java.security.AccessControlException: access denied - Java Applet Development

Hai ,
I am getting the following error! when am running my applet on bowser ,My applet class contains file access code ,
java.security.AccessControlException: access denied (java.io.FilePermission
     at java.security.AccessControlContext.checkPermission(Unknown Source)
     at java.security.AccessController.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkRead(Unknown Source)
     at java.io.File.canRead(Unknown Source)
     at com.esri.arcgis.sample.HelloSwingApplet.init(HelloSwingApplet.java:35)
     at sun.applet.AppletPanel.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
But the same code is working in appletviewer by using following command ,
**applettviewer -J-Djava.security.policy=java.policy.applet MyApplet.html**
So, tell me how to give permission when running applet on browser..
Thanks in advance ,
Arockia 

Sign the applet. 

Arockiaraj wrote:
..I am getting the following error! when am running my applet on bowser ,My applet class contains file access code ,As mentioned, applet code that uses File objects needs to be digitally signed by you, and authorized by the end user.
---------------------
Though there is also another way for an embedded applet to access resources on the file system of the end user when running in a Plug-In 2 JRE (1.6.0_10+).
The JNLP API offers the FileContents object which can be accessed through other JNLP classes. See the [demo of the JNLP API FileService|http://pscode.org/jws/api.html#fs] *(<- link)* for more details.
The [GIFanim applet|http://pscode.org/gifanim/#run] *(<- link)* uses those services in an embedded applet.
The JNLP API services are much friendlier than digitally signing the applet, IMO. The applet arrives on-screen with no prompts or warnings. Once the user clicks an 'Open File' menu item they are presented with a dialog that says WTE "The app. would like to read local files. Allow?".
This is much more understandable and logical than a prompt before the applet appears, asking the user for unlimited permissions. I examine the difficult result of the end user refusing the initial trust dialog and arriving at a sand-boxed applet that was intended to be trusted in the [example of loading trusted applets in a 'defensive' way|http://pscode.org/test/docload/] *(<- link).*
Hopefully, by now you will have got the point that dealing with embedded applets that are trusted is a PITA.
In contrast, it is relatively simple to use the JNLP file services in a sand-boxed free floating app., and that could be done since Java 1.2 (as opposed to embedding it, which only became possible in 1.6.0_10). 

You can grant permission base on its code base.
Edit file <JRE_dir>\lib\security\java.policy, add this code
grant codeBase "file:/<Path_to_your_jar_files>/*" {
permission java.security.AllPermission;
};
Path_to_your_jar_files example: C:/myApplet/*
JRE_dir may be C:\Program Files\Java\jre6
Edited by: 800360 on Oct 6, 2010 12:59 AM 

As applets are loaded from networks by clients who don't know java.policy from a hole in the ground, this suggestion seems entirely futile.

Related

using a jar librari under netbeans for  java web start

hello im using netbeans with the java web start plugin, in my proyect i need to use some .jar libraries , like synthetica.jar, i add the .jars to the librarie of my proyect but when i run the aplication under java web start the jars are not been use, any ideas?? please help =( 
..in my proyect i need to use some .jar libraries ,
like synthetica.jar, i add the .jars to the librarie
of my proyect but when i run the aplication
under java web start the jars are not been
use, any ideas?? ..Add the other resources to the classpath of the
web-start launch file.
Make references to the other jar file(s) from
within the resources element, of the JNLP
launch file, and they become available to
the classpath of the application.
There are other ways to reference the
resources, but that is the easiest.
..please help =( I recommend trying not to sound so pathetic.
It makes a poster seem 'needy' and people
are discouraged from helping. 
Keep in mind that the NetBeans webstart plugin is still in beta stage and as such by no means a fullproof option to successfully deploy your applications through webstart. For example; it doesn't support options like security and such.
Note: I'm not positive here myself but from what I read so far I conclude that a key element to what you want is using signed jarfiles (which netbeans doesn't do by default) and defining the security element in the jnlp file.
After reading the Java Web Start guide </hint> which can be found here: http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/contents.html I came to the conclusion that the program can't access the other jar file due to security limitations. By default its run in a sandbox and can't access other resources on the target machine. Unless it is signed and has requested the extra permission.
I know this contradicts with another section stating that the jarfiles will be pre-loaded and made available in the classpath before executing but I can reproduce your problems when trying to deploy an application which utilizes the NetBeans Swing GUI builder ('Matisse'). For some reason the layout manager isn't initialized, I can backtrace this to the application not getting access to the other classes when looking at the Java console:
Exception in thread "AWT-EventQueue-0" java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
     at java.security.AccessControlContext.checkPermission(Unknown Source)
     at java.security.AccessController.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
     at java.lang.System.getProperty(Unknown Source)
     at java.io.Win32FileSystem.getUserPath(Unknown Source)
     at java.io.Win32FileSystem.resolve(Unknown Source)
    ----CUT----This exception occurs right after I click one of the buttons which should trigger another window which also utilizes the layout manager in the extra jar file. The jarfile is defined as extra 'resource' in the jnlp file and has been set to eager.
So; my suggestion would be to sign your jarfiles, setup a security block to request full permissions and then you'll see things work as they should. I'm not really happy with this solution myself since it basicly requests full access on the client machine but so far I haven't found a way to overcome this.
PS: It has taken me much googleing (it seems most people simply copy each other examples, even if they have no clue what it does) and eventually came across the documetation of an older javaws version (1.4.2 iirc) which also presents the "j2ee-application-client-permissions" setting for the security block. This will work too, and I think its much safer than to try and use full permissions.
Message was edited by: Lion-O to add a PS section.

