applet security issue
Achilleas Mantzios
achill at smadev.internal.net
Mon Jan 9 17:09:39 UTC 2012
Solved!
I had to manually sign all jars involved.
Also I had tried a packaging scheme like this:
achill at smadev:~/workspace/SMA> jar tvf SMA_APPLETS.jar
1523 Mon Jan 09 18:55:28 EET 2012 META-INF/MANIFEST.MF
1517 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.SF
1100 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.DSA
0 Mon Jan 09 18:55:30 EET 2012 META-INF/
0 Mon Jan 09 17:02:06 EET 2012 com/
0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/
0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/web/
0 Mon Jan 09 17:47:04 EET 2012 com/gatewaynet/web/applets/
1835 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/DirectoryJApplet.class
441 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/Photo.class
1118 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$1.class
665 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$2.class
638 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$3.class
9393 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet.class
834 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJAppletTest.class
469 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$1.class
1011 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$2.class
427 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
1552 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker.class
64667 Mon Jan 09 18:55:10 EET 2012 commons-logging-1.1.1.jar
248764 Mon Jan 09 18:55:26 EET 2012 commons-codec-1.6.jar
290818 Mon Jan 09 16:18:22 EET 2012 commons-httpclient-3.0.1.jar
with META-INF/MANIFEST.MF reading :
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Class-Path: commons-logging-1.1.1.jar commons-codec-1.6.jar commons-ht
 tpclient-3.0.1.jar
Created-By: 20.0-b12 (Sun Microsystems Inc.)
Name: com/gatewaynet/web/applets/PhotoJAppletTest.class
SHA1-Digest: tVdZkLaPBO+2K7sXumm/UFrV33I=
Name: com/gatewaynet/web/applets/PhotoWorker.class
SHA1-Digest: ngl173D/yVdeVBNla7eA/g+pwns=
Name: com/gatewaynet/web/applets/PhotoWorker$1.class
SHA1-Digest: WA31AIKyDPK2YpyNkLVc8l+qyUc=
Name: com/gatewaynet/web/applets/Photo.class
SHA1-Digest: 9javBv5dnwqKgvP8lCRmYw/HvJM=
Name: commons-httpclient-3.0.1.jar
SHA1-Digest: y+YbW9oPtpE966w60dHhdMHJ/yk=
Name: com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
SHA1-Digest: ZJhQ7ihMCWoeehE78Zr4vAE2lic=
Name: com/gatewaynet/web/applets/PhotoJApplet.class
SHA1-Digest: y1hVH2FJi0wjHb10IWdWCq4UYcU=
Name: com/gatewaynet/web/applets/PhotoWorker$2.class
SHA1-Digest: r8xW1aPUaXrwuL6QnPLYkOj+hts=
........
and applet tag like :
<applet name="PhotoJApplet"
archive="../SMA_APPLETS.jar"
code="com.gatewaynet.web.applets.PhotoJApplet.class"
MAYSCRIPT
width="800"
height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>
Well, this worked *ONLY* in FreeBSD....
So, when packaging the other 3 Apache libs in my applet jar, this worked for
icedtea only, but for no Windows plugin (jre 1.5, jre 1.6 U20, jre 1.6 U30).
When I exported the 3 Apache libs independently like in :
<applet name="PhotoJApplet"
archive="../SMA_APPLETS.jar, ../commons-httpclient-3.0.1.jar,
../commons-logging-1.1.1.jar, ../commons-codec-1.6.jar"
code="com.gatewaynet.web.applets.PhotoJApplet.class"
MAYSCRIPT
width="800"
height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>
all worked fine.....
However, in any case *all* the jars were signed.... Forgetting to do so ended
in errors....
On Mon 09 Jan 2012 15:34:46 Achilleas Mantzios wrote:
> Hello java freebsd-ers!
>
> After struggling for hours in order to even see the digital signature
> security window appearing for my applet (and I did a lot of things,
> bundling all libs in one jar, re-signing, etc...)
> I got to the point where the applet starts, but then gives me a :
> java.security.AccessControlException: access denied (java.io.FilePermission
> /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>
> the stack trace is like :
>
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
>     at java.security.AccessController.checkPermission(AccessController.java:553)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:284)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at java.io.File.isFile(File.java:793)
>     at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:67)
>     at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:88)
>     at org.apache.commons.httpclient.methods.multipart.FilePart.<init>(FilePart.java:178)
>     at com.gatewaynet.web.applets.PhotoJApplet.actionPerformed(PhotoJApplet.java:285)
>
> PhotoJApplet.java:285 reads :
>
> FilePart filePart = new
> FilePart(thisfile.getName(),thisfile.getName(),thisfile,"image/jpeg",null);
>
> The funny thing is that the very same signed applet reads the contents of
> the /usr/local/jboss-6.0.0.Final/ without problem:
>
> String fname=imgPath + "/"+photos[i].filename;
> ImageIcon icon = new ImageIcon(fname);
>
> It's only when the IO is called from within apache's httpclient that I get
> the problem.
>
> (pls do not get confused, here jboss wears the hat of the dummy firefox
> user, nothing j2ee involved!)
>
>
> Any info would be great.
--
Achilleas Mantzios
IT DEPT
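
The fix reported in this thread was to sign every jar the applet loads. As an added example (not code from the thread), the Python below audits an archive list for jars that carry no signature files of their own, reporting bundled jars separately because the outer manifest lists a bundled jar only as one digested entry. It checks for the presence of `.SF` and signature block files only and does not verify digests or certificates (`jarsigner -verify` does that); `make_jar`, `unsigned_sources`, `audit` and the sample jars are constructed for illustration.

```python
import io
import zipfile

SIG_BLOCKS = (".DSA", ".RSA", ".EC")  # signature block files written by jarsigner

def make_jar(entries, signer=None):
    """Build a constructed sample jar in memory; `signer` adds dummy signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = "Manifest-Version: 1.0\r\n\r\n"
        if signer:  # per-entry sections; the digest values are placeholders
            manifest += "".join(
                f"Name: {n}\r\nSHA1-Digest: PLACEHOLDER\r\n\r\n" for n in entries)
            z.writestr(f"META-INF/{signer}.SF", "Signature-Version: 1.0\r\n")
            z.writestr(f"META-INF/{signer}.DSA", b"constructed, not a real signature")
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def unsigned_sources(label, data):
    """Return every jar, outer or bundled, that has no signature files of its own."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        files = [n for n in z.namelist() if not n.endswith("/")]
        meta = [n.upper() for n in files
                if n.upper().startswith("META-INF/") and n.count("/") == 1]
        signed = (any(n.endswith(".SF") for n in meta)
                  and any(n.endswith(SIG_BLOCKS) for n in meta))
        found = [] if signed else [label]
        for n in files:
            if n.lower().endswith(".jar"):  # a bundled library is audited separately
                found += unsigned_sources(f"{label}!/{n}", z.read(n))
    return found

def audit(archive):
    """`archive` maps each jar on the applet's archive list to its bytes."""
    return [hit for name, data in archive.items()
            for hit in unsigned_sources(name, data)]

# Constructed sample data: class bytes are dummies, jar names follow the thread.
APPLET = {"com/gatewaynet/web/applets/PhotoJApplet.class": b"\xca\xfe\xba\xbe"}
LIB = {"org/apache/commons/httpclient/HttpClient.class": b"\xca\xfe\xba\xbe"}
BUNDLED = {"SMA_APPLETS.jar": make_jar(
    {**APPLET, "commons-httpclient-3.0.1.jar": make_jar(LIB)}, signer="DYNACOM")}
SEPARATE = {"SMA_APPLETS.jar": make_jar(APPLET, signer="DYNACOM"),
            "commons-httpclient-3.0.1.jar": make_jar(LIB, signer="DYNACOM")}

if __name__ == "__main__":
    print(audit(BUNDLED))   # bundled library without its own signature is reported
    print(audit(SEPARATE))  # every jar signed: nothing reported
```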