How to loading policy file with signed Applet

Mahesh Bohra
Greenhorn

Joined: Oct 20, 2005
Posts: 1
Hi Everyone!

I have an Applet which tries to open a file on the client machine. For this to work the jar file (in which the Applet class resides) is signed using the keytool and jarsigner. I have also created a policy file for enabling access to the Applet. The policy reads as below:

grant {
permission java.security.AllPermission;
};

The following works fine:
appletviewer -J-Djava.security.policy=mypolicy test.html
Without the '-J-Djava.security.policy=mypolicy' in the above, the Applet would not work!

But if I try to open the html file in a browser (MacOS) then Access is denied.

I think the browser JVM is using the default policy file. One way to make this work is by modifying the JRE policy file. But I don't think my clients would be looking to do that.

My question is... how should I bundle the custom policy file into the jar so that client side there are no changes? Any idea?

NOTE: I have already seen some articles for the same. Would appreciate if anyone provides a very simple working example.

Thanks and Regards,
Mahesh.
Norm Radder
Ranch Hand

Joined: Aug 10, 2005
Posts: 687
A comment:
> bundle the custom policy file into the jar
This can't be allowed. If it were possible for an applet to set its own permissions then there wouldn't be any security.

> I think the browser JVM is using the default policy file
Yes, I think so too. It is up to each client to change his policy file to control what he will allow applets to do on his machine.

On Win98 there is a file: .java.policy where the policytool writes when it is used to update permissions. This file is linked to from another policy file in the JVMs folders.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42370
grant {
permission java.security.AllPermission;
};


Ouch. You have just allowed any applet out there to read all files on your hard disk and to transmit them somewhere on the web.

Something like

grant codeBase "http://www.xyz.com/directory/applet.jar" {
permission java.security.AllPermission;
};

seems more appropriate. Even better, replace AllPermission with a more specific FilePermission.
[ October 24, 2005: Message edited by: Ulf Dittmer ]

Lin Shen
Ranch Hand

Joined: Oct 08, 2003
Posts: 57
Hi Ulf Dittmer, or anyone else who can help,

I need to allow the client to connect to hosts other than the one it downloaded the applet from. Also I need the applet to have read and write permission.

How should I set the permission file to allow it to do so?

Thanks very much.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42370
@Lin Shen: You would need a java.io.FilePermission and a java.net.SocketPermission. They can be combined in one grant statement, which, as in my earlier post, should also specify the URL the applet comes from. Reading the javadocs for those two classes will give you a start in what to do. The Applet FAQ, which is linked in my signature, has further links on using policy files with applets.
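
An added example, not part of any post in this thread: a small Python audit that flags the unscoped `AllPermission` grant discussed above and accepts a codeBase-scoped grant combining `FilePermission` and `SocketPermission`. The sample policy is constructed (the URL is the thread's placeholder; the directory and host are assumptions), and the severity labels are this example's own heuristic.

```python
import re

# Constructed sample: the thread's two grants plus a scoped grant of the kind
# described in the last reply. Directory name and host are assumptions.
SAMPLE_POLICY = r'''
grant {
    permission java.security.AllPermission;
};

grant codeBase "http://www.xyz.com/directory/applet.jar" {
    permission java.security.AllPermission;
};

grant codeBase "http://www.xyz.com/directory/applet.jar" {
    permission java.io.FilePermission "${user.home}${/}appletdata${/}-", "read,write";
    permission java.net.SocketPermission "data.example.com:443", "connect,resolve";
};
'''

GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\}\s*;', re.S | re.I)
PERM_RE = re.compile(r'permission\s+([\w.$]+)')

def strip_comments(text):
    # Drop /* ... */ blocks and whole-line // comments (URLs are left intact).
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^\s*//.*$', '', text, flags=re.M)

def audit_policy(text):
    """Return (grant_number, severity, message) for each risky grant entry."""
    findings = []
    for idx, m in enumerate(GRANT_RE.finditer(strip_comments(text)), 1):
        header, body = m.group(1), m.group(2)
        # A grant with no codeBase/signedBy/principal applies to all code.
        scoped = re.search(r'\b(codeBase|signedBy|principal)\b', header, re.I)
        perms = [p.group(1) for p in PERM_RE.finditer(body)]
        grants_all = 'java.security.AllPermission' in perms
        if grants_all and not scoped:
            findings.append((idx, 'HIGH', 'AllPermission granted to all code'))
        elif grants_all:
            findings.append((idx, 'MEDIUM', 'AllPermission; narrow to specific permissions'))
        elif perms and not scoped:
            findings.append((idx, 'MEDIUM', 'unscoped grant applies to all code'))
    return findings

if __name__ == '__main__':
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```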
 