1

We use Javascript to communicate between an applet and its hosting web page. We need to modify the applet to include the permissions attribute, and would like to know which value is needed for enabling Javascript communication for the applet. Can we use sandbox or do we need to use all-permissions?

Andrew Thompson
  • 168,117
  • 40
  • 217
  • 433
Crashalot
  • 33,605
  • 61
  • 269
  • 439
  • Have you tried it (`sandbox`) before you asked? – Stephen C Mar 16 '14 at 02:30
  • Yes, we tried sandbox, but we're not sure if it works in all cases. And the applet security model has changed so much recently that we want to make sure we minimize the possibility of error for our users. Thanks. – Crashalot Mar 16 '14 at 02:40
  • The best way to minimize the possibility of errors for your users is to TEST on all versions of Java that you can get your hands on. You need to do this anyway. Indeed, you would need to do that anyway ... to validate whatever you were told here! – Stephen C Mar 16 '14 at 02:48

2 Answers2

1

An applet scripted by Java Script only needs the same permissions as the applet would without Java Script.

Having said that, any call from JS is not considered 'trusted' by the JVM. So if a method that requires trust is called from JS, it will need to implement (in the code) use of doPrivileged(PrivilegedAction).

More on AccessController

The AccessController class is used for access control operations and decisions.

More specifically, the AccessController class is used for three purposes:

  • to decide whether an access to a critical system resource is to be allowed or denied, based on the security policy currently in effect,
  • to mark code as being "privileged", thus affecting subsequent access determinations, and
  • to obtain a "snapshot" of the current calling context so access-control decisions from a different context can be made with respect to the saved context.

More on PrivilegedAction

A computation to be performed with privileges enabled. The computation is performed by invoking AccessController.doPrivileged on the PrivilegedAction object. ..

Given the changing security regime, I would recommend wrapping all code that might ever be called from JS, into a PrivilegedAction.

Community
  • 1
  • 1
Andrew Thompson
  • 168,117
  • 40
  • 217
  • 433
0

I don't know if is you are looking for but for me it works if I deploy the applet with javascript: http://docs.oracle.com/javase/tutorial/deployment/applet/invokingAppletMethodsFromJavaScript.html

sandbox will work fine, but if you want to acess files or sockets you'll need to configure java.policy file: http://docs.oracle.com/javase/tutorial/security/tour1/wstep2.html

and grant permissions like java.security.Permission or java.io.FilePermission

Adrien
  • 365
  • 3
  • 9
  • similar question here: http://stackoverflow.com/questions/19399944/warning-on-permissions-attribute-when-running-an-applet-with-jre-7u45/25895666#25895666 – Adrien Sep 17 '14 at 16:54
  • well doing this is not deployable, cause client wont have permission, for that you'll need a true CA certificate – Adrien Sep 18 '14 at 16:10