HELP!!! java.security.AccessControlException: access denied

Please help!
I have the project to use the applet to show the form, this applet is needed to read the file from the server side. when i using the jbuilder to coding, it can work to use the appletviewer to run the program to read the file.
After that i placed the code to the webapp (localhost), when i start up tomcat and use the ie to view the http://localhost:8080/auditForm/AuditForm.html. (this AuditForm.html is embedded the test.class. test.class use to read the file.
but error was occurred.
i am using the File Object to read file
File propertyFile=new File("C:/Tomcat/webapps/XX/WEB-INF/dbconfig.properties");java.security.AccessControlException: access denied (java.io.FilePermission C:\Tomcat\webapps\auditform\test\dbconfig.properties read)
     at java.security.AccessControlContext.checkPermission(Unknown Source)
     at java.security.AccessController.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkRead(Unknown Source)
     at java.io.File.canRead(Unknown Source)
     at DBconfig.<init>(DBconfig.java:31)
     at test.init(test.java:19)
     at sun.applet.AppletPanel.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
i am try to set the security policy in jdk, and tomcat, but also cannot work??? is it wrong setting??? how come.
urgent!!!!
To solve the problem probably it's necessary to have a look at the project but I can give you some suggestions :
1) An applet run on the client side so if you want to read a file on server side probably you have to use a jsp page.
2) The directory :
File propertyFile=new File("C:/Tomcat/webapps/XX/WEBINF/dbconfig.properties");
is different from the directory specified :
java.io.FilePermission C:\Tomcat\webapps\auditform\test\dbconfig.properties read.. probably because the first it's on server side and the second it's on client side . Pay attenction because it's difficult to distinguish between client and server sides when you test applications on your own machine :-)
3) java.security.AccessControlException is launched by client jre not from server
Bye
Fabio 
so how can i read the file from the server side. and then pass to the applet. 
Hai,
Probably i know the reasons..
1. Your applet should be signed... other no way of accessing other resources..
2. Any aaplication other than server-side code cant able to access the "WEB- INF" DIR CONTENTS.. I sure about this point..
3. If you want to read a file which is no more confidential ..keep it out side of "WEB-INF" then read it...
Other wise
Read it using servlet-applet communication...
i hope this will useful for you..
Regards
Desizners 
Ok..Im just trying to view a movie that runs in a java applet im thinking
When the video is trying to initalize...i get this error everytime..what the heck can I do to get these vids to play???
error:
jave.security.AccessControlException:access denied(ja....this reset I can not see its off the screen..
HELP...this is driving me nuts
thx 
Hey guys,
You can access what ever file you want on the originating host i.e. the server.
Im guessing you guys are testing your applet code probably before it takes the form of an applet. It's fundamental to realise that applets are downloaded to the client and excuted in a 'sandbox' by the java-plugin installed in the client browser. Hence using a File instance pointing somewhere on the C:\ drive is totally pointless as you likely won't have permission to access the client's hard drive anyway. More to the point, it is totally wrong; the property files or movies do not reside on the client machine.... and there is no need to confuse matters by talking about signing Jars.
My advice is to read the Applet/JApplet APIs which cleary show how to access 'resources' on the server - no extra permissions are needed so it is not even a security issue. Also, you web application usually can not see outside its context/document base so you will need to put the property file or movies in the same directory (or a visible sub-directory) as the applet code/jar itself.
Hope this info is of some use.
Warm regards.

