Applet security issues

Rob Fry
Greenhorn

Joined: Jun 11, 2008
Posts: 5
I have a self-signed applet - I verified that it's self-signed with jarsigner -verify, so it is without a doubt signed.

It's running on a Tomcat 6.0 server on localhost, and I'm trying it with both Firefox and IE, with the same result.

I'm trying to access the filesystem, and it simply will not do it, giving me AccessControlExceptions when I try that look like this :-

java.security.AccessControlException: access denied (java.io.FilePermission C:\ read)

(it makes no difference where I attempt to read on the filesystem, I've already fiddled around with that).

The root of it all is to use a file chooser to save a .png to the hard drive. The above error is caused by it attempting to set a default path to save the .pngs to, but if I take that out it still falls over, just on writing the file instead of reading. All the (many) tutorials I've read just talk about the requirement to sign the applet, but it is signed and the certificate accepted, still no joy. There is some talk about Java Web Start and bugs I noticed after rooting through Google, but that doesn't apply to me.


    public void doSaveAs() throws IOException {

        JFileChooser fileChooser = new JFileChooser();
        // Setting the start directory touches the file system; this is the
        // call behind the FilePermission "read" exception quoted above.
        fileChooser.setCurrentDirectory(this.defaultDirectoryForSaveAs);
        ExtensionFileFilter filter = new ExtensionFileFilter(
                localizationResources.getString("PNG_Image_Files"), ".png");
        fileChooser.addChoosableFileFilter(filter);

        int option = fileChooser.showSaveDialog(this);
        if (option == JFileChooser.APPROVE_OPTION) {
            String filename = fileChooser.getSelectedFile().getPath();
            if (isEnforceFileExtensions()) {
                if (!filename.endsWith(".png")) {
                    filename = filename + ".png";
                }
            }
            // Writing the PNG is the second point where the sandbox denies access.
            ChartUtilities.saveChartAsPNG(new File(filename), this.chart,
                    getWidth(), getHeight());
        }

    }

That's the code for sake of completeness - it's actually open source and well tested so I doubt there's anything to see there. The issue isn't really a codey one but some sort of signing/sandbox issue.

Any takers?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
Welcome to JavaRanch.

One thing to try is to run the code as privileged code; I've read reports that sometimes that's necessary even if the applet is signed. See the end of the "Signing an applet" section in http://faq.javaranch.com/java/HowCanAnAppletReadFilesOnTheLocalFileSystem for details.


Ping & DNS - my free Android networking tools app
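
The privileged-code approach suggested in the reply above, sketched as an added example (not code from the thread, the linked FAQ, or JFreeChart). The class and method names are hypothetical; it covers only the file write and assumes the JAR is signed and the user accepted the certificate, since doPrivileged only asserts permissions the applet's own protection domain already holds.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Locale;

/** Hypothetical helper for a signed applet; not part of any library. */
public final class PrivilegedPngWriter {

    private PrivilegedPngWriter() { }

    /**
     * Writes pngBytes to the file the user picked in the save dialog.
     * Pass only a File returned by the user's JFileChooser, never a path
     * supplied by the page or by script, because the write below runs
     * with the applet's own permissions regardless of who called it.
     */
    public static File write(File chosen, final byte[] pngBytes) throws IOException {
        // Validation stays outside the privileged block; getName() and
        // getParentFile() are string operations and need no permission.
        String name = chosen.getName();
        final File target = name.toLowerCase(Locale.ROOT).endsWith(".png")
                ? chosen
                : new File(chosen.getParentFile(), name + ".png");
        try {
            // Keep the privileged section as small as possible: one write.
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<File>() {
                    public File run() throws IOException {
                        OutputStream out = new FileOutputStream(target);
                        try {
                            out.write(pngBytes);
                        } finally {
                            out.close();
                        }
                        return target;
                    }
                });
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps checked exceptions; rethrow the original.
            throw (IOException) e.getException();
        }
    }
}
```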
Rob Fry
Greenhorn

Joined: Jun 11, 2008
Posts: 5
Thanks. I've been here a while actually, just not on the forums. Learning for the SCJP ages ago.

I was hoping to avoid policy files but it looks like I'll have to delve into them after all...
Rob Fry
Greenhorn

Joined: Jun 11, 2008
Posts: 5
Looks like this was the solution, putting in a policy file fixed it.

Thanks!
Sridhar Venkataraman
Ranch Hand

Joined: May 22, 2006
Posts: 76
Apologies if I'm stirring up this thread again, but I have a very similar issue on hand.

I had an applet which captured a screenshot of the client's workstation and saved it onto a predetermined location on the client's file system, from where my application picked it up for an e-mail attachment.

I had modified the code using the Java Swing API such that the applet prompts the user with a save file dialog as to where he/she wants to save the screenshot on their file system.

I am attempting to return the full path of the saved file from the applet onto a JavaScript function and then call on a VBScript function within the JavaScript such that it uses this full path (retrieved using the getAbsolutePath() method within the applet) of the screenshot to pick it up as an attachment.

My predicament is elaborated in my latest post HERE.

I want to give my applet full read rights to the client's file system without the client having to manually configure an appropriate policy to this effect at his end.

I have self-signed my applet and it is able to write the screenshot onto the client's file system inside a privileged code block. I have put the other code which requires read rights within the same block, but it doesn't appear to be working.

How do I achieve this?

Thank you for your time.
[ July 02, 2008: Message edited by: Sridhar Venkataraman ]
Sridhar Venkataraman
Ranch Hand

Joined: May 22, 2006
Posts: 76
UPDATE:

Solved the object expected issue, but still in the dark about how to make the file save dialog stay in focus immediately upon being fired.

UPDATE:

I managed to bypass the security restriction (It surprised me because I did not explicitly do anything in the code which dealt with security).

I now have a new problem. When I fire up the Java applet using the JavaScript, it throws the file save dialog and then appears to freeze (the dialog is not immediately in focus and I have to alt-tab around to bring it into focus).

Upon typing a file name, the JavaScript throws up an "object expected" error.

[ July 02, 2008: Message edited by: Sridhar Venkataraman ]