0

I have simple folder chooser in java applet. The applet opens successfully and it shows AccessControlException. Im trying to set the default path ${user.home}, and then the user can select any flder they wish. If i set the other than user home path, the same error occurs. I have googled a lot for this and nothing works to me. Please look at the below traces and suggest any solution.

Below is the applet calling area from jsp:

<td align="right">
    <input type ="text" name="hdn_folder_path" readonly value="<%if(request.getRemoteAddr().toString().trim().equals(db_ip_address)){ out.println(hdn_folder_path);}%>" id="hdn_folder_path" size="60" class="textbox">&nbsp;&nbsp;<input type="button" class="buttonorange" value="Choose.." onClick = "getFolder();"  onmouseover="this.style.color='#fbe249';"  onmouseout="this.style.color='#FFF';">
    <OBJECT ID="FolderChooserApplet" NAME="FolderChooserApplet" WIDTH=00 HEIGHT=0 border="0" <% if(agentText.indexOf("msie") != -1){%>CLASSID="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" <%} else { %>  CLASSID="java:JFolderChooser.JFolderChooser.class"<% } %> type="application/x-java-applet">
    <PARAM NAME="code" value="JFolderChooser.JFolderChooser.class">
    <PARAM NAME="archive" value="<%=session.getAttribute("APPLET_PATH")%>/JFolderChooser.jar">
    <param name="defaultDir" value="<%if(request.getRemoteAddr().toString().equals(db_ip_address)){ out.println(hdn_folder_path);}%>">
    <param name="mayscript" value="true">
    </OBJECT>
</td>

Log:

Exception in thread "Basic L&F File Loading Thread" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Documents and Settings\Users" "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkRead(Unknown Source)
    at java.io.File.exists(Unknown Source)
    at sun.awt.shell.ShellFolder.getShellFolder(Unknown Source)
    at javax.swing.filechooser.FileSystemView.getShellFolder(Unknown Source)
    at javax.swing.filechooser.FileSystemView.getFiles(Unknown Source)
    at javax.swing.plaf.basic.BasicDirectoryModel$LoadFilesThread.run0(Unknown Source)
    at javax.swing.plaf.basic.BasicDirectoryModel$LoadFilesThread.run(Unknown Source)

JFolderChooser.java

import java.applet.Applet;
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;

import javax.swing.JFileChooser;
import javax.swing.UIManager;
import javax.swing.filechooser.FileFilter;

public class JFolderChooser extends Applet {
    /**
     * 
     */
    private static final long serialVersionUID = -6499964033850797167L;
    int returnVal;
    public String folderPath = "", defaultPath = "c:\\", defaultDir = "";
    public String formName = "", fieldName = "";
    JFileChooser jfc;

    @SuppressWarnings("unchecked")
    @Override
    public void init() {

        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                try {
                    UIManager
                            .setLookAndFeel("com.sun.java.swing.plaf.windows.WindowsLookAndFeel");
                } catch (Exception e) {
                }
//              defaultPath = getParameter("defaultDir");
//              if (defaultPath == null) {
//                  defaultPath = System.getProperty("user.home");
//              }
                File defaultDir = new File(defaultPath);
                if (!defaultDir.exists()) {
                    System.out.println("The specified folder does not exist.");
                    defaultDir = new File(System.getProperty("user.home"));
                }
                jfc = new JFileChooser();
                jfc.setFileFilter(new FileFilter() {
                    @Override
                    public boolean accept(File f) {
                        return f.isDirectory();
                    }

                    @Override
                    public String getDescription() {
                        return "Choose Folder";
                    }
                });
                jfc.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
                jfc.setCurrentDirectory(defaultDir);
                jfc.setAcceptAllFileFilterUsed(false);
                return null;
            }
        });     
        // getFolderSelected();
    }

    public String getFolderSelected() {
        returnVal = jfc.showDialog(this, "Select");
        if (returnVal == JFileChooser.APPROVE_OPTION) {
            folderPath = jfc.getSelectedFile().getAbsolutePath();
            System.out.println("You chose to open this folder: "
                    + jfc.getSelectedFile().getAbsolutePath());
        } else {
            folderPath = defaultPath;
            System.out.println("Rejected by User" + folderPath);
        }
        return folderPath;
    }

    public static void main(String args[]) {

    }
}

Note: I have done the following things,

  1. Signed jar using this commands

    keytool -genkey -validity 3650 -keystore pKeyStore -alias keyName keytool -selfcert -keystore pKeyStore -alias keyName-validity 3650 jarsigner -keystore pKeyStore AppletClass.jar keyName

