Applets, Policy Files, jar signing, JNI, etc
Hi,
I need an Applet to be able to connect to sockets and use some JNI. Hence, as far as I can tell, I need to use a Policy File. In a standalone application, I have written my policy file and tried it out by switching on the security manager. However, I am not sure how I do this with an applet.
I have read many examples of Jar signing, yet every example uses appletviewer and the -J-Djava.security.policy to show the security policy in action.
However I want this to work through a normal browser, so how do I achieve this?
Do I specify a URL to the java.security.file in the embed/object/applet tags in the HTML?
Do I put the policy file in the jar and reference it via the Manifest?
Any ideas much appreciated,
John B
[766 byte] By [magzya] at [2007-9-29 21:13:33]

I wondered this too, so I tried using a signed jar and not worrying about the policy file.
Hey, guess what, my signed jar works: when a user downloads it from the web page, they click agree to the signed jar and it works, accessing the client's hardware.
Try it, you'll like it.
I've done this (an applet able to connect to sockets), and you do not need to sign if it is connecting to the server.
Well, I've tried signing an applet, but that still doesn't work. However, this is so ridiculous, as no one seems to know how to apply a policy to an applet without
(i) Altering your default policy in your JVM installation,
(ii) Using appletviewer -J-Djava.security.policy=policyfile
Also, I have shared libraries that I'd like to run. Therefore where would these go in the Applet jar? It seems to me that I want to set environment variables before the applet starts, but I don't know how to do this.
I can't believe there isn't more documentation on this subject.
John
How about you post some error messages from the java console? There might be a clear hint as to what the problem is if someone else looks at it.
>>>Well I've tried signing an applet, but that still doesn't work
Doesn't work in what way? Error messages please.
The standard AccessControlException:
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
at java.lang.ClassLoader.getParent(ClassLoader.java:701)
Or something like that.
That's what I'm trying to solve, I wish to use the Java Security Policy system to allow my applet access to various resources, such as writing files. Now I've seen that signing an applet will give it full access (in my view, this is rather insecure, but anyway), however following the steps to sign an applet two or three times has still presented me with the same problem. The signing is ignored, and the exception is thrown.
Applet signing aside, I fail to see any documentation stating how the policy file is used by the VM when running on a browser. I assumed it might be an entry in the Jar's manifest file, but again, I can find no documentation.
It's all very annoying, and Sun have done quite a bad job at documenting this. For example, their example talks about -D-Jjava.security.policy=.... being passed to appletviewer. Who on earth uses appletviewer! If policies only work with that, then they are useless. I want them to work with whatever browser the applet is being run within.
Surely this isn't too much to ask? :)
Although I'm beginning to conclude that no major browser supports policy files on a 'per applet' basis. Which is a shame.
Once you've done the tutorial on signing applets allowing the applet to write a file, you'll find it a breeze to sign another.
http://java.sun.com/security/codesign/index.html
This site is down for the moment, but that is where I learned how to sign.
Don't worry so much about the policy file, as when a user clicks that they agree on the signed certificate, the privileges are then granted.
Steps to sign a jar:
1) jar all classes
2) keytool to create a store
3) jarsigner to sign jar
Hey, you're done. :)
It's not the JNI. It is the confusion surrounding policy files, that are not actually currently used by web browsers. Sun needs to document this properly. By using the appletviewer example, it's confusing.
Also, appletviewer didn't work on my HTML (which is perfectly valid).
Konqueror (KDE, Linux) didn't want to trust my applet (which does surprise me).
But Mozilla did. And so did IE.
My problem is now totally different, how to replace the classloader so I can override findLibrary :-)
//Konqueror (KDE, Linux) didn't want to trust my applet (which does surprise me).
///But Mozilla did. And so did IE.
Were these browsers on different computers?
When I installed certificates on the server, applets, I had to manually update the root certificate for Java on the server.
The root certificate from Equifax was not up to date in Java 1.4.2 (using Red Hat 8).
Does this help?
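
An added example (not written by any poster in this thread, and not taken from Sun's documentation): a policy entry scoped to what the applet in the thread is described as needing, namely a socket connection, a JNI library, file writes, and the getClassLoader permission from the stack trace. It sits beside the grant-everything entry that approximates what accepting a signed applet hands over. The keystore path, the alias appletkey, the codeBase URL, the host and port, the library name and the data directory are all assumed placeholders.

```java-policy
// Constructed example policy file. Every path, alias, URL, host and
// library name below is a placeholder, not a value from the thread.

// Keystore holding the certificate whose alias is used in signedBy.
keystore "file:///home/john/applet-keystore.jks", "JKS";

// BROAD (shown commented out): roughly what a user grants by clicking
// "agree" on a signed applet. Any code signed with this key may do
// anything the user account can do.
//
// grant signedBy "appletkey" {
//     permission java.security.AllPermission;
// };

// SCOPED: only code that is BOTH signed by "appletkey" AND loaded from
// this exact jar URL receives these permissions, and nothing else.
grant signedBy "appletkey",
      codeBase "http://applets.example.com/app/myapplet.jar" {

    // Socket access to one host and port instead of any host.
    permission java.net.SocketPermission
        "backend.example.com:5000", "connect,resolve";

    // JNI: allows System.loadLibrary("mynative") and no other library.
    permission java.lang.RuntimePermission "loadLibrary.mynative";

    // The permission named in the AccessControlException above.
    permission java.lang.RuntimePermission "getClassLoader";

    // File writes confined to one directory tree under the user's home.
    // ${user.home} and ${/} are expanded by the policy file parser.
    permission java.io.FilePermission
        "${user.home}${/}appletdata${/}-", "read,write";
};
```

An entry like this only takes effect in a policy file the JVM already reads, such as the one passed with -Djava.security.policy as in the thread, or the per-user `${user.home}/.java.policy` file.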