Wwsbr_api.add_folder and grant access/

Similar Messages

• Grant access to application

  Hi All,
  I am working with Olite 10gR2;
  I created and deployed my application with data subsetting parameter using wtgpack; I published the application successfully.
  I then created a group and granted access to my application to the group.
  I created user's and added the users to the group. This worked fine last week in dev and I was able to add all 90 users to the group.
  Problem: I was able to add two users now; when I tried adding a third user I got this error message -
  "Error in executing " Save application ":oracle.lite.web.resource.ResourceException: CONS-10049: Consolidator Exception: Closed Statement "
  When I tried granting access to my application, to individual users as an alternative to adding users to group with access to the application, I get this error;
  Error Message: "Virtual Path Is Null"
  I will appreciate any solution on this error message. I need to be able to add more users to the group.
  Thanks for your time.

  I created a servlet filter for faces-servlet
  Don't map filter to servlet.
  Use URL mapping, something like:
    <filter-mapping>
      <filter-name>YourFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
  Also have a question about ReadOnlySQLAuthenticator. Mentioning sensitive queries like query to get the password of the user from the table etc, is it secure? will it lead to any type of security threat like if a user get access to console and get the query etc?
  Your sql queries shouldn't be 'sensitive'
  Best practice is to store secure hash(for example: SHA1 or better) instead of encrypted password.
  (ReadOnly)SQLAuthenticator can use encrypted passwords or secure hash(check Provider Specific Configuration). To make this to work, you will need to create secure hash and append {ALGORITHM_TYPE} to begin of hash.
  For example: {SHA1}asdsijifndfbj=
  And of course, you need to protect your WLS admin console(and enterprise manager, if deployed).
  Use strong admin password and restrict access to console url (if possible).
  Dario

• Grant access to users from different Domains

  Hi,
  Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
  in our AD to add groups from other companie's domain:DomainB, totally different Forest. There is a two way trust setup between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
  The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
  Problem came when we applied Audience targetting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
  suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
  Please suggest how we can resolve audience targeting issue?
  Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

  My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
  Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Update to IOS 6 has been a nightmare. Facebook would allow me to save pictures unless I granted access to my foto album. Does this mean my pictures are going be planted all over the web? The safari keeps crashing and loading is slow.

  update to IOS 6 has been a nightmare. Facebook would allow me to save pictures unless I granted access to my foto album. Does this mean my pictures are going be planted all over the web? The safari keeps crashing and loading is slow. Most infuriating is that YouTube was deleted from my entertainment apps and I now have to pay for it if I want it back!! This is a bloody disgrace.

  Back up all data.
  Boot into Recovery by holding down the key combination command-R at the startup chime. Release the keys when you see a gray screen with a spinning dial.
  Note: You need an always-on Ethernet or Wi-Fi connection to the Internet to use Recovery. It won’t work with USB or PPPoE modems, or with proxy servers, or with networks that require a certificate for authentication.
  When the OS X Utilities screen appears, follow the prompts to reinstall the OS. You don't need to erase the boot volume, and you won't need your backup unless something goes wrong. If your Mac was upgraded from an older version of OS X, you’ll need the Apple ID and password you used to upgrade, so make a note of those before you begin.

• Why doesn't Photoshop touch ask for access to local photos on my iPad so I can grant access and edit?

  Why doesn't Photoshop touch ask for access to local photos on my iPad so I can grant access and edit?

  That's odd. Does this mean that you want to have the request or that you can't see the photos even though you enabled it over the privacy/photos?
  If you enable it - it's not necessary to get the request. If you want the request the safest way to get it back is to reset the privacy settings by going to iPad settings/General/Reset/Reset Location & Privacy
  thanks,
  Ignacio

• How am I to be able a user to grant access only to see a procedure / function without execute,compile,edit and drop?

  how am I to be able a user to grant access only to see a procedure / function without execute,compile,edit and drop?

  Sorry GregV but thank you, are you sure you can only be done by setting a PC? Can not by giving them certain privileges of a PC?
  PL \ SQL that we use a portable version.
  So actually like this, user A is only used by the X, user A wants to provide read-only access to user B is only used by Y (another PC) to the procedures / functions held user A. How do you?