  2. Edited policy file in ${java.home}/jre/lib/security/java.policy and added all permission. By doing this, the applet runs succesfully and choosing the folder in my machine/computer but not in others. This should work in all client machines. And i do not know how/where to add policy file to the project or application.

  3. Added privileged action classes in java file. and pasted the code below.

  4. When i run the applet normally instead calling from jsp, it works fine.

  5. Im using java version: jdk1.6.0_12 and jre6

Thanks.

EDITED: Finally this works, I changed the function getFolderSelected() which is calling from javascript,

public String getFolderSelected(){
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                returnVal=jfc.showDialog(JFolderChooser.this, "Select");    
                if(returnVal == JFileChooser.APPROVE_OPTION) {
                    folderPath = jfc.getSelectedFile().getAbsolutePath();
                    System.out.println("You chose to open this folder: " + jfc.getSelectedFile().getAbsolutePath());
                }else {
                    folderPath = defaultPath;
                    System.out.println("Rejected by User"+folderPath);  
                }
                return folderPath;
            }
        });
        return folderPath;
    }
fargath
  • 7,844
  • 6
  • 24
  • 36
  • Is JS in the mix? That will cause code that is normally trusted, to become untrusted. Also, that applet has some problems. 1) `public class JFolderChooser extends Applet {` Use the Swing based `JApplet`. 2) `.setLookAndFeel("com.sun.java.swing.plaf.windows.WindowsLookAndFeel");` If that worked on OS X or *nix, the users would hate you. Fortunately it will fail, silently. Use instead [`UIManager.getSystemLookAndFeelClassName()`](http://docs.oracle.com/javase/7/docs/api/javax/swing/UIManager.html#getSystemLookAndFeelClassName%28%29) which should work on all OS'. – Andrew Thompson Mar 18 '13 at 14:28
  • 3) Use `deployJava.js` to write the applet elemnt. 4) Don't try to deploy 0x0 applets. Some browsers will consider 0x0 elements to be suspicious and remove them. Recent problems with security had most of the browser manufacturers reverting to a 'click applet to launch' mode - which is pretty hard to do with a 0x0 applet. Instead use CSS to hide them (after they are working). See for further details, [1](http://stackoverflow.com/q/14487698/418556) & [2](http://stackoverflow.com/q/14659057/418556). – Andrew Thompson Mar 18 '13 at 14:33
  • Yes, JS in the mix. Thanks for the reply. And i have hidden the applet by giving 0x0 and set height and width from applet. So when calling applet function getSelectedFolder() from jsp then it show error. 2. I tried deployJava.js but it shows blank area no luck for me. In addition, i do not know how to include and process this js in my project. – fargath Mar 20 '13 at 10:03
  • 1
    *"Yes, JS in the mix."* Well make sure that whatever methods are called by JS, use `AccessController.doPrivileged(new PrivilegedAction() {..` kike in the `init()` – Andrew Thompson Mar 20 '13 at 10:23

1 Answers1

0

It seems like your applet is trying to get JRE L&F from LFS as

C:\Documents and Settings\Users

... and, moreover, making "c:\\" as a default path is not a good idea because, as a rule, it is not current OS user session root dir (for Windows' at least), anyway...

getting back to stack trace... It is probably L&F problem. So try to run applet with a default L&F or pack (into jar file) the windows L&F together with your applet not to read client's one.

P.S. I am not pretty sure here... but check your Internet browser Java settings. As I can remember, Oracle had recently restricted some default applet options so maybe you have to set them manually :S

Report if it was helpful

user592704
  • 3,674
  • 11
  • 70
  • 107
  • Yes, c:/ is not the current OS user session root dir, i get the default path directory as $user.home. so it shows default path of user root directory. – fargath Mar 20 '13 at 10:11