate storage ? After all the messing about I would like a zero-footprint alternative ( or minimized footprint anyway ).
    Any ideas would be most welcome.
    Regards,
    James.

    Hello Again.
    I am either enlightened or confused at this point. I found that as long as all of my related Jars are signed ( even by self-signed certificates ) I am granted SocketPermissions for calls outside of the originating server. Unsigned code is refused, but even when the Jars were signed using a self-signed certificate the Socket calls were allowed.
    Am I experiencing the appropriate behaviour in this case ( which would mean not having to utilize policy files to distribute an applet that uses calls to arbitrary servers - e.g. JavaMail ) or am I suffering from something damaged in my environment ?
    It has been a long time since I played with signed applets and I am having difficulty determining what operations require policy file entries/AccessController.doPrivileged() calls and which are granted when a user elects to trust a signed applet without policy.
    Any assistance in clearing up my confusion would be appreciated.
    Regards,
    James.

  • Problems with signed Applet for File Download under JRE 1.4 (works with 1.3

    Dear all,
    I encountered a very strange behaviour with JRE 1.4x. A signed applet used for file download worked on all platforms (Windows NT, 2000 and XP with/without SP...) until I installed JRE 1.4.x (1.4.1 or 1.4.2)
    I get an EOFException when downloading binary files (for ASCII it works fine) when trying to readByte() from a DataInputStream. But not immediately, but after x bytes in the while-loop. Security is fine (I know there have been changes to that in jre 1.4, the applet itself can be started and runs with ASCII files for transfer)
    Does anyone know what has changed in jre1.4?
    As I said, it works fine under jre 1.3.x
    The relevant code is below: byte bt = dis.readByte(); causes the error
    try {
        // Get URL from Server
        URL uFile = new URL(sFilename);
        sThisURLFile = uFile.getFile();
        Integer inte = new Integer(i);
        //open input stream for the file on server
        DataInputStream dis = new DataInputStream(new BufferedInputStream
            (uFile.openConnection().getInputStream()));
        //open output stream for the file on local drive
        String sFilenameOnly = sThisURLFile.substring(sThisURLFile.lastIndexOf('/')+1);
        int iDotPos = sFilenameOnly.lastIndexOf(".");
        String sExt;
        if (iDotPos > 0) {
            sExt = sFilenameOnly.substring(iDotPos);
        } else {
            sExt = "";
        }
        File fileOut = new File(sDownloadDir + sThisURLFile.substring(sThisURLFile.lastIndexOf('/')+1) );
        DataOutputStream dos = new DataOutputStream(new
            BufferedOutputStream(new FileOutputStream(fileOut)));
        //read one byte from input stream, and write that byte to output stream
        long nByte = 0;
        int iCnt = 0;
        iFilesizeDone ++;
        while (nByte < iFilesize) {
            String sErrPs = new String();
            try {
                sErrPs = "00";
                byte bt = dis.readByte();
                sErrPs = "01";
                dos.writeByte(bt);
            } catch (EOFException ee) {
                System.err.println("internal EOFException: " + ee.getMessage());
                System.out.println("Error Filesize is " + nByte + " of " + iFilesize + "---" + sErrPs);
                break;
            }
            nByte++;
            iFilesizeDone ++;
            iCnt ++;
            if (iCnt >= 10240) {
                ShowProgress(nByte, iFilesize, iFilesizeDone, iFilesizeTotal); // repaint does not work during init-procedure
                iCnt = 0;
                line = "Progress: Total: " + ((iFilesizeDone*100)/iFilesizeTotal) + " perc, " + iFilesizeTotal/1024 +" kbytes" ;
                labLine.setText(line);
                //dos.flush(); // improves Client performance (Agent-Call!)
            }
        }
        dis.close();
        dos.close();
    }// End try
    catch (EOFException ee) {
        System.err.println("EOFException: " + ee.getMessage());
    }
    catch (SecurityException se) {
        System.err.println("SecurityException: " + se.getMessage());
    }
    catch (IOException ioe) {
        System.err.println("IOException: " + ioe.getMessage());
    }

    perhaps they've changed something with the file blocking.
    btw, you should try to use something like this
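    DataInputStream dis = new DataInputStream(is);  // is: the connection's InputStream
    byte[] buffer = new byte[8192];
    int numBytesRead;
    // read() returns -1 at end of stream; available() can return 0 before the end
    while ((numBytesRead = dis.read(buffer)) != -1) {
         // write buffer[0..numBytesRead) to the output stream here
    }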

  • Load XML file from addon domain without cross-domain Policy file

    Hello.
    Assuming that there are two addon domains on the same server: /public_html/domain1.com       and      /public_html/domain2.com
    I try to load XML file from domain2.com into domain1.com without using cross-domain policy file (since it doesn’t work on xml files in my case).
    So the idea is to use php file in order to load XML and read it back to flash.
    I’ve found some interesting scripts that seem to do the job but unfortunately I can't get them to work. In my opinion there is a problem somewhere in the AS3 part. Please take a look.
    Here are the AS3/PHP scripts:
    AS3 (.swf in www.domain1.com):
    // location of the xml that you would like to load, full http address
    var xmlLoc:String = "http://www.domain2.com/MyFile.xml";
    // location of the php xml grabber file, in relation to the .swf
    var phpLoc:String = "loadXML.php";
    var xml:XML;
    var loader:URLLoader = new URLLoader();
    var request:URLRequest = new URLRequest(phpLoc+"?location="+escape(xmlLoc) );
    loader.addEventListener(Event.COMPLETE, onXMLLoaded);
    loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHandler);
    loader.load(request);
    function onIOErrorHandler(e:IOErrorEvent):void {
        trace("There was an error with the xml file "+e);
    }
    function onXMLLoaded(e:Event):void {
        trace("the rss feed has been loaded");
        xml = new XML(loader.data);
        // set to string, since it is passed back from php as an object
        xml = XML(xml.toString());
        xml_txt.text = xml;
    }
    PHP (loadXML.php in www.domain1.com):
    <?php
    header("Content-type: text/xml");
    $location = "";
    if(isset($_GET["location"])) {
        // URL to fetch, taken directly from the query string
        $location = $_GET["location"];
        $location = urldecode($location);
    }
    $xml_string = getData($location);
    // pass the fetched XML back to Flash
    echo $xml_string;
    //cURLs a URL and returns it
    function getData($query) {
        // create curl resource
        $ch = curl_init();
        // cURL url
        curl_setopt($ch, CURLOPT_URL, $query);
        //Set some necessary params for using CURL
        // (CURLOPT_SSL_VERIFYPEER false turns off TLS certificate verification)
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        //Execute the curl function and keep the response body
        $result = curl_exec($ch);
        // close curl resource to free up system resources
        curl_close($ch);
        return $result;
    }
    ?>

    I think you might be right about permissions/settings on the server for php. Unfortunately I'm not allowed to adjust them.
    So I wrote my own script - this time I used file path instead of http address of the XML file.  It works fine in my case.
    Here it is:
    XML file on domain2.com:
    <?xml version="1.0" encoding="UTF-8"?>
    <gallery>
        <image imagePath="galleries/gallery_1/images/1.jpg" thumbPath="galleries/gallery_1/thumbs/1.jpg" file_name= "1"> </image>
        <image imagePath="galleries/gallery_1/images/2.jpg" thumbPath="galleries/gallery_1/thumbs/2.jpg" file_name= "2"> </image>
        <image imagePath="galleries/gallery_1/images/3.jpg" thumbPath="galleries/gallery_1/thumbs/3.jpg" file_name= "3"> </image>
    </gallery>
    swf  on domain1.com:
    var imagesXML:XML;
    var variables:URLVariables = new URLVariables();
    var varURL:URLRequest = new URLRequest("MyPHPfile.php");
    varURL.method = URLRequestMethod.POST;
    varURL.data = variables;
    var MyLoader:URLLoader = new URLLoader;
    MyLoader.dataFormat =URLLoaderDataFormat.VARIABLES;
    MyLoader.addEventListener(Event.COMPLETE, XMLDone);
    MyLoader.load(varURL);
    function XMLDone(event:Event):void {
        var imported_XML:Object = event.target.data.imported_XML;
        imagesXML = new XML(imported_XML);
        MyTextfield_1.text = imagesXML;
        MyTextfield_2.text = imagesXML.image[0].attribute("thumbPath");  // sample reference to attribute "thumbPath" of the first element
    }
    php file on domain1.com:
    <?php
    $xml_file = simplexml_load_file('../../domain2.com/galleries/gallery_1/MyXMLfile.xml');  // directory to XML file on the same server
    $imported_XML = $xml_file->asXML();
    print "imported_XML=" . $imported_XML;
    ?>
    Regards
    PS: for those who read the above discussion: the first and the second script work but you must test which one is better in your situation. The first script will also work between two domains on different servers. No cross domain policy file needed.

  • Signing Applets with javakey

    Hi All,
    I have an Intranet application that uses a signed applet to access files on the client. It all works fine using JDK1.3 or 1.4 and signing the Applet with keytool.
    I now need to support an older server that only has JDK1.1 available. Does anyone have any tips on how to sign my Applet with javakey?
    Also what JRE version should be installed on the clients?
    Thanks in advance.
    P.S. I have followed the example at http://java.sun.com/security/usingJavakey.html but not got it to work.

    try this..
    http://forums.java.sun.com/thread.jsp?forum=63&thread=132769

  • Sign Applet to write on LPT1 port - permission error

    Hi,
    I have this simple applet
    import java.awt.*;
    import java.applet.*;
    import java.util.*;
    import java.io.*;
    public class TestJavaXp extends Applet {
        public void putJavaArray(String arrayAsAString) {
            int i = 0;
            String s = "Stampa questo testo";
            try {
                // LPT1 is the Windows parallel-port device name
                FileWriter out = new FileWriter("LPT1");
                out.write(s);
                out.flush();
                out.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    I signed the applet but I receive this error:
    uncaught exception: Error calling method on NPObject!
    *[plugin exception: java.security.AccessControlException: access denied (java.ioFilePermission LPT1 write)]*
    It works perfectly only if I grant permissions in the java.policies file.
    Why?
    I've no problem signing applets that write files on disk, I've troubles only with LPT1 port but I need it.
    I tried different browsers.
    Can anyone help me?
    Thanks.

    New findings!
    As the server is running Netware 4.2, is that possible if i just install JVM on the server and problem will be solved?
    J.

  • Problem on runtime enviorment for signed applet

    I am using the Java Media Framework for video capturing. The problem I am facing is that I have to configure the client machine, so I wanted to download a few of the class files which will execute on the client side and then stream the video back to the server. For this I have designed a Java applet. This applet is signed by myself without any external agency, so whenever the application is executed where it was signed it gives no problem, but when a different machine accesses the applet the user is asked for verification of the applet and then an error is thrown stating a class not found exception. So please guide me: while making a signed applet, which packages need to be signed and what is the procedure? Do I have to sign the JMF packages also?

    I have signed applets but not with jmf. Your best bet is to put the applet in a jar and sign the jar. Most java runtimes with a self signed applet will prompt the user and ask the user if they want to grant permission. You probably have to use the java html converter to code your html to force the use of Sun's plugin. I am not sure if you have to sign the jmf jars or they may already be signed.

  • Virtual host & policy files

    1. How to config virtual host in weblogic server?
    2. Is Policy files needed for weblogic cluster?

    1. Virtual host is a new feature in WLAS6.0. It is not in WLAS451 & 510
    2. Every instance in WLAS cluster needs policy file. However, you can use
    share disk and config a global policy file so that every instance can access
    it. Personally, I prefer every instance accesses its own disk
    Hope it helps.
    Cheers - Wei
    "Andy Ping" <[email protected]> wrote in message
    news:[email protected]..
    > 1. How to config virtual host in weblogic server?
    > 2. Is Policy files needed for weblogic cluster?

  • Applet accessing local files under Vista

    I have a signed applet that accesses files on the client machine. This applet is not able to open files when running under Windows Vista (I get an "Access denied" message). I found that in C++ there is a function called GetTempPath, which returns a path to a directory where an OCX control can access files. So here is my question:
    Is there some Java function that will return the path to the directory mentioned above?
    Thanks for your help.

    Sorry, DrClap, but...
    Post 1: "I have a signed applet that accesses files on the client machine. This applet is not able to open files when running under Windows Vista (I get an "Access denied" message)." While he mentions temp files/dirs, that is not, IMO the issue, because...
    Post 6: "Under these OSs [XP, 2000], my applet uses a directory called c:\program files\mydir. This applet is not able to access files in the same directory under Windows Vista, access is denied in this case." The specified directory is not a "temp" dir as typically returned by the system parameters that I've ever seen, so I'm assuming he's using this explicitly. In which case, access is denied writing to it. In which case, it appears to be a signed applet permission issue.
    While the java.io.tmpDir system param may be giving an issue too, that doesn't seem to be the key point in what I'm reading. Otherwise it's not written entirely clearly.
