The Security Problem of RMI-Applet?

Similar Messages

• Security problem when signed applet dynamically load plugins

  Hi!
  I have one problem : "security problem when signed applet dynamically load plugins"
  This is the scenario:
  the main program [app.jar]
  . contain applet and shared library (interface & implement of common class)
  . it is signed and run normally on browser
  . it can draw image loaded from other URL [ex] http://bp1.blogger.com/image.jpg
  . the image loader is in the shared library
  . dynamically load amazon.jar through URLClassLoader and reflection
  the plugin [amazon.jar]
  . search amazon product [ex] Harry Potter book
  . draw image on applet
  . use image loader from shared library, BUT CANNOT LOAD IMAGE
  The question: "Why it cannot load image, because the image loader is in the shared library which has been signed and working?" I tried to sign the amazon.jar too, but it did not work.
  Your reply would be very helpful. Thank you.
  Sovann

  hello. i have create a signed applet for A.jar. A.jar include two package B and C. the main applet class is within B.
  B need some classes in C to run the applet. but i got the error that class in package c are not found.
  what shall i do?

• HT4623 Why isn't Apple talking about the security problem and the iOS software patch?

  Why isn't Apple telling us about the iOS security problem and the software patch?

  There's an iOS security problem already?
  They just issued an iOS update...

• Security Problems with Signed Applet

  Hello All,
  I need help with signed applets.
  I have an applet pkged in a jar that uses other jars. I have signed the jar containing applet and all the other jars being used. However, when I try to run the applet in IE 6.0.xx, I get the following error
  java.lang.ExceptionInInitializerError
       at aaa.aaa.somemethod(xxx.java:192)
       at aaa.aaa.aaa.access$000(xxx.java:27)
       at aaa.aaa.aaa.$1.run(xxx.java:467)
  Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
       at java.lang.System.getProperty(Unknown Source)
       ... 3 moreMy application is using Java 1.4.2.xx.
  Any help or pointers would be greatly appreciated.
  Thanks.

  Thanks harmmeijer and mjparme for your responses.
  I made some changes to my application and it does not now require the system property information. But now I am getting another exception related to class loader.
  I made the changes to the console as suggested by harmmeijer, and here is the stack trace. Also, I am not using any JavaScript explicitly.
  Registered modality listener
  Invoking JS method: document
  Invoking JS method: URL
  Referencing classloader: sun.plugin.ClassLoaderInfo@e0a386, refcount=1
  Loading applet ...
  Initializing applet ...
  Starting applet ...
  java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
       at xxx.xxx.a...<init>(a.java:39)
       at  xxx.xxx.b...<init>(b.java:42)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at java.lang.Class.newInstance0(Unknown Source)
       at java.lang.Class.newInstance(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Exception: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
  java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
       at xxx.xxx.a...ToolBus.<init>(a.java:39)
       at xxx.xxx.b....<init>(b.java:42)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at java.lang.Class.newInstance0(Unknown Source)
       at java.lang.Class.newInstance(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Modality pushed
  Modality poppedmjparme as to your second point, the action is taking place in the same jar only. No other jar is involved at the stage where I am getting exception.
  Thankyou again and will appreciate your help.
  AC

• Problems with RMI tutorials using Tomcat 4.1.24

  Hi
  I have some problem when I try the rmi Hello example tutorial (http://java.sun.com/j2se/1.4.2/docs/guide/rmi/getstart.doc.html)
  When I start rmi server as follows:
  java -Djava.rmi.server.useCodebaseOnly=true -Djava.security.policy=file:E:\Rmi\Hello\mysrc\bin\policy.policy -Djav
  a.rmi.server.codebase=http://127.0.0.1/classes/ examples.hello.HelloImpl
  I got the following errors:
  HelloImpl err: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
  java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
  at java.security.AccessController.checkPermission(AccessController.java:401)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
  at java.lang.SecurityManager.checkConnect(SecurityManager.java:1044)
  at java.net.Socket.connect(Socket.java:420)
  at java.net.Socket.connect(Socket.java:376)
  at java.net.Socket.<init>(Socket.java:291)
  at java.net.Socket.<init>(Socket.java:119)
  at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:22)
  at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:128)
  at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:562)
  at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:185)
  at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:171)
  at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:313)
  at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
  at java.rmi.Naming.rebind(Naming.java:160)
  at examples.hello.HelloImpl.main(HelloImpl.java:67)
  I have granted all permission in the policy file. I have put all the classes in a subfolder call classes just after the Root directoy Can someone enlighten me. Thanks.

  i don't know if it helps but i had the following problem:
  an rmi-component software plus a servlet contacting the system.
  and rmi from the servlet in tomcat did not seem to work ...
  java.rmi.MarshalException: error marshalling arguments; nested exception is:
       java.net.SocketException: Software caused connection abort: socket write error
       at sun.rmi.server.UnicastRef.invoke(Unknown Source)
       at net.metamagix.essence.Agents.DataAgentI_Stub.storeObjects(Unknown Source)
       at net.metamagix.essence.CAgents.ParameterSaviour.save(ParameterSaviour.java:1556)
  finaly i changed back to tomcat 4.0.x but it still was not any better, when i found out that most of the problems resulted from pathnames...
  tomcat 4.1.24 had a problem with pathnames getting too long (2k on win 2000) and tomcat 4.0 produced errors because of the blank in it's path name "Tomcat 4.0" so i made a new installation with C:\Tomcat4 as home directory and - what a surprise - things turned out fine and rmi worked.

