2

I have an applet which runs in a browser.

I expect that when the use denies the permission for the applet to run, it should not run and give an AccessControlEception or something similar.

However, surprisingly, even after the user has denied permissions, the applet still keeps running. Here is part of the trace from the Java Console.

security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
security: Checking if certificate is in Deployment session certificate store
security: User has denied the priviledges to the code
security: Adding certificate in Deployment denied certificate store
security: Added certificate in Deployment denied certificate store
basic: Applet loaded.
basic: Applet resized and added to parent container

Isn't it expected that after the user has denied privileges, the applet shouldn't load? What's going on here?

Andrew Thompson
  • 168,117
  • 40
  • 217
  • 433
Sumeet Khullar
  • 463
  • 1
  • 4
  • 12
  • 1
    Did you copy/paste that output? I find it hard to believe Oracle would spell 'privileges' incorrectly in this case. What JRE is the browser using? What does the applet do that requires trust? Better still, where is your [SSCCE](http://sscce.org/)? – Andrew Thompson Jun 20 '12 at 09:59
  • Ya, I did copy/paste the output, and 'privileges' is indeed spelled incorrectly in the output. Anyhow, I think I got the solution. If the user denies permissions, the applet still loads with limited privileges, and if the user grants permissions, the applet loads with all privileges. – Sumeet Khullar Jun 20 '12 at 10:05

2 Answers2

2

If additional privileges are requested but denied, then the applet continues to run as normal. Otherwise you'd have the area of the page broken. The author of the applet may decide to continue with standard applet functionality or display some kind of permissions denied message. Unfortunately many applets are of sufficiently poor quality (which is a bit worrying for code that's supposed to be trusted) that they just fail throwing exceptions.

Tom Hawtin - tackline
  • 145,806
  • 30
  • 211
  • 305
1

..think I got the solution. If the user denies permissions, the applet still loads with limited privileges, and if the user grants permissions, the applet loads with all privileges

You think wrong. An Iced Tear JRE will not load the applet at all if it requests extended privileges and the user refuses. It is a decision that comes down to the manufacturer of the JRE.

Community
  • 1
  • 1
Andrew Thompson
  • 168,117
  • 40
  • 217
  • 433