Applet access to lib/ext - Java Applet Development

Hi,
I wrote an applet that is supposed to load additional jars from the local lib/ext. If I start the applet I get an access error:
java.lang.RuntimeException: java.lang.IllegalAccessError: tried to access class AApplet$1 from class AApplet
     at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
...
I know that I either have to sign it or grant it access to read local files. So I put
grant {
permission java.security.AllPermission;
};
in the java.policy file. I also put it in the .java.security in my home but still get the error. Then I signed the jar and imported the certificate in the browser, same exception. I also get the same exception if I start the applet with my test program outside the browser.
If I load both jars from the server, in my case localhost, everything works fine.
Any help greatly appreciated.
Peter 

I wrote an applet that is supposed to load additional jars from the local lib/ext.Why? If they're legitimate Java JARs they will be loaded anyway, and if they aren't they shouldn't be there. 

Because we load many different applets from different servers and if we load the jars from the server, we end up having the same jars being loaded many times and run out of memory. 

I found the problem, all classes in a jar have to come from the same package. Now it works. 

I found the problem, all classes in a jar have to come from the same package.No they don't.
Now it works.Not for that reason. 

Sun's Extension Mechanism Architecture doc states:
A package sealed within a JAR specifies that all classes defined in that package must originate from the same JAR. Otherwise, a SecurityException is thrown.
After moving the classes in a separate package it worked.
ejp I'm interested in hearing your explanation. 

all classes in a jar have to come from the same package.No they don't.A package sealed within a JAR specifies that all classes defined in that package must originate from the same JAR.Exactly. That's the opposite of what you said above. You had it back to front.

Related

Does URLClassLoader not recognize signed jars?

Hi everybody
I have the following setup:
1. An Applet, serving as a classloader. Applet is a signed jar (all permissions)
2. An Applet, being loaded by the classloader. Applet is also a signed jar (all permissions)
Everything works well, the second Applet is loaded and starts initializing untill the point where a FileDialog takes place. Then this error is thrown:
java.security.AccessControlException: access denied (java.io.FilePermission
I have read that URLClassLoader should be capable of knowing when a jar is signed and thereby executing the jar as a signed one.
Does anybody knows how to circumvent this so the jar will be given all permissions? 
Are you using Windows Vista? There's a restriction in Vista that makes it impossible to access folders outside of an secure area (can't remember that folder name).
Kaj 
Hi Kaj
Thanks for replying..
I do not think it is related to Vista because I have the same issue with Windows 2000. I think it has to do with giving permission for the loaded class even though it should not be necesarry.... URLClassLoader should be able to do this by itself when the loaded jar is signed.

Classes not found for jars listed in manifest

I have an applet whose main jar has a number of dependent jars listed in the manifest. All the jars are signed.
The applet works fine when downloaded from an HTTP server.
Previous to 1.6.14 it would also run from a local directory.
As of Java 1.6.15 and 1.6.16, the classes in the dependent jars are no longer loadable from the local directory. ClassDefNotFound is the reported on the java console. Obviously the class is present, as the application is running fine in JVMs 1.6.14 and previous.
I see that 1.6.16 includes changes for the security baseline, but I cannot find anything that suggests changes are needed to support dependent jars. None of the dependent jars request a specific version of JRE.
Anybody know what is going on? 
Is this the error? (what you said doesn't exist in Sun's Java.)
h4. NoClassDefFoundError
h5. extends LinkageError
h5.
Thrown if the Java Virtual Machine or a ClassLoader instance tries to load in the definition of a class (as part of a normal method call or as part of creating a new instance using the new expression) and no definition of the class could be found.
h5.
The searched-for class definition existed when the currently executing class was compiled, but the definition can no longer be found.
Probably due to the presence of class files that once existed outside of the jars, but are now not there. And Java can't find the stuff in the jars to load, now.
If you provide a [Short, Self Contained, Correct Example|http://sscce.org] someone may be able to diagnosis the problem, as opposeed to guessing. 
Is this the error? ...Yes, sorry, the exception is NoClassDefFoundError
If you provide a Short, Self Contained, Correct Example someone may be able to diagnosis the problem, as opposeed to guessing. A link to the real live application can be found at: http://download.equitrac.com/38834/InstallGUI.html. (This original application does not meet the definition of short ... but demonstrates the problem well.)
When run as an applet off this site, it works fine.
If you click on the download button, it will place a copy on your local harddrive. To execute it locally double click on your local copy of InstallGUI.html.
When running it locally with Java 1.6.15 and 1.6.16 it will give you a class def not found exception without doing any thing.
When running locally with Java 1.6.14, it will not experience any trouble.
This applet needs permissions to open sockets and store data on the harddrive.
Probably due to the presence of class files that once existed outside of the jars, but are now not thereClose ... the application is made up of a main jar (our product) and a number of third party jars. The manifest for the main jar properly references the other jars, and works in all JVMs before 1.6.15. As of 1.6.15, none of the classes from the referenced jars can be opened.
I found that I can work around the problem by placing all classes into a single jar ... which may infringe on licensing requirements for some of the third party jars we use.
Dave