Access denied when using Desktop-API

Hi to all,
I have a client app that is launched using JWS. In my JNLP file I declared:
<security>
     <j2ee-application-client-permissions/>
</security>
and all jar-files are signed with the same certificate. This is working fine, but when I try to use the Desktop-API to open a folder on clients machine
Desktop.getDesktop().open(new File("/path/to/dir"));
it gives me
java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
     at java.security.AccessControlContext.checkPermission(Unknown Source)
     at java.security.AccessController.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPermission(Unknown Source)
     at java.awt.Desktop.checkExec(Unknown Source)
     at java.awt.Desktop.open(Unknown Source)
...
I even tried with
<security>
     <all-permissions/>
</security>
in JNLP. But it gives me the same Exception. I also tried to use a PrivilegedAction to make SecurityManager not check permissions, but it didn't help. At last thought about having my own policy-file. But I don't know how to tell the JWS app to use it.
Thanks for help in advance
Christian 
843467 wrote:
..java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
...
I even tried with
..      <all-permissions/>I expect it is a caching issue. Make sure you uninstall the app. between runs. If that fails, check the JNLP file(s) using JaNeLA. 
Hi Andrew,
thanks for your quick reply. Indeed it was a caching problem.
I think I don't need the JaNeLA-tool in this case but it could be useful in the future.
Thanks for that, too and have a nice day.
Christian 
Hi to all,
Deleting the cache works fine. But only for one start.
I found the JNLP in the cache has been automatically updated with the line
<update check="timeout" policy="always"/>
I thought this could be the problem, because if may be the SecurityManager finds JNLP in the cache being different from that one on the server, it "thinks" it has been hacked?
To avoid this difference, I added the line right from the beginning, but that didn't help.
BTW I signed all my jars, but the JNLP-File is just provided in the working dir of the app unsigned. Somewhere I read about JNLP-Files also signed. May be I have to sign it, too, or is it possible to have it packed in my application jar (then it will be signed with it)?
Thank for any hints
Christian 
Unfortunately I came across further problems, see my last post.
Christian 
Hi to all,
I solved it. Having my JNLP signed and resetting also my browser cache helped. What I did before was only to reset the "java cache" (deleting the app in temporary internet files in java control panel).
May be that I really don't have to sign the JNLP and it will be working, too. I didn't test that yet.
Thanks to all for help
Christian

??Applet appears grey??

Hi,
I got a problem concerning something about policy I think.
When I launch my applet using IE, it appears grey even if it prints "applet started".
--> If I open the java console it gives me this :
Server setup error:
java.security.AccessControlException: access denied (java.io.FilePermission D:\pages\21.mif read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkRead(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
at MyApplet.init(MyApplet.java:82)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
--
I got this error when I log in with a new Windows account, with mine it works.
I re-install the JVM but it still doesn't work. I also copied the .java.policy file in c:/Documents and settings/[username].
???
Can you help me...
Thanks
ad 
Due to the error your applet probably won't be able to display. What is the applet trying to do. Are you accessing files? 
It looks like your applet is trying to access the local file system, something applets aren't allowed to do. 
Yes I have to open somes files I created but I allow the permissions on it and on the folder where they are located.
Something it's strange because when I launch my applet with JBuilder or Visual it's work but with IE it appears damn grey... 
How have you allowed the permissions? Also check you IE settings 
Its called the sandbox. As applets are like an application and client side, there is -by necessity, security restrictions preventing them from writing to or reading from local user files.
That said, if you just want it work for your own needs you can add this;-
grant {
permission java.security.AllPermission;
};
This should work OK with appletviewer and with relaxed settings in your own personal browser it may/should work on the net (btw: JBuilder provides an insulated testing environment for applets that ignores security restrictions). If you're planning to distribute it and you want it to work with other people, it won't work unless they explicitly set permissions in their browser, so as most people do not have relaxed settings and the default settings on most browsers are high security, its not reliable enough to be useful.
Signing the applet is one way - but it costs $$$
Forgetting about applets doing this sort of thing is a better way
Learning a scripting language such as JSP is the answer
Forgetting about applets doing this sort of thing is a
better way
Learning a scripting language such as JSP is the
answersomething says that u hate applets ..
Hi djbreizh,
Yes you can read files from applets. However, the file you wish to read has to be in the same directory as the applet class file or a subdirectory of the applet's home directory. When you do this, you should not need any signed applets (I could be wrong about this) and you will be able to read your file.
Regards,
Devyn 
Hi Sscotties,
Now it's working, but I don't understand why it's use for ?
When I want to install it on a new computer or to open a new account, I have to copy this file everytime ?
Thanks 
Hi Sscotties,
Now it's working, but I don't understand why it's use
for ?
When I want to install it on a new computer or to open
a new account, I have to copy this file everytime ?
ThanksErrr-hem!
Signing the applet is one way - but it costs $$$
Forgetting about applets doing this sort of thing is a better way
Learning a scripting language such as JSP is the answer
("something says that u hate applets .." of course I do, they're f---in' useless gimmicks)

Signed Applets 101?