• SAP ERP Security Problems

  Hello,
  We are searching and investigating the security problems and needs in SAP Systems (the NetWeaver and R3).
  We are looking for vulnerabilities from the network level up to the application and SAP-GUI level.
  We would like to hear and learn from users on case studies and problems that occurred during implementing and running the SAP systems.
  We would appreciate if you could contact us for further details.
  Thank you.
  <Contact information removed by forum moderator>
  Message was edited by: Christian Wippermann

  Dear Alon,
  Thank you for your interest in SAP Security. You are very welcome to investigate product security and to share your results with SAP ([email protected]). But this is exactly the place where SAP users should report security problems they may find. They should not report to other companies! That is why I removed your contact information and closed this thread.
  To make myself clear: Please report security problems directly to [email protected] My collegues there will support to solve the issues.
  Best regards,
  Christian

• Security problem on below left side screen dont exist

  How can I remove the "security problem"on the below left side screen my phone lenovo A806
  PLSE HELP ME

  hannahhfoskett wrote:
   I would gladly upgrade to the next model if my contract was due!
  This has no impact on the ability to purchase a new iPhone... it simply means that the newer one will not be at a fully subsidized price.
  You could always take it to Apple and do an Out of Warranty exchange (I'm assuming the device is out of warranty) for $149 US.

• Will the security update be available for IOS 6?

  Will the security update be available for IOS 6?

  linrey wrote:
  Not so - Apple says they have release iOS 6.1.6 to address the security problem. However no one seems to know how to get it since every request for an update only offers iOS 7. Very strange...
  Nothing strange about it.  iOS update only allows the installation of the latest release based on the hardware it detects you are using.  The 6.1.6 update is only available to those devices that CANNOT run iOS 7, like the iPhone 3Gs.  For any device capable of running iOS 7, the iOS update system will ONLY offer the option of updating to iOS 7.0.6, regardless of whether the device is still running iOS 6 at the time you try to update it.
  That is how the iOS update system has always worked - you simply cannot update to a lesser iOS release then the most recent for your particular hardware.

• Please help me regarding RMI Applet Application?

  Hi Friends..
  Please help me describe the work-flow of RMI Applet Application..
  Currently, i use Java Card 2.2.1.. In the package Java Card 2.2.1 there's an example of RMI Applet Application..
  in that RMI Applet Application there are 3 Java files, namely :
  1. public interface Purse extends Remote
  2. public class PurseImpl extends CardRemoteObject implements Purse
  3. public class PurseApplet extends Applet
  There's also RMIDemo.opt file.. and in the contain of that RMIDemo.opt file, there's only PurseApplet class that would be converted to CAP file..
  so, what is the use of Purse Interface and PurseImp class?.. and how to use both of them?..
  Please help me regarding this..
  Thanks in advance..

  Hi Shane, thanks for clarifying that.. :).. Ok. i'm going to learn hard..
  Sorry, i've a doubt regarding this thread ..
  In that thread, that's mentioned purse.jar containing :
  - Purse.class
  - PurseApplet.class
  - PurseImpl_Stub.class
  - PurseImpl.class
  The only class that i'm wondering is PurseImpl_Stub.class..
  Why this class required, whereas i don't found it in the RMIDemo application that shipped with JCDK 2.2.1, and JCDK 2.2.2 as well..
  I've tried to create other Java Card RMI Application, but it requires the "Stub" class..
  Here's the error message :
  java.rmi.StubNotFoundException: com.latihan.rmi.DataMahasiswaImpl_Stub
       at com.sun.javacard.ocfrmiclientimpl.JCCardObjectFactory.getRemoteObject(Unknown Source)
       at com.sun.javacard.javax.smartcard.rmiclient.CardObjectFactory.getObject(Unknown Source)
       at com.sun.javacard.javax.smartcard.rmiclient.JavaCardRMIConnect.getInitialReference(Unknown Source)
       at testRMIClient.DataMahasiswaClient.main(DataMahasiswaClient.java:43)How to create and what's the contain of that "Stub" class?..
  Can i know the source code of PurseImpl_Stub.java file?..
  Thanks in advance..
  Edited by: Leonardo_Carreira on Apr 13, 2010 8:27 PM

• Latest mail security problems

  There we were thinking that the switch to Critical Path would solve the security problems of BT Yahoo mail.  It appears not:
  http://www.theregister.co.uk/2014/03/13/bt_likely_to_have_breached_data_protection_act_after_email_a...