• Grant Access to folder for everyone - URGENT!!!!

  I've created a folder with the "wwsbr_api.add_folder" function, and I want to add privileges to another group or user. The problem arises when a user, different from the one who created the folder, tries to access to the documents contained in that folder. He/she won't be able to access this documents as there is no grant access for them.
  Can I give a grant access in that folder to another group or user with another API function?
  Version Portal 3.0.9.8.0
  It is very urgent so I would appreciate some help from you,
  Thanks in advance
  kind regards,
  Enrique

  Just a suggestion:
  This question has been asked several times on this forum, and there are some good answers out there. Please try to use the search function before posting a question.
  Hint: search on the the word "privilege".

• Sql server grants access to specific login to database.

  i have created website for intranet and hosted it on server. for that i needed to create login "IIS APPPOOL\hi" in sql server 2008 for my application
  to access my "reportdb" database. "IIS APPPOOL\hi" has sysadmin and public server roles in sql server 2008. And i have default login"sa" same
  as "IIS APPPOOL\hi". these are working correctly. Now I want these two logins to access"reportdb" for all
  operations in database and remaining all logins should be denied to access"reportdb". My Sql Server 2008 is having mixed mode (windows authentication and Sql authentication). plz help me

  I think what Tauseef is requesting is to keep access for the 2 sysadmins & deny access to everyone else, correct?
  As Uri mentioned, by being part of sysadmin role, “IIS APPPOOL\hi” & “sa” would have access to everything in the server, and nobody else should have access to the DB unless explicitly being granted access.
  If you would really deny anyone else access to the database, you can potentially deny connect to public, and only sysadmins (who override permissions) would be able to connect; although I would strongly recommend against such practice.
  Something else I would like to recommend against is the usage of sysadmin for what may not be a DBA role (IIS appPool). Following the least-privilege principle, I would recommend having a non-administrator user for applications that has enough capabilities
  to perform the tasks needed.
  The main risk is that a SQL injection (SQLi) bug in your application would lead to a complete compromise of your SQL server.
  If there are app tasks that would require elevated permissions, I would recommend encapsulating the logic in a stored procedure and either use impersonation or digital signatures to accomplish a controlled elevation of privileges instead. If you have any
  question on this topic I will be glad to assist.
  I hope this information helps,
  -Raul Garcia
   SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Need help understanding MS SQL Server 2008R2 and Report Builder 3.0 and user access / priviledges.

  Having Problems with connections and access.  I have spent the last 2 days reading various threads regarding SQL Reporting Services pertaining to access and connections.
  First, let me explain what I have done to date.
  1)  I am using Windows 7 - Home Premium.
  2)  I downloaded and installed MS SQL Server 2008 R2 Express.  This was successful.
  3)  I downloaded Report Server 3.0 - This was successful.
  4)  In IE, I tried logging onto http://servername/reports, but this failed.  After logging into IE
  via ' Run Administrator', I was able to access URL.  
         Next, I updated the security / trust sites as explained in the
  threads
  Next, I went to Folder Setting and added my user name and granted all roles (Browser,
  Content Manager, My
  Reports, Publisher and Report Builder).
  5)  Now, I can log into Http://servername/reports using my normal windows 7 user account.
  6)  Next, I opened Report Builder 3.0.  However, I am having trouble connecting to report  
  server.  I tried connecting with
  http://servername/reports, but this failed. 
         However, If I change URL to http://servername/reportserver, it works.  BUT NOW, I have
  another problem.  When I
  execute the RUN button to create report, I get a  permission
  error.  "PERMISSION GRANTED TO USER ARE
  INSUFFICIENT FOR  PERFORMING THIS OPERATION".
  7)  Finally, I can not save reports to http://servername/reportserver when I select "Recent
  Site and Servers".  ERROR
  MESSAGE:  UNABLE TO OPEN OR SAVE REPORT
  8)  In my Reporting Services Configuration Manager:
  Web URL = http://servername:80/ReportServer
  Report Manager URL = http://servername:80/reports.
              What is strange, the Report Manager URL works for IE URL and WEB URL works for
  Report Builder connect (Even though it really does not work). 
  THREE QUESTIONS:
  1)  What URL should I use to connect in Report Builder.  
  2)  How do I update my normal Windows 7 user so I can run reports when I connect to report
  builder.        
  3)  How can I save my reports so they are displayed in IE Reporting services.  Note:  I was
  able to save report to
  documents folder and import into IE Reporting Services.
  4)  And finally, is it possible to add report builder 3.0 as a tab in my IE Reporting Services.  I
  save seen samples of Reporting Services screens where the instructor has Report Builder
  tab.
  Thanks
  Dan

