Till morning everything working fine in my applet. I took Java update and everything stopped. I'm dealing with digital certificate using applet. Here is my stack trace. I followed some oracle article but didn't work.
https://blogs.oracle.com/java-platform-group/entry/liveconnect_changes_in_7u45
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#trusted_library
http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html
Java Plug-in 10.45.2.18
Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
User home directory = C:\Users\vicky.thakor
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "authProvider.SunMSCAPI")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
at sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:755)
at sun.security.mscapi.KeyStore$MY.engineLoad(KeyStore.java:62)
at java.security.KeyStore.load(Unknown Source)
at SecurityApplet.initializeBrowserKeyStore(SecurityApplet.java:162)
at SecurityApplet.isCertificateInstalled(SecurityApplet.java:268)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
.java.policy file I'm creating in public void init() method of applet. Its before accessing anything in applet.
grant
{
permission java.security.AllPermission;
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
permission java.util.PropertyPermission "*", "read, write";
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "*";
};
Update: 18th Nov, 2013
Its not working even if using code signing certificate
I cannot comment yet so am putting this as an answer instead.
I believe creating the .java.policy file in your applet will be too late - the plugin will have already started up and read the policy files before running any of your code.
You could sign your applet and use a jnlp file to assign permissions in the security element
I know it's pretty late to answer here, but adding my solution as I had a tough time with this:
My Issue: While deploying an application (a WAR file) that has dependencies on Bouncy Castle libraries, I faced this issue:
`
cannot create instance of
org.bouncycastle.jcajce.provider.digest.GOST3411$Mappings
java.security.AccessControlException: access denied
("java.security.SecurityPermission"
"putProviderProperty.BC")
`
Here is what I did and it worked for me:
Go to: {Installed JDK path}\jre\lib\security\
Open the file java.policy
Add permission: permission java.security.SecurityPermission "putProviderProperty.BC";
Restart the programs to load the changes.
I am yet to understand how exactly this works or if it is safe to just change java.policy file like this (still looking for other ways to achieve such a configuration).
Do take precautions with such a change. More at Oracle's doc
Issue:
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "authProvider.SunMSCAPI")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
It is because we needs permission to access file system resources, but an unsigned applet is denied this permission by default. So, to overcome this, the applet must be signed.
Simply you need to signed your applet jar file.
Signed jar file
Related
I'm working on JavaFx, and we need to run our app on JNLP Web Start, we have faced some problem, and we solved them, now, we have an error in SocketPermission on JNLP runtime.
My problem happens when I call an HTTP request to our server(APIs), the App can't call the request due the permission is denied :
java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.168.1.16:8080" "connect,resolve")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.FXAppletSecurityManager.checkConnect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:74)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
Some Developers said I should have change the java.policy file in my JRE, and said it's wrong way to solve it, but i did this way and nothing happened.
Is there other ways to solve this problem ?!
Add the below section to your JNLP file:
<security>
<all-permissions/>
</security>
I'm trying to run a simple Java Web Start App. I wrote my code in NetBeans and used the jar exported for my .jnlp file. Eventually I plan on having the code read from the windows registry and use that data, but for now all I'm doing is creating a String then calling System.out.println(strName); I am self signing the jar using the strategy outlined here. When I download and run the .jnlp, I get the following exception:
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "jna.debug_load" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at com.sun.javaws.security.JavaWebStartSecurity.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at java.lang.Boolean.getBoolean(Unknown Source)
at com.sun.jna.Native.<clinit>(Native.java:95)
at com.sun.jna.Pointer.<clinit>(Pointer.java:41)
at com.sun.jna.platform.win32.WinReg$HKEY.<init>(WinReg.java:32)
at com.sun.jna.platform.win32.WinReg.<clinit>(WinReg.java:61)
at cvbxtractor.CvbXtractor.main(CvbXtractor.java:17)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I have tried adding permission java.util.PropertyPermission "jna.debug_load", "read"; to my java.policy file, I have tried signing and resigning any jars it might be using, and made sure my .jnlp has the
<security>
<all-permissions/>
</security>
line in it, but none have helped. I'm sure I'm just missing some security toggle somewhere, if this is easy please forgive me, this is my first Java Web Start App.