  The Backup likely would only help if it were a full Backup of the OS.
  Try these 2 1st...
  Using Disk Utility in Mac OS X 10.4.3 or later to verify or repair disks...
  http://docs.info.apple.com/article.html?artnum=302672
  About Disk Utility's Repair Disk Permissions feature...
  http://docs.info.apple.com/article.html?artnum=25751

• Login security problem during fast user switching

  Here are the steps to reproduce the security problem I'm seeing on my system:
  1) Users A and B are logged in.
  2) User A was the last user and user A put the system to sleep.
  3) User B wakes the computer from sleep and sees the login prompt asking for user A's password.
  4) Instead of clicking "Switch Users," user B enters his username into the username field (where user A's is already provided) and user B enters his password.
  5) User B then goes to user A's account.
  In short, user B is getting into user A's account. More about my particular setup: I have two accounts on the computer, one for work and one for personal use. Though they're both mine, the accounts have different usernames, long names and passwords. Both are administrator accounts. The above isn't reproducible with a standard user account, only administrator accounts.
  I created a third administrator account and tried the same steps to get access to an account. The third admin account could also be sent into the last user's account (the user who put the system to sleep). A new standard account could not.
  I'm guessing this is something peculiar to my setup, but can anyone else reproduce this on their system? Or it could be my search didn't pull up a thread where this is already discussed.
  thanks in advance,
  jody

  Joseph Tate wrote:
  Both are administrator accounts.
  That's why.
  This is a well known phenomenon. It isn't a bug. Admin users pretty much own the machine, they can do anything they want with their own admin password.
  It is not a good idea to use an admin account for everyday use because it introduces security risks. Admin accounts should only be logged into for admin purposes. I recomment keeping your newly created admin account, and changing your other two accounts to standard, and then continue using them normally. This is a much more secure setup, it is what Apple recommends, and will solve the "problem" of User A unlocking User B's screen and vice versa.
  Even when you need to do an admin task like installing software, there's no need to actually log in to the admin account. You can do this from either of your non-admin accounts simply by entering the admin username/password when prompted. I do admin and even root tasks from my non-admin account this way all the time. It has been months since I actually logged in to my admin account.

• Opening and closing a frame from an applet security problem

  can I open a frame or a window from an applet and close the frame by using
  System.exit(0) for the frame or will it throw a security problem.

  I am using system.exit(0) to exit the JVM.
  dispose()
  Releases all of the native screen resources used by this Window, its subcomponents, and all of its owned children. That is, the resources for these Components will be destroyed, any memory they consume will be returned to the OS, and they will be marked as undisplayable.
  If this frame have to be close and open again don't use dispose.
  there is no check whether a frame is active? what you can do is set the the new frame to null (frame = null) and also when you dispose it, this will let you know if the frame is active or not.
  Noah

• Applet problem with FileWriter() (security problem?)

  btBut1.addActionListener(new ActionListener()
     public void actionPerformed(ActionEvent e)
         FilePermission perm = new FilePermission("<<ALL FILES>>" , "write");
        try {
              FileWriter outputStream = null;
              outputStream = new FileWriter("./bandiere/testouno.txt");
         catch (IOException eX) {
     });This is a bit of code from an APPLET which I'm working on. The code does not work...
  I smell it is a security problem, but I'm not sure...

  You are trying to write to the local file system which is not allowed unless the applet is signed.
  Unless you think you are trying to write to the server, in which case, you can't do that with FileWriters. You'd have to make a connection to the server via a socket or URLConnection or something to pass the data over.

• Signed applets in 1.4.1: non-trust ignored: severe security problem?

  Hello all,
  I am signing applets with a developer certificate.
  Until know everything worked fine with Plugin 1.3.1.
  Know I changed to Plugin 1.4.1 and encountered a strange behaviour: When I open the HTML page with a browser (tried IE 5.5 and Mozilla 1.1) the certificate-question pops up. The problem: if I choose not to trust the certificate, the applets starts nevertheless and I can use the system clipboard inside my Applet (for what applets needs to be signed)!
  This looks like a severe security problem!
  Does anyone know anything about this? Can you reproduce this?
  thanx!
  Marcus

  Hi,
  I tried to reproduce what you said with plugin 1.4.0 (I don't have 1.4.1 yet) and IE6.0 (It doesn't have anything to do with the browser)
  My Java console said :
  "User has denied the priviledges to the code
  writeFile: caught security exception"
  The security seems to work OK in 1.4.0.
  I will have to try 1.4.1.
  Patrick

• Applet security problems while connecting with database

  i hav problem in the japplet connecting with sql database
  it gives security access denied error while running program as my driver is jdbc:odbc:bridge driver
  so for resolving this error how can i turn off security of applet and also which security permission to be change?
  plz reply

  baftos wrote:
  Maybe I should question the need to access a local database on the client PC.
  But anyway, the normal way to obtain security clearance is to use a signed applet.
  Another possibility is to grant the applet all permissions by modifying the security policy file of each client to grant your applet 'all permissions'. Note that in this case you must have access to each and every client PC or ask them to do so before running the applet.Database access at client's machine is ridiculous. I doubt this is what OP wants.
  @OP: request you to post the original security issue and the environment details.
  Thanks,
  Mrityunjoy