applet security issue

Achilleas Mantzios achill at smadev.internal.net
Mon Jan 9 17:09:39 UTC 2012


Solved!

I had to manually sign all jars involved.

Also I had tried a packaging scheme like this:

achill at smadev:~/workspace/SMA> jar tvf SMA_APPLETS.jar 
  1523 Mon Jan 09 18:55:28 EET 2012 META-INF/MANIFEST.MF
  1517 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.SF
  1100 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.DSA
     0 Mon Jan 09 18:55:30 EET 2012 META-INF/
     0 Mon Jan 09 17:02:06 EET 2012 com/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/web/
     0 Mon Jan 09 17:47:04 EET 2012 com/gatewaynet/web/applets/
  1835 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/DirectoryJApplet.class
   441 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/Photo.class
  1118 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$1.class
   665 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$2.class
   638 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$3.class
  9393 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet.class
   834 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJAppletTest.class
   469 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$1.class
  1011 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$2.class
   427 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
  1552 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker.class
 64667 Mon Jan 09 18:55:10 EET 2012 commons-logging-1.1.1.jar
248764 Mon Jan 09 18:55:26 EET 2012 commons-codec-1.6.jar
290818 Mon Jan 09 16:18:22 EET 2012 commons-httpclient-3.0.1.jar

with META-INF/MANIFEST.MF reading:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Class-Path: commons-logging-1.1.1.jar commons-codec-1.6.jar commons-ht
 tpclient-3.0.1.jar
Created-By: 20.0-b12 (Sun Microsystems Inc.)

Name: com/gatewaynet/web/applets/PhotoJAppletTest.class
SHA1-Digest: tVdZkLaPBO+2K7sXumm/UFrV33I=

Name: com/gatewaynet/web/applets/PhotoWorker.class
SHA1-Digest: ngl173D/yVdeVBNla7eA/g+pwns=

Name: com/gatewaynet/web/applets/PhotoWorker$1.class
SHA1-Digest: WA31AIKyDPK2YpyNkLVc8l+qyUc=

Name: com/gatewaynet/web/applets/Photo.class
SHA1-Digest: 9javBv5dnwqKgvP8lCRmYw/HvJM=

Name: commons-httpclient-3.0.1.jar
SHA1-Digest: y+YbW9oPtpE966w60dHhdMHJ/yk=

Name: com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
SHA1-Digest: ZJhQ7ihMCWoeehE78Zr4vAE2lic=

Name: com/gatewaynet/web/applets/PhotoJApplet.class
SHA1-Digest: y1hVH2FJi0wjHb10IWdWCq4UYcU=

Name: com/gatewaynet/web/applets/PhotoWorker$2.class
SHA1-Digest: r8xW1aPUaXrwuL6QnPLYkOj+hts=
........

and an applet tag like:

<applet name="PhotoJApplet"
		archive="../SMA_APPLETS.jar"
		code="com.gatewaynet.web.applets.PhotoJApplet.class"
		MAYSCRIPT
		width="800"
		height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>

Well, this worked *ONLY* in FreeBSD....

So, when packaging the other 3 Apache libs in my applet jar, this worked for
IcedTea only, but not for any Windows plugin (JRE 1.5, JRE 1.6 U20, JRE 1.6 U30).

When I exported the 3 Apache libs independently, like in:

<applet name="PhotoJApplet"
		archive="../SMA_APPLETS.jar, ../commons-httpclient-3.0.1.jar, ../commons-logging-1.1.1.jar, ../commons-codec-1.6.jar"
		code="com.gatewaynet.web.applets.PhotoJApplet.class"
		MAYSCRIPT
		width="800"
		height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>

all worked fine.....

However, in any case *all* the jars were signed.... Forgetting to do so ended
in errors....

On Mon 09 Jan 2012 15:34:46 Achilleas Mantzios wrote:
> Hello java freebsd-ers!
> 
> After struggling for hours in order to even see the digital signature
> security window appearing for my applet (and I did a lot of things,
> bundling all libs in one jar, re-signing, etc...)
> I got to the point where the applet starts, but then gives me a:
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
> 
> the stack trace is like:
> 
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
>         at java.security.AccessController.checkPermission(AccessController.java:553)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>         at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:284)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>         at java.io.File.isFile(File.java:793)
>         at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:67)
>         at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:88)
>         at org.apache.commons.httpclient.methods.multipart.FilePart.<init>(FilePart.java:178)
>         at com.gatewaynet.web.applets.PhotoJApplet.actionPerformed(PhotoJApplet.java:285)
> 
> PhotoJApplet.java:285 reads:
> 
> FilePart filePart = new FilePart(thisfile.getName(), thisfile.getName(), thisfile, "image/jpeg", null);
> 
> The funny thing is that the very same signed applet reads the contents of
> the /usr/local/jboss-6.0.0.Final/ without problem:
> 
> String fname = imgPath + "/" + photos[i].filename;
> ImageIcon icon = new ImageIcon(fname);
> 
> It's only when the IO is called from within Apache's httpclient that I get
> the problem.
> 
> (please do not get confused, here jboss wears the hat of the dummy firefox
> user, nothing j2ee involved!)
> 
> 
> Any info would be great.

-- 
Achilleas Mantzios
IT DEPT
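Added note and example, not part of the original thread: the read failed inside httpclient because AccessController.checkPermission requires every protection domain on the call stack to hold the permission, so an unsigned library frame sitting between the applet and java.io.File.isFile denies a read that the applet's own code (the ImageIcon path) is allowed to make. The Java check below (example code, not the poster's) reports every non-META-INF entry of a jar that carries no code signer, i.e. the condition the poster had to fix by signing each jar by hand; the jar paths passed on the command line are assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Lists every code entry in a jar that carries no signature, plus the signers found. */
public final class JarSignatureAudit {
    /** Per-jar result: unsigned entry names and the distinct signer subject DNs. */
    public static final class Report {
        public final List<String> unsigned = new ArrayList<>();
        public final Set<String> signers = new TreeSet<>();
        public boolean fullySigned() { return unsigned.isEmpty() && !signers.isEmpty(); }
    }

    public static Report audit(String path) throws IOException {
        Report r = new Report();
        // verify=true makes JarFile check each entry's digest against META-INF/*.SF
        try (JarFile jar = new JarFile(path, true)) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                String name = entry.getName();
                // Directories and the signature files themselves are never signed entries
                if (entry.isDirectory() || name.startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated once the entry has been read to EOF;
                // a tampered entry throws SecurityException here (digest mismatch)
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) { r.unsigned.add(name); continue; }
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    r.signers.add(leaf.getSubjectX500Principal().getName());
                }
            }
        }
        return r;
    }

    public static void main(String[] args) throws IOException {
        // Usage (paths assumed): java JarSignatureAudit SMA_APPLETS.jar commons-codec-1.6.jar
        for (String path : args) {
            Report r = audit(path);
            System.out.println(path + ": " + (r.fullySigned() ? "fully signed by " + r.signers
                : r.unsigned.size() + " unsigned entries " + r.unsigned));
        }
    }
}
```

A jar nested inside the applet jar shows up here as one signed blob; the classes inside it carry no signature of their own, which is why each library jar has to be signed and listed separately.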