Custom classloader & sandbox

Hi all,
I have an applet which consists of two jar files. One unsigned with the main class and one which is signed and includes some optional classes which require extra privileges out of the sandbox.
When I boot the applet it loads in sandbox mode without throwing a security warning. When at runtime I create an instance from a class from the signed jar it will nicely throw a security warning wether the user wants to accept the certificate from the signed jar. This signed jar will then create a custom (url)classloader, which downloads an additional jar at runtime and executes it.
So far so good, but I noticed that the runtime downloaded classes may only use sandboxed methods. When I runtime download some classes which execute methods that reach out of the sandbox they fail with a java.security.AccessControlException.
These runtime classes are loaded through my custom classloader (which resides in the signed jar). I signed the jar which is downloaded at runtime with the same certificate. Also the privileged calls in the runtime classes are wrapped in AccessController.doPrivileged blocks. I thought these runtime loaded classes would inherit the permissions from their parent, which was granted permission by the user to escape the sandbox...
Does anyone know how I can force the extended priviliges to apply to my runtime loaded classes as well? Maybe sticking a custom securitymanager with my custom classloader?
Thanks!
Thijs 
did the user give your jar privilege to grant privileges to other jars? 
I don't know... Is it possible to explicitly request that permission (in code)?
The way I do it now is by having some classes that do some privileged actions in a accesscontroller.doprivileged block. This works fine for the jar bundled in the applets archive tag, but not for the runtime downlaoded classes. 
Never mind, I fixed it by setting my own securitymanager in the customclassloader which extends the checkPermission methods.

SecurityManager can trust a signed jar?

Hi, I have a signed applet. In the init method I forced classloader to load a signed jar. My jar calls some function not allowed in applet sandbox so I have an exception (in particular when a class in the jar calls System.getProperty()).
I post in the applet development forum and a suggestion is to set null the SecurityManager. It's resolve my problem but I prefer another suggestion: make the SecurityManager trusts my jar.
Is it possible? There is a way to give my jar the same privileges of my signed applet or to make the System considers it secure?
Thanks in advance 
From your other thread:
I don't want to download/load libraries yet includedYou won't. JAR files are only downloaded for missing classes. If JAXB is in the JRE your own JAXB won't be needed.
So you don' t need your classloader at all.
From this thread:
a suggestion is to set null the SecurityManager. It's resolve my problemI would be astonished if that is even possible in an applet. 
>
From this thread:
a suggestion is to set null the SecurityManager. It's resolve my problemI would be astonished if that is even possible in an applet.Trusted applets have full permissions, so you can do whatever you want. It's up to the programmer not to abuse that power, for instance by setting global state. There is an awful lot of responsibility in signing a jar. 
Thanks for your reply.
My jar does not contain only JAXB library but also some libraries that java 5 does not have (but java 6 have in the JRE).
I posted that my problem is in particular with JAXB library because loading my jar in a dinamic way I have an exception when I use JAXB library because it calls some forbidden function and it does not have permission.
If I understand well your opinion you tell me that if I put my jar in the archive tag when I define my applet in the html page, my jar is downloaded only if the jre hasn't the needed classes. It's probably true but my jar contains some libraries (not only jaxb) and they are all downloaded at the same time.
I tried this solution in the past and I tested my signed applet with different operating systems and in some case I obtained errors setting my jar in the archive tag with java 6 because there were conflicts.
I can't divide my jar in more jars, it's a requirement.
And after this tests I need to dowload it only with java 5. (I think)
My applet is signed so I can obtain the classloader and add it the URL of my jar. But my jar dosn't have the same privileges.
So I call System.setSecurityManager(null) and I haven't exception because nothing checks the actions of JAXB library.
But I prefer to get my jar the privileges it needs and not set null the SecurityManager, is it possibile in JAVA? My jar is signed, as the applet, is it possibile to impose it is safe? 
My jar does not contain only JAXB library but also some libraries that java 5 does not have (but java 6 have in the JRE). Why? Separate them. The JAXB implementation comes in a JAR of its own. Don't mess with that.
I can't divide my jar in more jars, it's a requirement.It can't be a requirement that you re-jar external components. Very bad practice.

Applet Exception

Hey
I have created an FTP CLIENT JApplet running on an IIS, it consists og 3 jar files,
Application jar and 2 Jakarta jar files (Jakarta FTPClient and some other jar).
My Problem is that i am getting an Exception "java.security.AccessControlException: Access denied (java.net.SocketPermission....)"
I can tell that my Application workes fine as an JFrame, but as an JApplet i get the Exception.
I have signed my Application.jar file (which i my JApplet).
Do i have to sign all 3 jar files ??
Can any tell me what to do, to make the Applet function
Thanks, Al 
Telling us the stack trace would have been nice, but yes, you'll have to sign all JARs that might execute a potentially restricted operation. 
Tanks CeciNEstPasUnProgrammeur!!
It works - You are a Java Superman in my eyes.
Thanks again - AL

Categories

Resources