  To answer question 1... it should connect through /ReportServer
  http://bretstateham.com/reporting-services-architecture-diagram%E2%80%A6/
  Report Builder 3.0 is not a web application, it is a client side application can be used using the click-once or downloaded from Microsoft's website.  If you are having issues, you might download and install it and try running it as an administrator.

• Send As, Send on Behalf and Full Access for Exchange server 2010/2013

  [This FAQ contains 2 parts]
  Testing and watching the behavior of Send As, Send On Behalf and Full Access permission.
  Common issue and Troubleshooting on the three permission.
  [Testing and Watching]
  Based on following blog, I decide to test on my lab:
  Full Mailbox Access Rights + Send On Behalf = Send As ?
  http://blogs.technet.com/b/ehlro/archive/2012/04/06/full-mailbox-access-rights-send-on-behalf-send-as.aspx
  Description on my lab and test:
  Exchange 2010 + Outlook 2010
  Exchange 2013 + Outlook 2013
  Senders: A01, A02, … , A07, A08
  Recipient: A09
  A01 grand permission to other senders.
  Two methods:
  a. Use A0x’s credential configure A01’s profile, then send From both A01 and A0x via Outlook. Watching result in A09’s Inbox and Sent Items which has message copy left.
  b. Use A0x’s credential configure A0x’s profile, then send From both A01 and A0x via Outlook. Watching result in A09’s Inbox and Sent Items which has message copy left.
  Result as following forms:
  1. Exchange 2010 + Outlook 2010 / Exchange 2013 + Outlook 2013
  Using A0x’s credential configure A01’s mailbox, then send From both A01 and A0x
  To A09.
  2. Exchange 2010 + Outlook 2010 / Exchange 2013 + Outlook 2013
  Using A0x’s credential configure A0x’s mailbox, then send From both A01 and A0x
  To A09.
  [Common Issue]
  1. [Issue]
  Exchange 2010 + Outlook 2010. A01 grand A03 Send As permission. However A03 can’t send as A01 to A09 and get NDR:
  You can’t send a message on behalf of this user unless you have permission to do so. Please make sure you’re sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.
  Details as following pic:
  [Troubleshooting]
  1) Based on the NDR, it seems a permission issue. Check Send As permission, however the Send As permission configured correctly. Pic as below:
  2) ince the Send As permission configured correctly, it seems the permission hasn’t been replicated. Try to restart Microsoft Exchange Information Store service. It works.
  Note: The Send As permission isn’t granted until after replication has occurred. Replication times depend on your Exchange and network configuration. To grant the permission immediately, stop and then restart the Microsoft Exchange Information
  Store service.
  2. [Issue]
  Exchange 2013 + Outlook 2013. A01 grand A03 Send As permission. However A03 can’t send as A01 to A09 and get NDR:
  Your message did not reach some or all of the intended recipients.
  Subject: xxx
  Sent: xx/xx/2014 8:20 AM
  The following recipient(s) cannot be reached: A09
  This message could not be sent. Try sending the message again later, or contact your network administrator. Error is [0x80070005-00000000-00000000].
  Details as below:
  [Troubleshooting]
  1) Also check the Send As permission configuration first.
  2) Then try to use A03 send as A01 to A09 via OWA. If OWA works well, it seems and issue on the Outlook client side.
  3) This behavior may occur if the OAB in Outlook isn’t updated. Try to download OAB manually.
  4) If doesn’t work, please close Outlook and try to delete all the OAB folder on your computer. The path of OAB folder in Win7, Win8 as below:
  \Users\<UserName>\AppData\Local\Microsoft\Outlook\Offline Address Books
  5) Restart Outlook.
  Note: Be aware that you cannot send e-mail messages on behalf of a mailbox if the mailbox is hidden from address list. When sending a message, Exchange requires that e-mail address is resolved in the
  From field.
  3. [Issue]
  Exchange 2010. A01 grant A0x “Send As” or “Send on Behalf” permission. A0x send as/ send on behalf of A01. The message is only copied to the Sent Items folder in A0x’s mailbox (same as the result of my test). Also cannot configure Exchange 2010 so that the
  message is copied to the Sent Items folder of both A01 and A0x.
  [Troubleshooting]
  This issue occurs because Exchange server 2010 was designed to copy message to the Sent Items folder of the sender only. This issue can be solved by installing Exchange 2010 SP2 UR4. More details in the following KB:
  Messages that are sent by using the "Send As" and "Send on behalf" permissions are copied only to the Sent Items folder of the sender in an Exchange Server 2010 environment
  http://support.microsoft.com/kb/2632409/en-us
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Nice guide Mavis, I recently explored the same topic. Few things you might want to add is the type of connectivity (Cached vs Online will produce different results) and to expand further on the methods of adding the other mailbox in Outlook (additional mailbox
  vs additional account defaults to different methods). Check the screenshot:
  And please post this somewhere more visible, like blog/wiki page.

