
How to load a policy file with a signed Applet

 
Mahesh Bohra
Greenhorn
Posts: 1
Hi Everyone!

I have an Applet which tries to open a file on the client machine. For this to work, the jar file (in which the Applet class resides) is signed using keytool and jarsigner. I have also created a policy file for enabling access to the Applet. The policy reads as below:

grant {
permission java.security.AllPermission;
};

The following works fine:
appletviewer -J-Djava.security.policy=mypolicy test.html
Without the '-J-Djava.security.policy=mypolicy' in the above, the Applet would not work!

But if I try to open the html file in a browser (MacOS) then Access is denied.

I think the browser JVM is using the default policy file. One way to make this work is by modifying the JRE policy file. But I don't think my clients would be looking to do that.

My question is... how should I bundle the custom policy file into the jar so that client side there are no changes? Any idea?

NOTE: I have already seen some articles for the same. Would appreciate if anyone provides a very simple working example.

Thanks and Regards,
Mahesh.
 
Norm Radder
Ranch Hand
Posts: 728
A comment:
> bundle the custom policy file into the jar
This can't be allowed. If it were possible for an applet to set its own permissions then there wouldn't be any security.

>I think the browser JVM is using the default policy file
Yes, I think so too. It is up to each client to change his policy file to control what he will allow applets to do on his machine.

On Win98 there is a file, .java.policy, where the policytool writes when it is used to update permissions. This file is linked to from another policy file in the JVM's folders.
 
Ulf Dittmer
Rancher
Posts: 42967
grant {
permission java.security.AllPermission;
};


Ouch. You have just allowed any applet out there to read all files on your hard disk and to transmit them somewhere on the web.

Something like

grant codeBase "http://www.xyz.com/directory/applet.jar" {
permission java.security.AllPermission;
};

seems more appropriate. Even better, replace AllPermission with a more specific FilePermission.
[ October 24, 2005: Message edited by: Ulf Dittmer ]
 
Lin Shen
Ranch Hand
Posts: 57
Hi Ulf Dittmer, or anyone else who can help,

I need to allow the client to connect to hosts other than the one it downloaded the applet from. Also, I need the applet to have read and write permission.

How should I set the permission file to allow it to do so?

Thanks very much.
 
Ulf Dittmer
Rancher
Posts: 42967
@Lin Shen: You would need a java.io.FilePermission and a java.net.SocketPermission. They can be combined in one grant statement, which, as in my earlier post, should also specify the URL the applet comes from. Reading the javadocs for those two classes will give you a start in what to do. The Applet FAQ, which is linked in my signature, has further links on using policy files with applets.
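
Added example, not part of the original thread: a client-side policy file (Java policy syntax, not Java source) that combines the FilePermission and SocketPermission discussed above in one grant restricted by codeBase and by signer, with the open-ended grant from the first post shown commented out for contrast. The keystore file name, the signer alias "appletsigner", the appletdata directory and the host data.example.com are assumed placeholders.

```java
// Java policy file (e.g. the user's .java.policy). All names are placeholders.

// Keystore holding the public certificate of the applet's signer.
// A relative URL is resolved relative to this policy file's location.
keystore "applet-trust.jks", "JKS";

// Too broad (the grant from the first post): no codeBase and no signedBy,
// so it applies to every applet from every origin.
// grant {
//     permission java.security.AllPermission;
// };

// Scoped: applies only to code loaded from this jar URL AND signed by
// the certificate stored under this alias in the keystore above.
grant signedBy "appletsigner",
      codeBase "http://www.xyz.com/directory/applet.jar" {

    // Read/write limited to one directory tree under the user's home.
    // A trailing "-" matches all files in the directory, recursively.
    permission java.io.FilePermission
        "${user.home}${/}appletdata${/}-", "read,write";

    // Outbound connections to one additional host and port only.
    permission java.net.SocketPermission
        "data.example.com:443", "connect,resolve";
};
```

With appletviewer this file can be passed the same way as in the first post (-J-Djava.security.policy=...); a jar from a different URL, or one signed with a different key, matches no grant entry and gets only the default sandbox permissions.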
 