Signed Applet - Grant All/No/Always pop up not displayed

Hi,

I've been trying to make the JICA Citrix client work with the JVM. It works well with IE and the Microsoft Java machine, but using Firefox, the applet stops loading, raising an AccessControlException.

I've read in some other forums that writing

grant {
    permission java.lang.RuntimePermission "usePolicy";
};

in the java.policy would prevent the pop up from displaying. But I haven't granted this permission. I really don't understand; the default java.policy and java.security files haven't been modified.

Could anyone help me?

[583 byte] By [guezeg81a] at [2007-10-1 21:24:01]
# 1

Full trace would shed some light on this. I don't know where to find the application data directory in Citrix, but I am sure you'll find it.

To turn the full trace on (Windows) you can start the Java console, to be found here:

C:\Program Files\Java\j2re1.4...\bin\jpicpl32.exe

In the Advanced tab you can fill in something for runtime parameters; fill in this:

-Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect

If you cannot start the Java console, check here:

C:\Documents and Settings\userName\Application Data\Sun\Java\Deployment\deployment.properties

I think for Linux this is somewhere in youruserdir/java (hidden directory)

Add or change the following line:

javaplugin.jre.params=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect

For 1.5:

deployment.javapi.jre.1.5.0_03.args=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect

The trace is here:

C:\Documents and Settings\your user\Application Data\Sun\Java\Deployment\log\plugin...log

I think for Linux this is somewhere in youruserdir/java (hidden directory)

Print out the full trace of the exception:

try{...}catch(Exception e){e.printStackTrace();}

harmmeijera at 2007-7-13 3:19:53
# 2

Here is the trace. Actually it is the French version of the JVM, so some lines are written in French. But most of them are in English. I hope it won't bother you too much.

Thank you.

Plug-in Java(TM): Version 1.4.2_08

Utilisation de la version JRE 1.4.2_08 Java HotSpot(TM) Client VM

Répertoire d'accueil de l'utilisateur = C:\Documents and Settings\guezennecj

Chargement de la configuration du proxy définie par l'utilisateur ...

Terminé

Chargement de la configuration du proxy à partir de Netscape Navigator ...

Erreur lors de la lecture du fichier du registre : C:\Documents and Settings\guezennecj\Application Data\Mozilla\registry.dat

Terminé

Chargement de la configuration du proxy du navigateur ...

Terminé

Configuration du proxy : Configuration du proxy du navigateur

Le cache est activé

Emplacement : C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

Taille maximale : 50 MB

Niveau de compression : 0

Vider les propriétés système...

-

acl.read = +

acl.read.default =

acl.write = +

acl.write.default =

application.home = C:\PROGRA~1\Java\J2RE14~1.2_0

awt.toolkit = sun.awt.windows.WToolkit

browser = sun.plugin

browser.vendor = Sun Microsystems, Inc.

browser.version = 1.1

deployment.system.cacerts = C:\PROGRA~1\Java\J2RE14~1.2_0\lib\security\cacerts

deployment.system.home = C:\WINDOWS\Sun\Java\Deployment

deployment.system.jssecacerts = C:\PROGRA~1\Java\J2RE14~1.2_0\lib\security\cacerts

deployment.system.profile = C:\WINDOWS

deployment.system.security.policy = file:/C:/WINDOWS/Sun/Java/Deployment/security/java.policy

deployment.user.cachedir = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\cache

deployment.user.certs = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\security\deployment.certs

deployment.user.extdir = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\ext

deployment.user.home = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment

deployment.user.jssecerts = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\security\deployment.jssecerts

deployment.user.logdir = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\log

deployment.user.profile = C:\Documents and Settings\guezennecj\Application Data

deployment.user.security.policy = file:/C:/Documents%20and%20Settings/guezennecj/Application%20Data/Sun/Java/Deployment/security/java.policy

deployment.user.tmpdir = C:\Documents and Settings\guezennecj\Application Data\Sun\Java\Deployment\cache\tmp

file.encoding = Cp1252

file.encoding.pkg = sun.io

file.separator = \

file.separator.applet = true

http.agent = Mozilla/4.0 (Windows XP 5.1)

http.auth.serializeRequests = true

https.protocols = SSLv3,SSLv2Hello

java.awt.graphicsenv = sun.awt.Win32GraphicsEnvironment

java.awt.printerjob = sun.awt.windows.WPrinterJob

java.class.path = C:\PROGRA~1\Java\J2RE14~1.2_0\classes

java.class.version = 48.0

java.class.version.applet = true

java.endorsed.dirs = C:\PROGRA~1\Java\J2RE14~1.2_0\lib\endorsed

java.ext.dirs = C:\PROGRA~1\Java\J2RE14~1.2_0\lib\ext

java.home = C:\PROGRA~1\Java\J2RE14~1.2_0

java.io.tmpdir = C:\DOCUME~1\GUEZEN~1\LOCALS~1\Temp\

java.library.path = C:\Program Files\Mozilla Firefox;.;C:\WINDOWS\system32;C:\WINDOWS;C:\Program Files\Mozilla Firefox\;C:\Program Files\Windows Resource Kits\Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

java.protocol.handler.pkgs = sun.plugin.net.protocol|sun.plugin.net.protocol

java.runtime.name = Java(TM) 2 Runtime Environment, Standard Edition

java.runtime.version = 1.4.2_08-b03

java.specification.name = Java Platform API Specification

java.specification.vendor = Sun Microsystems Inc.

java.specification.version = 1.4

java.util.prefs.PreferencesFactory = java.util.prefs.WindowsPreferencesFactory

java.vendor = Sun Microsystems Inc.

java.vendor.applet = true

java.vendor.url = http://java.sun.com/

java.vendor.url.applet = true

java.vendor.url.bug = http://java.sun.com/cgi-bin/bugreport.cgi

java.version = 1.4.2_08

java.version.applet = true

java.vm.info = mixed mode

java.vm.name = Java HotSpot(TM) Client VM

java.vm.specification.name = Java Virtual Machine Specification

java.vm.specification.vendor = Sun Microsystems Inc.

java.vm.specification.version = 1.0

java.vm.vendor = Sun Microsystems Inc.

java.vm.version = 1.4.2_08-b03

javaplugin.console = hide

javaplugin.exception = false

javaplugin.jre.params = -Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect

javaplugin.jre.path = Default

javaplugin.jre.type = Default

javaplugin.maxHeapSize = 96m

javaplugin.nodotversion = 142_08

javaplugin.proxy.config.list =

javaplugin.proxy.config.type = browser

javaplugin.proxy.usebrowsersettings = true

javaplugin.trace = true

javaplugin.trace.option = basic|net|security|ext|liveconnect

javaplugin.version = 1.4.2_08

javaplugin.vm.options = -Djava.class.path=C:\PROGRA~1\Java\J2RE14~1.2_0\classes -Xbootclasspath/a:C:\PROGRA~1\Java\J2RE14~1.2_0\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.4.2_08 -Djavaplugin.nodotversion=142_08 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\J2RE14~1.2_0 -Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect -Djava.protocol.handler.pkgs=sun.plugin.net.protocol

line.separator = \r\n

line.separator.applet = true

os.arch = x86

os.arch.applet = true

os.name = Windows XP

os.name.applet = true

os.version = 5.1

os.version.applet = true

package.restrict.access.netscape = false

package.restrict.access.sun = true

package.restrict.definition.java = true

package.restrict.definition.netscape = true

package.restrict.definition.sun = true

path.separator = ;

path.separator.applet = true

sun.arch.data.model = 32

sun.boot.class.path = C:\PROGRA~1\Java\J2RE14~1.2_0\lib\rt.jar;C:\PROGRA~1\Java\J2RE14~1.2_0\lib\i18n.jar;C:\PROGRA~1\Java\J2RE14~1.2_0\lib\sunrsasign.jar;C:\PROGRA~1\Java\J2RE14~1.2_0\lib\jsse.jar;C:\PROGRA~1\Java\J2RE14~1.2_0\lib\jce.jar;C:\PROGRA~1\Java\J2RE14~1.2_0\lib\charsets.jar;C:\PROGRA~1\Java\J2RE14~1.2_0\classes;C:\PROGRA~1\Java\J2RE14~1.2_0\lib\plugin.jar

sun.boot.library.path = C:\PROGRA~1\Java\J2RE14~1.2_0\bin

sun.cpu.endian = little

sun.cpu.isalist = pentium i486 i386

sun.io.unicode.encoding = UnicodeLittle

sun.java2d.fontpath =

sun.net.client.defaultConnectTimeout = 120000

sun.os.patch.level = Service Pack 2

trustProxy = true

user.country = FR

user.dir = C:\Program Files\Mozilla Firefox

user.home = C:\Documents and Settings\guezennecj

user.language = fr

user.name = Guezennecj

user.timezone =

user.variant =

-

Terminé

-

c:effacer la fenêtre de la console

f:finaliser les objets de la file d'attente de finalisation

g:libérer la mémoire

h:afficher ce message d'aide

l:vider la liste de chargeurs de classes

m:imprimer le relevé d'utilisation de la mémoire

o:déclencher la consignation

p:recharger la configuration du proxy

q:masquer la console

r:recharger la configuration des politiques

s:vider les propriétés système

t:vider la liste des threads

v:vider la pile des threads

x:effacer le cache de chargeurs de classes

0-5: fixer le niveau de traçage à <n>

-

Récepteur de modalités enregistré

Référence au chargeur de classes : sun.plugin.ClassLoaderInfo@1c74f37, refcount=1

Chargement de l'applet...

Initialisation de l'applet...

Démarrage de l'applet...

Connexion http://home.projection.nit:13082/Applets/V80/JICA-CoreN.jar sans proxy

Connexion http://home.projection.nit:13082/Applets/V80/JICA-CoreN.jar avec cookie "WS_LastUid=SIPROG.APPR20; WS_UsrRef=APPR20-S; WS_UsrLng=FR; WS_UsrSid=14; WS_UsrAut=AAAAClBiRTt7Nz59IjBsXAXFbyYHdtcAAAAAAAhFXGRgKllvSwAAAFdxJTo1N3A5bnNTJU1yc2VpLj1wQjR%2bRTxLOE1qOG8mLWBLLT46KCMnYSJMTThSIW0="

Connexion http://home.projection.nit:13082/Applets/V80/JICA-ConfigN.jar sans proxy

Connexion http://home.projection.nit:13082/Applets/V80/JICA-ConfigN.jar avec cookie "WS_LastUid=SIPROG.APPR20; WS_UsrRef=APPR20-S; WS_UsrLng=FR; WS_UsrSid=14; WS_UsrAut=AAAAClBiRTt7Nz59IjBsXAXFbyYHdtcAAAAAAAhFXGRgKllvSwAAAFdxJTo1N3A5bnNTJU1yc2VpLj1wQjR%2bRTxLOE1qOG8mLWBLLT46KCMnYSJMTThSIW0="

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/JICA.class sans proxy

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/JICA.class avec cookie "WS_LastUid=SIPROG.APPR20; WS_UsrRef=APPR20-S; WS_UsrLng=FR; WS_UsrSid=14; WS_UsrAut=AAAAClBiRTt7Nz59IjBsXAXFbyYHdtcAAAAAAAhFXGRgKllvSwAAAFdxJTo1N3A5bnNTJU1yc2VpLj1wQjR%2bRTxLOE1qOG8mLWBLLT46KCMnYSJMTThSIW0="

Chargement de http://home.projection.nit:13082/Applets/V80/com/citrix/JICA.class à partir du cache

...

...

...

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/client/warning.gif sans proxy

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/client/warning.gif avec cookie "WS_LastUid=SIPROG.APPR20; WS_UsrRef=APPR20-S; WS_UsrLng=FR; WS_UsrSid=14; WS_UsrAut=AAAAClBiRTt7Nz59IjBsXAXFbyYHdtcAAAAAAAhFXGRgKllvSwAAAFdxJTo1N3A5bnNTJU1yc2VpLj1wQjR%2bRTxLOE1qOG8mLWBLLT46KCMnYSJMTThSIW0="

Chargement de http://home.projection.nit:13082/Applets/V80/com/citrix/client/warning.gif à partir du cache

Modalité empilée

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/client/widgets/j.class sans proxy

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/client/widgets/j.class avec cookie "WS_LastUid=SIPROG.APPR20; WS_UsrRef=APPR20-S; WS_UsrLng=FR; WS_UsrSid=14; WS_UsrAut=AAAAClBiRTt7Nz59IjBsXAXFbyYHdtcAAAAAAAhFXGRgKllvSwAAAFdxJTo1N3A5bnNTJU1yc2VpLj1wQjR%2bRTxLOE1qOG8mLWBLLT46KCMnYSJMTThSIW0="

Chargement de http://home.projection.nit:13082/Applets/V80/com/citrix/client/widgets/j.class à partir du cache

Modalité empilée

Modalité désempilée

Modalité désempilée

java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThread)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at sun.applet.AppletSecurity.checkAccess(Unknown Source)

at java.lang.Thread.checkAccess(Unknown Source)

at java.lang.Thread.interrupt(Unknown Source)

at com.citrix.client.module.t.p(Unknown Source)

at com.citrix.client.session.s.h(Unknown Source)

at com.citrix.client.module.wd.WinstationDriver.a(Unknown Source)

at com.citrix.client.module.wd.ica30.ICA30WinstationDriver.a(Unknown Source)

at com.citrix.client.module.wd.p.a(Unknown Source)

at com.citrix.client.module.p.a(Unknown Source)

at com.citrix.client.module.wd.d.a(Unknown Source)

at com.citrix.client.module.pd.ProtocolDriver.a(Unknown Source)

at com.citrix.client.module.pd.ProtocolDriver.a(Unknown Source)

at com.citrix.client.module.td.TransportDriver.a(Unknown Source)

at com.citrix.client.module.td.TransportDriver.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Arrêt de l'applet...

Récepteur de modalités non enregistré

Jointure du thread d'applet...

Destruction de l'applet...

Elimination de l'applet...

Sortie de l'applet...

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/client/module/y.class sans proxy

Impossible de traiter les cookies - utilisez le cache pour déterminer le "cookie"

Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/client/module/y.class avec cookie "WS_LastUid=SIPROG.APPR20; WS_UsrRef=APPR20-S; WS_UsrLng=FR; WS_UsrSid=14; WS_UsrAut=AAAAClBiRTt7Nz59IjBsXAXFbyYHdtcAAAAAAAhFXGRgKllvSwAAAFdxJTo1N3A5bnNTJU1yc2VpLj1wQjR%2bRTxLOE1qOG8mLWBLLT46KCMnYSJMTThSIW0="

Nom du fichier mis en cache : y.class-4e6191de-5d50c44d.class

Thread d'applet joint...

guezeg82a at 2007-7-13 3:19:53
# 3

When running the applet with the msjvm, do you get a "do you trust" popup?

It looks like the ICA classes and jar files aren't signed; you can give it permission like this:

grant codeBase "http://home.projection.nit:13082/-" {

permission java.security.AllPermission;

};

You can temporarily add the AllPermission to the all code part "grant {":

grant {

permission java.security.AllPermission; // temporary add this line in the java.security

....

The java.policy should be located in the java.home (C:\Program Files\Java\jreVERSION\) lib\security\

Close all browsers so the JRE will exit and then test if changing the policy fixed it.

There is a chance that the applet works ONLY with msjvm and you'll get some other exception.

harmmeijera at 2007-7-13 3:19:53
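
A narrower alternative to the AllPermission grants in the post above, shown as an added example (not code from the thread or from Citrix): it reads the plug-in trace, collects the permissions reported as denied and the origin the code was loaded from, and emits a policy entry granting only those. The function names and the sample trace are constructed for illustration; several rounds may be needed, since a trace only shows the first denial reached.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the trace above; the FilePermission line is invented.
SAMPLE_TRACE = r"""
Connexion http://home.projection.nit:13082/Applets/V80/JICA-CoreN.jar sans proxy
Connexion http://home.projection.nit:13082/Applets/V80/com/citrix/JICA.class sans proxy
java.vendor.url = http://java.sun.com/
java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThread)
java.security.AccessControlException: access denied (java.io.FilePermission C:\Documents and Settings\user\x.ini read)
"""

# Message shape: "access denied (<permission class> <target>[ <actions>])"
DENIED = re.compile(r"AccessControlException: access denied \((\S+)(?: (.*))?\)\s*$", re.M)
# Assumption: applet code is fetched as .jar/.class URLs, as in that trace.
CODE_URL = re.compile(r"https?://\S+?\.(?:jar|class)\b")
# Classes whose last token is an action list, not part of the target.
WITH_ACTIONS = {"java.io.FilePermission", "java.net.SocketPermission",
                "java.util.PropertyPermission"}

def denied_permissions(trace):
    """Distinct (class, target, actions) tuples the trace reports as denied."""
    perms = []
    for cls, rest in DENIED.findall(trace):
        target, actions = rest, ""
        if cls in WITH_ACTIONS and " " in rest:
            target, actions = rest.rsplit(" ", 1)  # targets may contain spaces
        if (cls, target, actions) not in perms:
            perms.append((cls, target, actions))
    return perms

def codebases(trace):
    """Origins the applet code was loaded from, as recursive codeBase URLs."""
    origins = []
    for url in CODE_URL.findall(trace):
        origin = "{0.scheme}://{0.netloc}/-".format(urlsplit(url))
        if origin not in origins:
            origins.append(origin)
    return origins

def narrow_grant(trace):
    """Policy text granting only the denied permissions to the observed codebases."""
    out = []
    for codebase in codebases(trace):
        out.append(f'grant codeBase "{codebase}" {{')
        for cls, target, actions in denied_permissions(trace):
            # Backslashes must be doubled inside policy-file strings.
            entry = '    permission {} "{}"'.format(cls, target.replace("\\", "\\\\"))
            out.append(entry + (f', "{actions}";' if actions else ";"))
        out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(narrow_grant(SAMPLE_TRACE))
```
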
# 4

> When running the applet with the msjvm do you get a

> do you trust popup?

I do, that's what I don't understand.

> It looks like the ICA Classes and jar files aren't

> signed,

Which lines make you think so? The administrator's guide asks to check that the browser is configured to run signed applets, and the MSJVM lets me read a certificate.

>you can give it

> permission like this:

> > grant codeBase "http://home.projection.nit:13082/-"

> {

> permission java.security.AllPermission;

> };

>

>

I've already tried this, it doesn't work.

> You can temporary add the allpermission to the all

> code part "grant {":

>

> grant {

> permission java.security.AllPermission; // temporary add this line in the java.security

> ....

>

This permission makes the applet work correctly.

> There is a change that the applet works ONLY with

> msjvm and you'll get some

> other exception.

The administrator's guide explains that the ICA client is designed to work with the JVM for Mozilla and Netscape

guezeg81a at 2007-7-13 3:19:53
# 5

I think the jars aren't signed because 1. you told us that usePolicy is not in the java.policy

and the trace is missing any checking of signatures:

http://forum.java.sun.com/thread.jspa?threadID=600033&tstart=135

3rd post

The line security: Loading Root CA certificates is completely missing from the trace.

The trace also suggests that a jar file is downloaded first, so the html code is not referencing a class file for its applet (a class file cannot be signed, only archives (= jar)).

It is downloading this file first:

http://home.projection.nit:13082/Applets/V80/JICA-CoreN.jar s

But later it is downloading some .class files which cannot be signed, I

wonder if the html code can be wrong.

I've checked the following pages:

http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=13033&pID=186

http://support.citrix.com/servlet/KbServlet/download/4259-102-11012/ICAJava.pdf

Does your html code look like this?

<applet name="javaclient"

codebase="../"

code="com.citrix.JICA"

archive="JICA-coreN.jar,JICA-configN.jar"

width="640"

height="480">

<param name="cabinets" value="JICA-coreM.cab,JICA-configM.cab">

<param name="Address" value="plateau">

<param name="End" value="end.html">

</applet>

harmmeijera at 2007-7-13 3:19:53
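
What "signed" means for an archive such as JICA-CoreN.jar, as an added example that is not part of the original post: signature files under META-INF plus a per-entry digest in MANIFEST.MF, which is why only entries inside a jar can be covered. The check below is structural only and does not validate any signature (`jarsigner -verify` does that); the sample jar and its placeholder signature files are constructed.

```python
import io
import re
import zipfile

SIG_FILE = re.compile(r"META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def digested_names(manifest_text):
    """Entry names that carry a per-entry *-Digest attribute in MANIFEST.MF."""
    # Manifest lines longer than 72 bytes continue on a line starting with a space.
    text = re.sub(r"\r\n?", "\n", manifest_text).replace("\n ", "")
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs and any(k.lower().endswith("-digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def signing_report(jar_bytes):
    """Structural check: are signature files present, and which entries lack a digest?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    covered = digested_names(manifest)
    code = [n for n in names if not n.startswith("META-INF/") and not n.endswith("/")]
    return {
        "signature_files": any(SIG_FILE.match(n) for n in names)
        and any(SIG_BLOCK.match(n) for n in names),
        "uncovered": sorted(n for n in code if n not in covered),
    }

def build_sample_jar(signed):
    """Constructed in-memory jar; the .SF/.RSA contents are placeholders, not signatures."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    if signed:
        manifest += "Name: com/citrix/JICA.class\r\nSHA1-Digest: cGxhY2Vob2xkZXI=\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder")
        jar.writestr("com/citrix/JICA.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/citrix/client/warning.gif", b"GIF89a")
    return buf.getvalue()
```
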
# 6

> Does your html code look like this?

> > <applet name="javaclient"

> codebase="../"

> code="com.citrix.JICA"

> archive="JICA-coreN.jar,JICA-configN.jar"

> width="640"

> height="480">

> <param name="cabinets"

> value="JICA-coreM.cab,JICA-configM.cab">

> <param name="Address" value="plateau">

> <param name="End" value="end.html">

> </applet>

>

Yes, but I use the complete archive JICAEngM.cab in the cabinets param

I've tried the

grant codeBase "http://..." {

...Allpermission

}

It works with Java 1.4 but not in 1.3. It's no big deal, it must work with 1.4

But I would still like the grant pop up to display.

guezeg81a at 2007-7-13 3:19:53
# 7

I must say, we have Citrix and I tried it with Mozilla and JRE 5 here, no problem.

Got the popup if I didn't have the grant codebase thing:

grant codeBase "http://server-name-of-the-server-hosting-the-jar-files/-" {

permission java.security.AllPermission;

};

If I had the above mentioned policy the popup didn't even show but the applet worked fine.

I am sure you've changed something in the policy somewhere that prevents the popup from showing.

If you make a self signed applet does the popup show?

Signing applets:

http://forum.java.sun.com/thread.jsp?forum=63&thread=524815

second post and last post for the java class file using doprivileged

harmmeijera at 2007-7-13 3:19:53
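
One way to check whether a policy file contains an entry that suppresses the popup or is left over from testing, as an added example that is not part of the thread: it lists every grant of AllPermission or of the usePolicy permission the original poster mentions, with the scope it applies to. The sample policy is constructed from the grants quoted in this thread plus an extension-directory grant; the function names are illustrative.

```python
import re

# Constructed sample: the grants quoted in this thread, plus an extension-directory grant.
SAMPLE_POLICY = '''
grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};
grant codeBase "http://home.projection.nit:13082/-" {
    permission java.security.AllPermission;
};
/* left over from testing */
grant {
    permission java.security.AllPermission; // temporary
    permission java.lang.RuntimePermission "usePolicy";
    permission java.util.PropertyPermission "java.version", "read";
};
'''

# Strings are matched first so that "//" inside "http://..." is not taken as a comment.
STRING_OR_COMMENT = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# Header and body skip over quoted strings, which may contain braces ("${java.home}").
GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
PERMISSION = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)
CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
SIGNED_BY = re.compile(r'\bsignedBy\s+"([^"]*)"', re.I)

def strip_comments(text):
    """Remove // and /* */ comments while leaving quoted strings untouched."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return STRING_OR_COMMENT.sub(keep_strings, text)

def scope_of(header):
    """Describe which code a grant header applies to."""
    codebase, signer = CODEBASE.search(header), SIGNED_BY.search(header)
    if not codebase and not signer:
        return "ALL CODE"
    parts = [f"codeBase {codebase.group(1)}"] if codebase else []
    if signer:
        parts.append(f"signedBy {signer.group(1)}")
    return ", ".join(parts)

def audit(policy_text):
    """Return (scope, finding) for every AllPermission or usePolicy grant."""
    findings = []
    for header, body in GRANT.findall(strip_comments(policy_text)):
        for cls, target in PERMISSION.findall(body):
            if cls == "java.security.AllPermission":
                findings.append((scope_of(header), "AllPermission"))
            elif cls == "java.lang.RuntimePermission" and target == "usePolicy":
                findings.append((scope_of(header), "usePolicy"))
    return findings
```

Run it over each policy file the plug-in loads: the java.policy under the java.home lib\security directory and the two files named by deployment.system.security.policy and deployment.user.security.policy in the trace above. An "ALL CODE" AllPermission entry applies to every applet from any site, so it should not outlive the test.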