• Grant access to all the views created in user schema to another schema

  How to grant access for all the views created in own HAGGIS schema to comqdhb schema on the HAGGIS database.
  Oracle Grant Privileges
  ===============
  Object privileges assign the right to perform a particular operation on a specific object
  I read that we can use select 'grant select on' ||view_name||'HAGGIS' user_views where owner='COMQDHB'
  Is this right
  Oracle System Privileges
  ===============
  System privileges should be used in only cases where security isnt important,because a single grant statement could remove all security from the table
  Role based security
  ============
  Role security allows you to gather related grants into a collection-since the role is a predefined collection of privileges that are grouped together.privileges are easier to assign to users.
  [http://www.dba-oracle.com/art_builder_grant_sec.htm]
  can we grant select update to all the views at a time to the other schema.
  Are there any other ways to secure the data other than creating users and assigning roles.
  Thank you
  Edited by: Trooper on Dec 23, 2008 9:24 AM

  I think what was suggested was that you use SQL to generate the grants on each and every view, that is, you use SQL to generate SQL where the SQL being generated is "grant select on view_name to role'"
  If you users to connect to Oracle you have to create usernames for them though if the users only connect via an application the application might run just as one user and access to the application is controled via application security. The control on the application can be via Directory Services such as OID or MS Active Directory. User access to Oracle can also be controlled via OID.
  To connect to Oracle you can use OS authenication (not recommended), usernames with passwords, or via Advanced Security Option which supports single sign-on products like Kebros or Oracle Internet Directory etc....
  Example using SQL to generate SQL
  How do I find out which users have the rights, or privileges, to access a given object ?
  http://www.jlcomp.demon.co.uk/faq/privileges.html
  HTH -- Mark D Powell --

• Create new page using wwsbr_api.add_folder.

