Problems with CodeBase in .java.policy

Hi all,

I'm having all sorts of problems with my (signed) applet and permissions.

JVM 1.5.0_06

I am trying all possible combinations of Codebase to make it work, and it doesn't seem to work according to the docs. Here is what I tried so far:

The applet is stuck in a jar file on the following URL

http://server/rdp/properJavaRDP-1.1.jar

And this is what I tried for my Codebase (with the results):

http://                 doesn't work - security exceptions
http://*                works <--!!
http://server           works <--!!
http://server/*         doesn't work - security exceptions
http://server/-         doesn't work - security exceptions
http://server/rdp       doesn't work - security exceptions
http://server/rdp/      doesn't work - security exceptions
http://server/rdp/*     doesn't work - security exceptions
http://server/rdp/-     doesn't work - security exceptions

Of course I would like to set the most restrictive permissions possible, but somehow this doesn't seem to work for me (I am willing to take into consideration that I am stupid :)

Does anybody know what I am doing wrong?

Cheers, Miha Vitorovic

[1170 byte] By [Miha.Vitorovica] at [2007-10-2 11:38:31]
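
An added example, not part of the original post and not code from the JRE or the applet: the location-matching rules for a `grant codeBase` entry are the ones implemented by `java.security.CodeSource.implies`, so the entries listed above can be evaluated directly against the JAR URL and against the bare origin `http://server`, the value the console trace later in this thread prints as the LiveConnect "default security policy". Treating that origin as a code source that takes part in the permission check is an assumption of this example, and the class name `CodeBaseMatch` is hypothetical. The `http://` and `http://*` entries are left out because matching them depends on host-name comparison rather than on the path rules.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

/** Added example: evaluates policy codeBase patterns with CodeSource.implies. */
public class CodeBaseMatch {

    // URL of the applet JAR as given in the post; nothing is downloaded.
    static final String JAR_URL = "http://server/rdp/properJavaRDP-1.1.jar";

    // Assumption: the origin the console logs as "default security policy".
    static final String PAGE_ORIGIN = "http://server";

    // codeBase values from the post that use the literal host "server".
    static final String[] CODEBASES = {
        "http://server",
        "http://server/*",
        "http://server/-",
        "http://server/rdp",
        "http://server/rdp/",
        "http://server/rdp/*",
        "http://server/rdp/-",
    };

    /** Builds a CodeSource with a location and no signer requirement. */
    static CodeSource source(String location) throws Exception {
        URL url = URI.create(location).toURL();
        // The cast selects the (URL, Certificate[]) constructor; a bare null
        // would be ambiguous with the (URL, CodeSigner[]) overload.
        return new CodeSource(url, (Certificate[]) null);
    }

    /** True when a grant entry with this codeBase covers code loaded from 'location'. */
    static boolean applies(String codeBase, String location) throws Exception {
        return source(codeBase).implies(source(location));
    }

    public static void main(String[] args) throws Exception {
        // Comparing locations can trigger a name lookup for "server";
        // the result does not depend on whether the lookup succeeds.
        System.out.printf("%-22s %-10s %-10s%n", "codeBase", "JAR", "origin");
        for (String codeBase : CODEBASES) {
            System.out.printf("%-22s %-10b %-10b%n",
                    codeBase,
                    applies(codeBase, JAR_URL),
                    applies(codeBase, PAGE_ORIGIN));
        }
    }
}
```

A permission check succeeds only if every protection domain on the call stack holds the permission, so an entry that covers the JAR but not the origin column grants nothing to a call that also passes through code attributed to the bare origin.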
# 1

1. What policy file did you edit?

C:\Program Files\Java\jre1.5.0_06\lib\security\java.policy is the one that my jre uses when I run applets in a browser.

2. What exception do you get?

A Full trace might help us out:

http://forum.java.sun.com/thread.jspa?threadID=656028

Say I have an applet wanting to print out my home directory

    import java.applet.*;

    public class test extends Applet {

        public void start() {
            System.out.println("this is start");
            try {
                // Each getProperty call is checked against the policy
                // (java.util.PropertyPermission "<name>", "read").
                System.out.println(System.getProperty("java.version"));
                System.out.println(System.getProperty("java.home"));
                System.out.println(System.getProperty("user.home"));
            } catch (Exception e) {
                // An AccessControlException ends up here when the grant is missing.
                e.printStackTrace();
            }
        }

        public void init() {
            System.out.println("this is init");
        }
    }

Here is the java.policy:

    // .... what is already in the policy .
    grant codeBase "http://localhost/-" {
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "user.home", "read";
    };

Here is the output:

this is init

this is start

1.5.0_06

C:\PROGRA~1\Java\JRE15~2.0_0

C:\Documents and Settings\ME

Now close all browsers and comment out the line that allows read on user.home.

Start the page @ localhost again and find out you'll get an exception.

harmmeijera at 2007-7-13 5:23:14
# 2

I'll do the full trace tomorrow.

I created my personal policy

C:\Documents and Settings\miha\.java.policy

Which seems to work for some CodeBase settings. I would rather make it work with personal policy, as this is something a user can change without the need for Administrative rights.

Cheers, Miha Vitorovic

Miha.Vitorovica at 2007-7-13 5:23:14
# 3

Hi,

To test this, I am starting with the following setup:

    grant codeBase "http://server/-" {
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.util.PropertyPermission "gnu.posixly_correct", "read";
        permission java.awt.AWTPermission "accessClipboard";
        permission java.net.SocketPermission "*.domain", "resolve, connect";
    };

    grant codeBase "http://server" {
    };

And for each test I will move one permission to the lower section, closing Firefox between tests.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0

-

c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
l:   dump classloader list
m:   print memory usage
o:   trigger logging
p:   reload proxy configuration
q:   hide console
r:   reload policy configuration
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear classloader cache
0-5: set trace level to <n>

-

basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

network: Connecting http://server/rdp/properJavaRDP-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP-1.1.jar is read from JAR cache

security: Accessing keys and certificate in Mozilla user profile: null

security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loading Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loaded Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

[lines "

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

" repeat 1921 times]

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

liveconnect: JavaScript: UniversalBrowserRead enabled

liveconnect: JavaScript: default security policy = http://server

network: Connecting http://server/rdp/properJavaRDP12-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP12-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP12-1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/log4j-java1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/log4j-java1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/log4j-java1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

log4j:WARN Caught Exception while in Loader.getResource. This may be innocuous.

java.lang.reflect.InvocationTargetException

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at org.apache.log4j.helpers.Loader.getTCL(Unknown Source)

at org.apache.log4j.helpers.Loader.getResource(Unknown Source)

at org.apache.log4j.LogManager.<clinit>(Unknown Source)

at org.apache.log4j.Logger.getLogger(Unknown Source)

at net.propero.rdp.Rdesktop.<init>(Rdesktop.java:158)

at net.propero.rdp.applet.RdpThread.<init>(RdpApplet.java:157)

at net.propero.rdp.applet.RdpApplet.openTSWindow(RdpApplet.java:101)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at sun.plugin.javascript.invoke.JSInvoke.invoke(Unknown Source)

at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)

at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.plugin.liveconnect.SecureInvocation$2.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)

at sun.plugin.liveconnect.SecureInvocation.access$300(Unknown Source)

at sun.plugin.liveconnect.SecureInvocation$CallMethodThread.run(Unknown Source)

Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.Thread.getContextClassLoader(Unknown Source)

... 27 more

log4j:WARN Caught Exception while in Loader.getResource. This may be innocuous.

java.lang.reflect.InvocationTargetException

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at org.apache.log4j.helpers.Loader.getTCL(Unknown Source)

at org.apache.log4j.helpers.Loader.getResource(Unknown Source)

at org.apache.log4j.LogManager.<clinit>(Unknown Source)

at org.apache.log4j.Logger.getLogger(Unknown Source)

at net.propero.rdp.Rdesktop.<init>(Rdesktop.java:158)

at net.propero.rdp.applet.RdpThread.<init>(RdpApplet.java:157)

at net.propero.rdp.applet.RdpApplet.openTSWindow(RdpApplet.java:101)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at sun.plugin.javascript.invoke.JSInvoke.invoke(Unknown Source)

at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)

at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.plugin.liveconnect.SecureInvocation$2.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)

at sun.plugin.liveconnect.SecureInvocation.access$300(Unknown Source)

at sun.plugin.liveconnect.SecureInvocation$CallMethodThread.run(Unknown Source)

Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.Thread.getContextClassLoader(Unknown Source)

... 27 more

network: Connecting http://server/rdp/java-getopt-1.0.11.jar with proxy=DIRECT

basic: Loading http://server/rdp/java-getopt-1.0.11.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/java-getopt-1.0.11.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.properties with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.properties with proxy=DIRECT

Exception in thread "Thread-1929" java.security.AccessControlException: access denied (java.util.PropertyPermission gnu.posixly_correct read)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

at java.lang.System.getProperty(Unknown Source)

at gnu.getopt.Getopt.<init>(Getopt.java:617)

at gnu.getopt.Getopt.<init>(Getopt.java:581)

at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:279)

at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:164)

- - - - - - - - - - - - - Next test - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    grant codeBase "http://server/-" {
        permission java.util.PropertyPermission "gnu.posixly_correct", "read";
        permission java.awt.AWTPermission "accessClipboard";
        permission java.net.SocketPermission "*.domain", "resolve, connect";
    };

    grant codeBase "http://server" {
        permission java.lang.RuntimePermission "getClassLoader";
    };

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0


basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

network: Connecting http://server/rdp/properJavaRDP-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP-1.1.jar is read from JAR cache

security: Accessing keys and certificate in Mozilla user profile: null

security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loading Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loaded Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

[lines "

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

" repeat 1921 times]

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

liveconnect: JavaScript: UniversalBrowserRead enabled

liveconnect: JavaScript: default security policy = http://server

network: Connecting http://server/rdp/properJavaRDP12-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP12-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP12-1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/log4j-java1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/log4j-java1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/log4j-java1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/java-getopt-1.0.11.jar with proxy=DIRECT

basic: Loading http://server/rdp/java-getopt-1.0.11.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/java-getopt-1.0.11.jar is read from JAR cache

network: Connecting http://server/rdp/log4j.xml with proxy=DIRECT

network: Connecting http://server/rdp/log4j.properties with proxy=DIRECT

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.properties with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.properties with proxy=DIRECT

Exception in thread "Thread-1929" java.security.AccessControlException: access denied (java.util.PropertyPermission gnu.posixly_correct read)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

at java.lang.System.getProperty(Unknown Source)

at gnu.getopt.Getopt.<init>(Getopt.java:617)

at gnu.getopt.Getopt.<init>(Getopt.java:581)

at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:279)

at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:164)

- - - - - - - - - - - - - Next test - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    grant codeBase "http://server/-" {
        permission java.awt.AWTPermission "accessClipboard";
        permission java.net.SocketPermission "*.domain", "resolve, connect";
    };

    grant codeBase "http://server" {
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.util.PropertyPermission "gnu.posixly_correct", "read";
    };

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0


basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

network: Connecting http://server/rdp/properJavaRDP-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP-1.1.jar is read from JAR cache

security: Accessing keys and certificate in Mozilla user profile: null

security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loading Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loaded Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

[lines "

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

" repeat 1921 times]

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

liveconnect: JavaScript: UniversalBrowserRead enabled

liveconnect: JavaScript: default security policy = http://server

network: Connecting http://server/rdp/properJavaRDP12-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP12-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP12-1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/log4j-java1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/log4j-java1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/log4j-java1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/java-getopt-1.0.11.jar with proxy=DIRECT

basic: Loading http://server/rdp/java-getopt-1.0.11.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/java-getopt-1.0.11.jar is read from JAR cache

network: Connecting http://server/rdp/log4j.xml with proxy=DIRECT

network: Connecting http://server/rdp/log4j.properties with proxy=DIRECT

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.properties with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.properties with proxy=DIRECT

Exception in thread "Thread-1929" java.security.AccessControlException: access denied (java.awt.AWTPermission accessClipboard)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkSystemClipboardAccess(Unknown Source)

at sun.awt.windows.WToolkit.getSystemClipboard(Unknown Source)

at net.propero.rdp.rdp5.cliprdr.ClipChannel.<init>(ClipChannel.java:67)

at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:281)

at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:164)

- - - - - - - - - - - - - Next test - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    grant codeBase "http://server/-" {
        permission java.net.SocketPermission "*.domain", "resolve, connect";
    };

    grant codeBase "http://server" {
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.util.PropertyPermission "gnu.posixly_correct", "read";
        permission java.awt.AWTPermission "accessClipboard";
    };

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0


basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

network: Connecting http://server/rdp/properJavaRDP-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP-1.1.jar is read from JAR cache

security: Accessing keys and certificate in Mozilla user profile: null

security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loading Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loaded Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

[lines "

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

" repeat 1921 times]

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

liveconnect: JavaScript: UniversalBrowserRead enabled

liveconnect: JavaScript: default security policy = http://server

network: Connecting http://server/rdp/properJavaRDP12-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP12-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP12-1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/log4j-java1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/log4j-java1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/log4j-java1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/java-getopt-1.0.11.jar with proxy=DIRECT

basic: Loading http://server/rdp/java-getopt-1.0.11.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/java-getopt-1.0.11.jar is read from JAR cache

network: Connecting http://server/rdp/log4j.xml with proxy=DIRECT

network: Connecting http://server/rdp/log4j.properties with proxy=DIRECT

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.properties with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.properties with proxy=DIRECT

0 [Thread-1929] INFO net.propero.rdp - properJavaRDP version 1.1

0 [Thread-1929] INFO net.propero.rdp - Java version is 1.5

0 [Thread-1929] INFO net.propero.rdp - Operating System is Windows XP version 5.1

328 [Thread-1929] INFO net.propero.rdp - Connecting to server2:3389 ...

344 [Thread-1929] WARN net.propero.rdp - java.security.AccessControlException access denied (java.net.SocketPermission server2 resolve)

java.security.AccessControlException: access denied (java.net.SocketPermission server2 resolve)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkConnect(Unknown Source)

at java.net.InetAddress.getAllByName0(Unknown Source)

at java.net.InetAddress.getAllByName0(Unknown Source)

at java.net.InetAddress.getAllByName(Unknown Source)

at java.net.InetAddress.getByName(Unknown Source)

at net.propero.rdp.Rdesktop.main_nonstatic(Rdesktop.java:561)

at net.propero.rdp.applet.RdpThread.run(RdpApplet.java:164)

344 [Thread-1929] FATAL net.propero.rdp - java.security.AccessControlException: access denied (java.net.SocketPermission server2 resolve)

basic: Modality pushed

basic: Modality popped

- - - - - - - - - - - - - Next test - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    grant codeBase "http://server/-" {
    };

    grant codeBase "http://server" {
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.util.PropertyPermission "gnu.posixly_correct", "read";
        permission java.awt.AWTPermission "accessClipboard";
        permission java.net.SocketPermission "*.domain", "resolve, connect";
    };

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0


basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

network: Connecting http://server/rdp/properJavaRDP-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP-1.1.jar is read from JAR cache

security: Accessing keys and certificate in Mozilla user profile: null

security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts

security: Loading Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loaded Deployment certificates from C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\security\trusted.certs

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

[lines "

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

" repeat 1921 times]

liveconnect: JavaScript: calling Java system code

liveconnect: JavaScript: default security policy = http://server

liveconnect: JavaScript: UniversalBrowserRead enabled

liveconnect: JavaScript: default security policy = http://server

network: Connecting http://server/rdp/properJavaRDP12-1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/properJavaRDP12-1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/properJavaRDP12-1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/log4j-java1.1.jar with proxy=DIRECT

basic: Loading http://server/rdp/log4j-java1.1.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/log4j-java1.1.jar is read from JAR cache

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/java-getopt-1.0.11.jar with proxy=DIRECT

basic: Loading http://server/rdp/java-getopt-1.0.11.jar from cache

basic: Reading cached JAR file from JRE 1.5 release

basic: Certificates for http://server/rdp/java-getopt-1.0.11.jar is read from JAR cache

network: Connecting http://server/rdp/log4j.xml with proxy=DIRECT

network: Connecting http://server/rdp/log4j.properties with proxy=DIRECT

security: Loading certificates from Deployment session certificate store

security: Loaded certificates from Deployment session certificate store

security: Checking if certificate is in Deployment permanent certificate store

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl.properties with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.class with proxy=DIRECT

network: Connecting http://server/rdp/gnu/getopt/MessagesBundle_sl_SI.properties with proxy=DIRECT

0 [Thread-1929] INFO net.propero.rdp - properJavaRDP version 1.1

0 [Thread-1929] INFO net.propero.rdp - Java version is 1.5

0 [Thread-1929] INFO net.propero.rdp - Operating System is Windows XP version 5.1

344 [Thread-1929] INFO net.propero.rdp - Connecting to server2:3389 ...

network: Connecting socket://server2:3389 with proxy=DIRECT

359 [Thread-1929] INFO net.propero.rdp.Secure - 40 Bit Encryption enabled

375 [Thread-1929] INFO net.propero.rdp - Connection successful

875 [Thread-1929] WARN net.propero.rdp.Rdp processData - Server limited colour depth to 8 bits

11438 [Thread-1929] INFO net.propero.rdp - Disconnecting ...

11438 [Thread-1929] INFO net.propero.rdp - Disconnected

Works!!!! Sorry for the lengthy post :)

Regards, Miha Vitorovic

Miha.Vitorovica at 2007-7-13 5:23:14
# 4

Could you do the tests with the example provided above?

You've reached the conclusion that it must be the policy but the example above should test that without running complicated code that might be called from javascript:

http://forum.java.sun.com/thread.jsp?forum=63&thread=524815

second post and reply 18 for the java class file using doprivileged

If you want to use your own policy make sure it can be found by the jre using the [java.home]\lib\security\java.security

For example:

policy.url.2=file:${user.home}/other.policy

harmmeijera at 2007-7-13 5:23:14
# 5
Tnx, I'll test, just one observation regarding policy file. The policy examples given in the tests are both in my private policy file (the same file), so obviously JVM reads this file, since moving the permissions from one section to another helps.

Regards, Miha Vitorovic

Miha.Vitorovica at 2007-7-13 5:23:14
# 6
Thanks for the link also, I indeed am passing the parameters from the JavaScript, so I now understand why Applet Signing doesn't help in this case. But my problem with CodeBase still remains... :(

Regards, Miha Vitorovic

Miha.Vitorovica at 2007-7-13 5:23:14
# 7

Funny, trying with simple applet it works....

But obviously "use simpler applets" does not apply here...

Class file only!!!!

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0

-

c:clear console window

f:finalize objects on finalization queue

g:garbage collect

h:display this help message

l:dump classloader list

m:print memory usage

o:trigger logging

p:reload proxy configuration

q:hide console

r:reload policy configuration

s:dump system and deployment properties

t:dump thread list

v:dump thread stack

x:clear classloader cache

0-5: set trace level to <n>

-

basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@f3d6a5, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

network: Connecting http://vercingetorix.nil.si/test/Test.class with proxy=DIRECT

basic: Cached copy of http://vercingetorix.nil.si/test/Test.class is out of date

Cached copy: 10.2.2006 14:40:39

Server copy: 10.2.2006 14:49:14

basic: Cached file name: Test.class-2a4e71f8-16dc5d62.class

this is init

this is start

1.5.0_06

C:\PROGRA~1\Java\JRE15~1.0_0

C:\Documents and Settings\miha

Reload policy configuration ... completed.

basic: Stopping applet ...

basic: Removed progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Finding information ...

basic: Releasing classloader: sun.plugin.ClassLoaderInfo@f3d6a5, refcount=0

basic: Caching classloader: sun.plugin.ClassLoaderInfo@f3d6a5

basic: Current classloader cache size: 1

basic: Done ...

basic: Joining applet thread ...

basic: Destroying applet ...

basic: Disposing applet ...

basic: Quiting applet ...

basic: Joined applet thread ...

basic: Unregistered modality listener

basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@f3d6a5, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@122cdb6

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

this is init

this is start

1.5.0_06

C:\PROGRA~1\Java\JRE15~1.0_0

java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

at java.lang.System.getProperty(Unknown Source)

at Test.start(Test.java:10)

at sun.applet.AppletPanel.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

- - JAR - -

Java Plug-in 1.5.0_06

Using JRE version 1.5.0_06 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\miha

basic: Cache is enabled

basic: Location: C:\Documents and Settings\miha\Application Data\Sun\Java\Deployment\cache\javapi\v1.0

basic: Maximum size: unlimited

basic: Compression level: 0

-

c:clear console window

f:finalize objects on finalization queue

g:garbage collect

h:display this help message

l:dump classloader list

m:print memory usage

o:trigger logging

p:reload proxy configuration

q:hide console

r:reload policy configuration

s:dump system and deployment properties

t:dump thread list

v:dump thread stack

x:clear classloader cache

0-5: set trace level to <n>

-

basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

basic: httpCompression = true

network: Connecting http://vercingetorix.nil.si/test/Test.jar with proxy=DIRECT

basic: Downloading http://vercingetorix.nil.si/test/Test.jar to cache

basic: encoding = null for http://vercingetorix.nil.si/test/Test.jar

basic: Cached file name: Test.jar-77ba8f1b-4de5e367.zip

this is init

this is start

1.5.0_06

C:\PROGRA~1\Java\JRE15~1.0_0

java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

at java.lang.System.getProperty(Unknown Source)

at Test.start(Test.java:10)

at sun.applet.AppletPanel.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

basic: Stopping applet ...

basic: Removed progress listener: sun.plugin.util.GrayBoxPainter@19bd03e

basic: Finding information ...

basic: Releasing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=0

basic: Caching classloader: sun.plugin.ClassLoaderInfo@18fef3d

basic: Current classloader cache size: 1

basic: Done ...

basic: Joining applet thread ...

basic: Destroying applet ...

basic: Disposing applet ...

basic: Quiting applet ...

basic: Joined applet thread ...

basic: Unregistered modality listener

Reload policy configuration ... completed.

basic: Stopping applet ...

basic: Removed progress listener: sun.plugin.util.GrayBoxPainter@ba6c83

basic: Finding information ...

basic: Releasing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=0

basic: Caching classloader: sun.plugin.ClassLoaderInfo@18fef3d

basic: Current classloader cache size: 1

basic: Done ...

basic: Joining applet thread ...

basic: Destroying applet ...

basic: Disposing applet ...

basic: Quiting applet ...

basic: Joined applet thread ...

basic: Unregistered modality listener

basic: Registered modality listener

basic: Referencing classloader: sun.plugin.ClassLoaderInfo@18fef3d, refcount=1

basic: Added progress listener: sun.plugin.util.GrayBoxPainter@d80be3

basic: Loading applet ...

basic: Initializing applet ...

basic: Starting applet ...

this is init

this is start

1.5.0_06

C:\PROGRA~1\Java\JRE15~1.0_0

C:\Documents and Settings\miha

Regards, Miha Vitorovic

Miha.Vitorovica at 2007-7-13 5:23:14
# 8

Well, we could say the policy is OK because the example works. It could be the stack.

> I indeed am passing the parameters from the JavaScript

Methods called from other classes (beans) or javascript might be in a trusted codebase but the calling code is not.

Current code is only "trusted/allowed" if the entire stack is.

You might try doprivileged or a threaded version (second post of the link below)

http://forum.java.sun.com/thread.jsp?forum=63&thread=524815

second post and reply 18 for the java class file using doprivileged

harmmeijera at 2007-7-13 5:23:14
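The doPrivileged approach suggested in the reply above, sketched as an added example that is not part of the thread or of properJavaRDP. The class name, the resolve() method and the host allowlist are assumptions; "server2" is the host from the posted stack trace.

```java
import java.applet.Applet;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical applet: class name, method name and allowlist are assumptions.
public class ResolveApplet extends Applet {

    // Hosts the page script may ask for; "server2" is the RDP target in the trace.
    private static final String[] ALLOWED_HOSTS = { "server2" };

    // Called from page JavaScript. The script's frame sits on the call stack,
    // so without doPrivileged the SocketPermission check can fail on that frame.
    public String resolve(final String host) {
        if (!isAllowed(host)) {
            return "rejected: " + host;
        }
        try {
            // From here on only this class's protection domain (and the code it
            // calls into) is consulted; callers further up the stack are ignored.
            InetAddress addr = AccessController.doPrivileged(
                new PrivilegedExceptionAction<InetAddress>() {
                    public InetAddress run() throws UnknownHostException {
                        return InetAddress.getByName(host);
                    }
                });
            return addr.getHostAddress();
        } catch (PrivilegedActionException e) {
            // Wraps the checked exception thrown inside run().
            return "lookup failed: " + e.getException().getMessage();
        }
    }

    // Validate before elevating: the privileged block lends this applet's
    // permissions to whatever untrusted caller reached resolve().
    private static boolean isAllowed(String host) {
        if (host == null) return false;
        for (String allowed : ALLOWED_HOSTS) {
            if (allowed.equalsIgnoreCase(host)) return true;
        }
        return false;
    }
}
```

The applet's own codeBase still needs the SocketPermission grant in the policy file; doPrivileged only stops the permission check from walking past the applet's frame to its caller.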
# 9
Well, you might still want to check what exactly happens when you call Java from JavaScript, because as my example shows, CodeBase gets all strange in that case - so maybe some later version of JVM won't behave unexpectedly :)

Thank you for all your help.

Miha Vitorovic

Miha.Vitorovica at 2007-7-13 5:23:14
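A way to check the codeBase patterns from this thread outside the browser, as an added example that is not part of the original posts: it runs java.security.CodeSource.implies(), the documented codeBase matching rule, for each "server" pattern against the applet JAR URL and against the bare http://server value printed in the liveconnect trace. Treating that value as the code source of JavaScript-initiated calls is an assumption drawn from the trace; the class and method names are illustrative.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // codeBase values from the thread's test list (the ones naming "server").
    static final String[] GRANTS = {
        "http://server", "http://server/*", "http://server/-",
        "http://server/rdp", "http://server/rdp/",
        "http://server/rdp/*", "http://server/rdp/-"
    };

    // True when a grant entry with this codeBase covers code loaded from 'location'.
    // Signers are left out (null), so only the URL matching rules are exercised.
    // Note: URL comparison may attempt a DNS lookup of the host name.
    static boolean covers(String codeBase, String location) throws Exception {
        CodeSource grant = new CodeSource(new URL(codeBase), (Certificate[]) null);
        CodeSource code = new CodeSource(new URL(location), (Certificate[]) null);
        return grant.implies(code);
    }

    public static void main(String[] args) throws Exception {
        // Applet JAR URL from the first post.
        String jar = "http://server/rdp/properJavaRDP-1.1.jar";
        // Value shown as "default security policy" in the liveconnect trace
        // (assumed here to be the code source attached to JavaScript callers).
        String origin = "http://server";

        System.out.printf("%-24s %-8s %s%n", "codeBase", "JAR", "JS origin");
        for (String g : GRANTS) {
            System.out.printf("%-24s %-8b %b%n", g, covers(g, jar), covers(g, origin));
        }
    }
}
```

A permission check passes only when every protection domain on the stack is covered by a grant, so a codeBase that matches the JAR column but not the origin column would still be denied for calls that start in page script.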