I am new to applets, signed or otherwise.
I have a signed applet embedded in an HTML file. The public methods of the signed applet are called via JavaScript functions referenced in the HTML. All three (signed JARs, HTML, JavaScript) are on the local machine and not deployed on a web server (and are not meant to be).
I am using IE 6 with Java Plug-In 1.5.0_03 (5.0). As best as I can tell, my <OBJECT> tag specifying my applet is as described in the Java Plug-In 5.0 documentation.
I have created a public key-private key using "keytool", sent the certificate signing request to Verisign, have received the certificate reply, and have imported it into my keystore (with the -trustcacerts option). I have signed my JARs with that trusted certificate.
Within my applet (as a consequence of an HTML button click) I am attempting to write a small text file to the local machine. However, I am still getting the AccessControlExceptions (java.io.FileException testWrite.txt write).
What else am I missing? Do I need a ".java.policy" file in my user.home directory? If so, what do I need to specify? Do I need to modify the "java.policy" and/or "java.security" in JAVA_HOME? Do I need to sign my JavaScript also?
I was under the impression that signing your applet with a digital ID chained to a self-signed root CA certificate was sufficient to give your applet the same privileges as a normal application.
I have run out of options. Any guidance would be helpful.
Thanks 
If your jar file has been signed, when you run your applet, you should see a security warning dialog box popup,
which tell you what kind of certificate has signed this jar file, you will have option to click "Yes" button to give
permission to this applet, then your applet should have all the permission to do the job.
Do you see the security dialog box pop up? 
Yes, I see the security dialog box which presents the following message:
"Do you want to trust the signed applet distributed by '<My Company>'?"
"Publisher authenticity verified by 'VeriSign, Inc.'"
(Info balloon) "The security certificate was issued by a company that is trusted."
(Info balloon) "The security certificate has not expired and is still valid."
.. etc., etc.
Even if I select "Yes", my applet still does not have permission to write files or open sockets. Instead I get exception traces of this sort:
java.security.AccessControlException: access denied (java.io.FilePermission testWrite.txt write)
     at java.security.AccessControlContext.checkPermission(Unknown Source)
     at java.security.AccessController.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkWrite(Unknown Source)
     at java.io.FileOutputStream.<init>(Unknown Source)
     at java.io.FileOutputStream.<init>(Unknown Source)
     at java.io.PrintWriter.<init>(Unknown Source)
......
I have tried this both with and without a .java.policy file in my home directory. The following are the contents of the ".java.policy" file:
keystore "<MyHome>.keystore";
grant signedBy "sdl" {
permission java.security.AllPermission, signedBy "sdl";
};
where <MyHome> is replaced by my home directory path and "sdl" is my alias in the .keystore file in my home directory. 
you need a java.policy.applet file in the root of the jar.
just add the following to it.
grant {
permission java.security.AllPermission;
}; 
I have found a solution to my problem. In a nutshell, I was encountering these AccessControlExceptions in applet methods called from JavaScript functions.
Apparently, the Plug-In JRE does not trust (and therefore restricts) an otherwise trusted applet method if it is invoked from an untrusted JavaScript function.
I discovered this by perusing the following thread in the "Signed Applets" forum:
http://forum.java.sun.com/thread.jspa?forumID=63&threadID=524815
In that thread, "harmmeijer" posted a solution in which the public applet method invoked from JavaScript merely sets a boolean flag to be continuously monitored by a separate thread started from the applet's "init()" method. Whereas before the public applet method would be the one performing the restricted activity (read/write file, open socket, etc.), now that activity is performed by the thread, which is trusted because it is started in "init()" rather than via JavaScript.
The contents of a policy file in ${user.home} (or even its presence) do not seem to impact this extra "feature" in any way.
By the way, I was wondering whether this little "feature" is documented ANYWHERE in the Sun documentation (other than these forums, of course). I had been trying to solve this problem for a week and a half!!
Thanks to all who provided input.

Categories

Resources