  Hi,
  When i try and create a new page and assign values to custom parameters using the API mentioned above i receive the following error:
  ORA-20100:
  ORA-06512: at "PORTAL.WWSBR_STDERR", line 45
  ORA-06512: at "PORTAL.WWPOB_API_PAGE", line 5818
  ORA-01403: no data found.
  This is the code that i am using:
  Pass in the following parameters to procedure:
  p_site_id in number,
       p_parent_id in number,
       p_f_type_id in number,
       p_f_type_caid in number,
       p_name in varchar2,
       p_title in varchar2
  declare
  folder_id NUMBER;
  l_attributes_ids Portal.wwsbr_type.array;
  l_attribute_caids Portal.wwsbr_type.array;
  l_attributes_data_type Portal.wwsbr_type.array;
  l_attributes_values Portal.wwsbr_type.array;
  BEGIN
  --build up the custom attributes arrays to assign to the page
  l_attributes_ids(1) := 1222;
  l_attribute_caids(1) := 36;
  l_attributes_data_type(1) := 'boolean';
  l_attributes_values(1) := '1';          
  l_attributes_ids(2) := 1031;
  l_attribute_caids(2) := 36;
  l_attributes_data_type(2) := 'text';
  l_attributes_values(2) := 'test';
  folder_id := wwsbr_api.add_folder(
            p_caid => p_site_id,
            p_parent_id => p_parent_id,
            p_name => p_name,
            p_display_name => p_title,
            p_type_id => p_f_type_id,
            p_type_caid => p_f_type_caid,
            p_attribute_id => l_attributes_ids,
            p_attribute_caid => l_attribute_caids,
            p_attribute_data_type => l_attributes_data_type,
            p_attribute_value => l_attributes_values
  RETURN folder_id;
  EXCEPTION
  WHEN NO_DATA_FOUND THEN
       dbms_output.put_line(substr(sqlerrm,1,500));
  return -1;
       when wwsbr_api.INVALID_NAME then
       dbms_output.put_line('INVALID_NAME');
       return -1;
       when wwsbr_api.DUPLICATE_NAME then
       dbms_output.put_line('duplicate name');
       return -1;
       when wwsbr_api.MISSING_NAME then
       dbms_output.put_line('MISSING_NAME');
       return -1;
       when wwsbr_api.MISSING_DISPLAY_NAME then
       dbms_output.put_line('MISSING_DISPLAY_NAME');
       return -1;
       when wwsbr_api.NAME_TOO_LONG then
       dbms_output.put_line('NAME_TOO_LONG');
       return -1;
       when wwsbr_api.URL_REQUIRED then
       dbms_output.put_line('URL_REQUIRED');
       return -1;
       when wwsbr_api.PLSQL_REQUIRED then
       dbms_output.put_line('PLSQL_REQUIRED');
       return -1;
       when wwsbr_api.INVALID_PLSQL_EXECUTE_USER then
       dbms_output.put_line('INVALID_PLSQL_EXECUTE_USER');
       return -1;
       when wwsbr_api.MISSING_PLSQL_EXECUTE_USER then
       dbms_output.put_line('MISSING_PLSQL_EXECUTE_USER');
       return -1;
       when wwsbr_api.INVALID_FOLDER then
       dbms_output.put_line('INVALID_FOLDER');
       return -1;
       WHEN OTHERS THEN
       dbms_output.put_line(substr(sqlerrm,1,500));
       return -1;
  Any help would be appriciated.

  Did you ever figure out your issue? I'm having the same issue after I try to set attributes.

• Granting access to SharePoint Designer on a SubSite but not the Site Collection

  Is it safe in SharePoint 2010 to give a user the ability to use SharePoint Designer on a SubSite of a Site Collection and not give them permission, other than Visitor access, to the root Site Collection (Parent Site collection)?
  Most importantly, I want to make sure the only damage a user can do is to their own subsite, and not do anything that will impact the Site Collection. 
  I created a test user and granted it FULL access on a test subsite and only view on the parent site collection and was able to use designer logged in as the test user.  I was able to modify the subsite pages and create workflow.  I was not expecting
  this to work based on the following statement in KB article
  http://support.microsoft.com/kb/2592376
  Overall, an user needs to be a member of one of the following groups at the site collection
  level to be able to use SharePoint Designer and modify SharePoint content:
  - Site Collection Administrators
  - Designers
  - Owners
  Does anyone have any advice on this?
  Thanks!

  I think I just found out why in SharePoint 2010 I'm able to give a user "Designer" permissions on a subsite and "Read"  only permission on the parent Site Collection root site and they can still use SharePoint Designer with
  no permission issues in the subsite.
  http://suehernandez.wordpress.com/2013/02/15/sharepoint-designer-2010-you-do-not-have-permission-to-do-this-operation/
  From the Article: "Turns out the reason for these varying behaviors is this:  In 2007, new sites would automatically inherit their
  master pages from their parents.  If you made no changes to that, it inherited right up to the top.  So it’s looking at the master page from the top, in those circumstances.  And as we’ve seen here, if you don’t have Design permissions to it,
  it doesn’t work.
  In the case of a new 2010 site (just a regular Team Site), the new 2010 behavior is to use the Master Page in the gallery it has in its own site.  And since the user is an Administrator (Full Control) of that
  site, then no problem getting to the Master Page!"
  Does anyone have any experience with this?

