0

I want to code an applet which needs special security permissions, i.e. network access to do an HTTP GET to a site.

I signed the applet myself and did a simple test with this result:

java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.google.com:80" "connect,resolve")

I also tried to add the security policy inside the manifest file, with no luck.

I don't really understand what the correct procedure should be:

  • Should I use a policy file inside the jar? Where exactly should it be located?

  • Should I put some policy definition on the APPLET tag in the HTML?

  • Should I do something inside the code to ask for privileges/permission?

  • Should I use another launch method like JNLP? Does this make any difference?

Thanks

gipsh

2 Answers

0

The behavior depends on the Java version. Starting from Java 7u51, both JWS and applets need to be signed with a valid certificate (not self-signed): http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html#newft There are only two security levels, sandbox and all-permissions. The Permissions attribute must be specified in the manifest and in the JNLP file. To perform an HTTP request, sandbox is enough. Read this article: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

Simone
  • Thanks. What has worked for me is implementing PrivilegedAction on my classes and doing the AccessController.doPrivileged(). – gipsh Jan 28 '14 at 21:11
  • "sandboxed" permission is generally insufficient to violate Same Origin Policy. A limited form of crossdomain.xml is supported, but I don't think that can do anything useful with google.com's policy. – Tom Hawtin - tackline Jan 28 '14 at 22:20
0

I answered a similar question here: Warning on Permissions attribute when running an applet with JRE 7u45

You need to make a correct manifest file. Either you use the command line

jar ufm jarfile.jar confmanifest.txt

or you use Maven (Simpliest way to add an attribute to a jar Manifest in Maven).

Inside your manifest you'll edit the permissions that are needed (socket, file, etc.) and its Codebase (for cross-origin and security purposes).

Then, for running locally without a true CA-signed certificate, you'll need to edit your JVM java.policy file with policytool.

JNLP is for signed jars/applets. But you can use this; it's only an applet descriptor and you can execute it from everywhere, like your desktop.

With HTML5 you should use the <object> tag. I rather prefer to deploy the applet via JavaScript and invoke applet methods with JavaScript methods.

See http://docs.oracle.com/javase/tutorial/deployment/applet/invokingAppletMethodsFromJavaScript.html

cy@.

Adrien
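The doPrivileged approach mentioned in the comment under the first answer, combined with the second answer's suggestion of calling applet methods from JavaScript, as an added example (not code from the question or either answer). It assumes a jar that is signed and granted all-permissions; the class name `PrivilegedFetch`, the method `fetchFirstLine` and the one-entry host allowlist are hypothetical. Because page script can reach a public applet method, the target is validated before privilege is asserted and only the GET itself runs inside the privileged block.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical helper for a signed, all-permissions applet (Java 7/8 era API).
public final class PrivilegedFetch {
    // Constructed allowlist: the only hosts this applet is meant to contact.
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("www.google.com");

    // Validate first, then assert privilege for the network call only.
    public static String fetchFirstLine(String spec) throws IOException {
        final URL url = new URL(spec);
        String host = url.getHost().toLowerCase(Locale.ROOT);
        if (!"http".equals(url.getProtocol()) || !ALLOWED_HOSTS.contains(host)) {
            throw new SecurityException("target not allowed: " + spec);
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws IOException {
                    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                    conn.setInstanceFollowRedirects(false); // a redirect could leave the allowlist
                    conn.setConnectTimeout(5000);
                    conn.setReadTimeout(5000);
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(conn.getInputStream(), "UTF-8"));
                    try {
                        return in.readLine();
                    } finally {
                        in.close();
                        conn.disconnect();
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException(); // run() declares only IOException
        }
    }
}
```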