Unsigned applet and javascript
For various reasons, I need to deploy an unsigned applet which executes some minor javascript. I've been led to believe that the applet need not be signed to do this, but when I try to load my applet, I get the exception at the end of this message.
Commenting out the following line in code makes the exception go away. There is no indication anywhere I can find that this particular javascript call is privileged - so why am I seeing this exception?
code:
JSObject win = (JSObject) JSObject.getWindow(this);
exception:
basic: No certificate info, this is unsigned JAR file.
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.plugin.javascript)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
[...]
Thanks,
Mike Dahmus
mdahmus@potomacfusion.com
[967 byte] By [
mdahmus2a] at [2007-11-27 7:34:25]
# 1
> exception:
>
> basic: No certificate info, this is unsigned JAR
> file.
> java.security.AccessControlException: access denied
> (java.lang.RuntimePermission
> accessClassInPackage.sun.plugin.javascript)
> at
> java.security.AccessControlContext.checkPermission(Unk
> nown Source)
> at
> java.security.AccessController.checkPermission(Unknown
> Source)
This gives code access to classes in packages to which it normally does not have access. Malicious code may use these classes to help in its attempt to compromise security in the system.
So in other words, you are gonna have to sign the applet, unless there is a work around that i don't know about.
Here is a site for signing applets
http://java.sun.com/developer/technicalArticles/Security/Signed/
HTH
:)
Message was edited by:
monk3y
# 2
Yes, but how else can one get the window handle in order to execute javascript? Again, nobody else seems to believe your applet must be signed in order to call javascript methods in the page from which you were launched - but as soon as I try to get the handle to actually DO so, I run into this security wall.
# 3
> Commenting out the following line in code makes the
> exception go away. There is no indication anywhere I
> can find that this particular javascript call is
> privileged - so why am I seeing this exception?
Here an online example
http://64.18.163.122/rgagnon/examples/InJava5.html
You type a Javascript statement and the Applet do an eval() on it.
Works without exception in FF or IE7 with Java 5.
The example is usinga class and not a JAR.
import java.applet.*;
import java.awt.*;
import java.awt.event.*;
import netscape.javascript.*;
public class InJava5 extends Applet implements ActionListener {
Button b;
TextField t;
public void init() {
t = new TextField(20);
add(t);
b = new Button("execute Javascript");
add(b);
b.addActionListener(this);
}
public void actionPerformed(ActionEvent ae) {
if (ae.getSource() == b) {
JSObject win = (JSObject) JSObject.getWindow(this);
win.eval(t.getText());
}
}
}
I think you think you need to sign only if you deal directly with HTML object on the page.
Bye.
RG.
