0

First of all I'm aware that my question is same as in here. But that question did not helped me.

I have self signed applet.

jarsigner -verify sJSApplet.jar
jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.

Applet's purpose is to open MS Word document from LAN machine. So far I've tried opening using Desktop.open() and Runtime.exec(). With AccessController.doPrivileged and without. I always get java.security.AccessControlException: access denied.

I'm out of options. What else I could do?

I cannot use java.policy file.

HTML

<html>
    <head>
        <script>
            function openFile( command ) {
                    var applet = "<object type='application/x-java-applet' height='100' width='100' name='jsApplet'><param name='code' value='com.avacoda.swing.JSApplet'/><param name='archive' value='sJSApplet.jar' /><param name='mayscript' value='true'/><param name='filePath' value='C:\\note.txt'/>Applet failed to run.  No Java plug-in was found.</object>";

                    var body = document.getElementsByTagName("body")[0];
                    var div = document.createElement("div");
                    div.innerHTML = applet;
                    body.appendChild(div);
            }
        </script>
    </head>
    <body>
        <a href="#" onclick="openFile('C:/note.txt');">Open file</a>
    </body>
</html>

Java code:

public class WordApplet extends JApplet {

    @Override
    public void init() {
        openFile(getParameter("filePath"));
    };

    public void openFile(final String path) {
        AccessController.doPrivileged(new PrivilegedAction<Object>() {

            @Override
            public Object run() {
                try {
                        Runtime.getRuntime().exec("winword " + path); 
                        //Desktop.getDesktop().open(new File(path));
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return null;
            }
        });
    }
}

Full stack trace

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkExec(Unknown Source)
    at java.lang.ProcessBuilder.start(Unknown Source)
    at java.lang.Runtime.exec(Unknown Source)
    at java.lang.Runtime.exec(Unknown Source)
    at java.lang.Runtime.exec(Unknown Source)
    at com.test.applet.JSApplet$1.run(JSApplet.java:34)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.avacoda.swing.JSApplet.openFile(JSApplet.java:29)
    at com.avacoda.swing.JSApplet.init(JSApplet.java:25)
    at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
basic: Applet initialized
Community
  • 1
  • 1
Martynas Jurkus
  • 9,231
  • 13
  • 59
  • 101
  • Show complete stacktrace please – Sully Jun 28 '12 at 20:39
  • 2
    See also [*What Applets Can and Cannot Do*](http://docs.oracle.com/javase/tutorial/deployment/applet/security.html) and this [example](http://blog.danieldee.com/2009/07/javascript-and-applet-communication.html). – trashgod Jun 29 '12 at 00:45
  • Well, my applet was based on that example and I found out that JavaScript code is treaded as unsigned code. That is why I don't call my method from JS anymore and just add applet markup on demand. – Martynas Jurkus Jun 29 '12 at 08:02
  • 1
    1) Ensure the Java Console cache is cleared each add a label or `System.out.println()` to check you are using the new code. 2) Now I look closely at it, the JS function never uses the `command` it is passed. Why is that? – Andrew Thompson Jun 30 '12 at 01:05
  • 1) Thanks, this tip made me find my mistake. 2) just for testing purpose – Martynas Jurkus Jun 30 '12 at 07:50

2 Answers2

0

You are inherently not allowed to execute code on a user’s machine from an applet. This could be used to cause lots of trouble. However, consider using your Applet to output a file to the user’s computer and then using jScript and ActiveX to open the document in notepad. I have included an example I have found online:

<html>
    <head>
        <script type="text/javascript">
            function runApp(which) {
                WshShell = new ActiveXObject("WScript.Shell");
                WshShell.Run (which,1,false);
            }
        </script>
    </head>
    <body>
        <!-- Two ways to create a link to run the app. -->
        <font onClick="runApp('file://c:/winnt/notepad.exe');" style="cursor: hand;">
            <u>Notepad</u>
        </font>
        <br>
        <!-- Or use <a> descriptor -->
        <a href="runApp('file://c:/test.bat');">Batch File</a>
    </body>
</html>
sachleen
  • 30,730
  • 8
  • 78
  • 73
Mitch Connor
  • 766
  • 10
  • 19
  • Well, isn't it the same? Read file and write file? Anyway. I need to open file from network as it will have to be saved back to the same place after it is edited. So downloading file to system and then opening it is not an option. – Martynas Jurkus Jun 28 '12 at 20:37
  • 1
    Can I have more context on what your goal is? Just write all the information to the file and then output the file to the system, you should be using a text editor to write data to a file programmatic-ly. – Mitch Connor Jun 28 '12 at 20:40
  • A word document is stored on a network machine. User should be able to open it by clicking a link. File MUST be opened with a MS Word ready for editing. After editing file must be saved in the same location. That means no "Save as..." – Martynas Jurkus Jun 28 '12 at 21:01
0

There is nothing wrong with code samples above. Both cases Desktop.getDesktop().open() and Runtime.getRuntime().exec() works perfectly.

My problem was badly packaged jar.

Martynas Jurkus
  • 9,231
  • 13
  • 59
  • 101