2

Since Applets run in sandbox mode in browsers, I am using AccessController.doPrivileged to write to a file. It writes to the file when I run it in Eclipse, but doesn't write when I access the applet in browser. What am I missing? Here is the code:

public class HelloWorld extends Applet {

    public void paint(Graphics g) {
        AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try {
                    System.out.println(System.getProperty("user.home"));
                    String userHome = System.getProperty("user.home");
                    FileWriter fw = new FileWriter(userHome + File.separator
                            + "test" + File.separator + "area.txt");
                    fw.write("The area is 20m");
                    fw.flush();
                    fw.close();

                } catch (IOException ioe) {
                    System.err.println(ioe);
                }
                return Boolean.TRUE;
            }
        });
    }
}
Andrew Thompson
  • 168,117
  • 40
  • 217
  • 433
user2536083
  • 21
  • 1
  • 2
  • 5
    The applet must be signed and you may adjust Java policy settings. http://stackoverflow.com/questions/5313672/setting-up-policies-for-an-applet-embedded-in-html – PeterMmm Jun 30 '13 at 08:39
  • 2
    @PeterMmm *"you may adjust Java policy settings"* That is hardly practical at time of deployment. During development, you might as well just have the IDE launch it with no security manager. – Andrew Thompson Jun 30 '13 at 09:40

1 Answers1

4

AccessController.doPrivileged does not do what you think1.

But first to the two (practical) ways that an applet can access the local file system.

  • Digitally sign the applet, then have the user OK that applet when prompted.
  • Embedded applets running in a 1.6.0_10+ JRE can also access the services of the JNLP API, which include the JNLP API file services. They can work in a sand-boxed app. - they simply prompt the user when the applet goes to load or save a file. Of course, a free floating applet launched using JWS could do the same since Java 1.2, but since 1.6.0_10, those same applets can remain embedded. See the demo. of the file services in a small app. that comes complete with source, or this other small animated GIF maker for it used in an embedded applet.

You might note that I did not list 'adjust policy files/settings' in the list of practical ways. That is because it is not really practical. At least not for anything beyond a closed intranet in which the person deploying them controls the target machines (& can thereby install a policy file to allow the applet trust). But then in that situation, the benefits of an applet are severely eroded in any case.

  1. What it does is allow an applet that is already trusted to be called using a non-trusted source such as JavaScript. If adding that actually did change the security environment of an applet without lots of bells and whistles warning the end user, it would be a security bug.
Andrew Thompson
  • 168,117
  • 40
  • 217
  • 433
  • I created the jar and signed it too. Still it doesn't write to the file. I didn't change the above code, but added the name of signed jar in archive attribute of in html file. – user2536083 Jun 30 '13 at 12:03
  • 1) Change code of the form `catch (Exception e) { ..` to `catch (Exception e) { e.printStackTrace(); // very informative! ..` 2) Ensure the [Java Console](http://www.java.com/en/download/help/javaconsole.xml) is configured to show for applets & JWS apps. To clear the cache, type 'x c' while the console has focus. Then try to reload the page containing the applet. – Andrew Thompson Jun 30 '13 at 12:08
  • As an aside, no potentially time-consuming task should be done in the `public void paint(Graphics g) {` method! That method is intended to run very quickly.. – Andrew Thompson Jun 30 '13 at 12:10