• Problem Granting access on Business Area to Role

  Hello everybody,
  I am trying to grant access on a Business Area to a role but when I try to do so, the role does not appear in role list. It only shows role connect and resource.
  The version of Discoverer I am using is 10.1.2.
  Anyone has the same issue?
  Phil
  Message was edited by:
  [email protected]
  Message was edited by:
  [email protected]

  Hello everybody,
  I am trying to grant access on a Business Area to a role but when I try to do so, the role does not appear in role list. It only shows role connect and resource.
  The version of Discoverer I am using is 10.1.2.
  Anyone has the same issue?
  Phil
  Message was edited by:
  [email protected]
  Message was edited by:
  [email protected]

• Why signed and get "access denied (java.io.FilePermission hello.txt read)"?

  I am learning the Java tools and policy to create some local browser application for personal use. So I signed a jar file with jarsigner, keytool and policytool and still trying to figure out why my browser application cannot read a simple local text file.
  My question are
  1. Why use java policy tool (policytool.exe)? If I signed a .jar with keytool and jarsigner, do I really need java policytool to write a policy?
  2. What is the maximum validity days? 365? or more? Do I need to sign again when validity expire?
  3. I don't want any of my local browser application gets to internet but only work with local files (read, write, or execute). how do I do that?
  4. how to use java security policy to grant access to the jar applet? where do I place and import the policy file so the hosting web browser and the applet can work?
  My java applet is a simple class that read a text line from a local file in the same folder, and pass the result to a calling web browser Javascript.
  Currently the result in the web page is the error message below, even though the jar is signed correctly.
  access denied (java.io.FilePermission hello.txt read)
  Someone please help and enlight the newbie!

  leoku wrote:
  I am learning the Java tools and policy to create some local browser application for personal use.Why would you wrap a mostly useless and unhelpful browser window around a Java app. for 'local' use?
  .. So I signed a jar file with jarsigner, keytool and policytool and still trying to figure out why my browser application cannot read a simple local text file.
  My question are
  1. Why use java policy tool (policytool.exe)? If I signed a .jar with keytool and jarsigner, do I really need java policytool to write a policy?No. In fact, don't stuff around with policy files - they are a path to madness.
  2. What is the maximum validity days? 365? or more?Keytool accepts an argument for the number of days to remain valid. I do not believe it has an upper limit, but it might be best to experiment with it and find out for yourself. Please report your findings back.
  (2a) Do I need to sign again when validity expire?No, but the end user gets a huge warning that the certificate has expired. Further, if it was a certificate that was certified by a CA, the 'always trust' check box which used to default to true, would now default to false.
  3. I don't want any of my local browser application gets to internet but only work with local files (read, write, or execute). how do I do that?I am not sure I understand, but if you only offer a JFileChooser for the applet to access resources, that should restrict it to resources off the local file-system. Of course, that would not restrict the end user from downloading something from the internet to their local disks, then accessing it using the applet.
  4. how to use java security policy to grant access to the jar applet? where do I place and import the policy file so the hosting web browser and the applet can work?The only place it will work is in the JRE directories of the end-user's machine. Even if you find a way to install your local policy file, do not go messing with the end-user's policy files.
  My java applet is a simple class that read a text line from a local file in the same folder,.. In the 'same folder' as what? (1)
  ..and pass the result to a calling web browser Javascript. That might be the problem. AFAIR, using JS with trusted applets causes the security to be tightened. Perhaps it could be fixed by calling System.setSecurityManager(null) on applet init(), but I have also seen references to using [AccessController.doPrivileged()|http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html] to wrap the problematic code. I am hazy on the details of how/if that works.
  Currently the result in the web page is the error message below, even though the jar is signed correctly.
  access denied (java.io.FilePermission hello.txt read)
  1) If the answer to my question is what I suspect, there may be better ways to access the resource that are usable even in a sand-boxed app.