As of java 7u45, you can't read system properties when running from a jnlp. Oracle basically ruined javaws. If you're writing a new app, I would recommend staying away from java webstart. It's broken and they just keep making it worse by forcing security updates that break your application.
That being said, one partial workaround to this problem is to prefix all of your properties with jnlp.. So, you'd have to rename your property jnlp.jna.debug_load. If it's a property from a third party library/jar you're using, you're out of luck.
I am trying to start the network server from outside netbeans. I did set the DERBY_INSTALL variable to the appropriate directory, then i issue setNetworkServerCP command which also works fine. But when i try to run startNetworkServer i am getting the following error.
C:\Users\tandons>D:
D:>cd D:\netbeans\glassfish-v2.1\javadb\bin
D:\netbeans\glassfish-v2.1\javadb\bin>setNetworkServerCP DERBY_HOME or
DERBY_INSTALL not set. Set one of these variables to the location of
your Derby installation. D:\netbeans\glassfish-v2.1\javadb\bin>set
DERBY_INSTALL=D:\netbeans\glassfish-v2 .1\javadb
D:\netbeans\glassfish-v2.1\javadb\bin>setNetworkServerCP.bat
D:\netbeans\glassfish-v2.1\javadb\bin>SET
DERBY_INSTALL=D:\netbeans\GLASSF~1.1\j avadb
D:\netbeans\glassfish-v2.1\javadb\bin>set
CLASSPATH=D:\netbeans\glassfish-v2.1\j
avadb\lib\derbynet.jar;D:\netbeans\glassfish-v2.1\javadb\lib\derbytools.jar;
D:\netbeans\glassfish-v2.1\javadb\bin>setNetworkServerCP
D:\netbeans\glassfish-v2.1\javadb\bin>SET
DERBY_INSTALL=D:\netbeans\GLASSF~1.1\j avadb
D:\netbeans\glassfish-v2.1\javadb\bin>set
CLASSPATH=D:\netbeans\glassfish-v2.1\j
avadb\lib\derbynet.jar;D:\netbeans\glassfish-v2.1\javadb\lib\derbytools.jar;D:\n
etbeans\glassfish-v2.1\javadb\lib\derbynet.jar;D:\netbeans\glassfish-v2.1\javadb
\lib\derbytools.jar;
D:\netbeans\glassfish-v2.1\javadb\bin>startNetworkServer Security
manager installed using the Basic server security policy. access
denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
java.security.AccessControlException: access denied
("java.net.SocketPermission" "localhost:1527" "listen,resolve")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkListen(Unknown Source)
at java.net.ServerSocket.bind(Unknown Source)
at java.net.ServerSocket.(Unknown Source)
at javax.net.DefaultServerSocketFactory.createServerSocket(Unknown Sourc
e)
at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocke
t(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknow
n Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Sou
rce)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unk
nown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unkno
wn Source)
at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
D:\netbeans\glassfish-v2.1\javadb\bin>
also is there a better way to do this from within a java program. I read the official doc given on Apache website( using NetworkServerControl api ) but i can make hardly anything out of whats given there..........
This is a known bug. Workarounds are described in the links below. (Google is your friend):
Netbeans bug report
Blog 1
Blog 2
Till morning everything working fine in my applet. I took Java update and everything stopped. I'm dealing with digital certificate using applet. Here is my stack trace. I followed some oracle article but didn't work.
https://blogs.oracle.com/java-platform-group/entry/liveconnect_changes_in_7u45
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#trusted_library
http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html
Java Plug-in 10.45.2.18
Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
User home directory = C:\Users\vicky.thakor
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "authProvider.SunMSCAPI")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
at sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:755)
at sun.security.mscapi.KeyStore$MY.engineLoad(KeyStore.java:62)
at java.security.KeyStore.load(Unknown Source)
at SecurityApplet.initializeBrowserKeyStore(SecurityApplet.java:162)
at SecurityApplet.isCertificateInstalled(SecurityApplet.java:268)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
.java.policy file I'm creating in public void init() method of applet. Its before accessing anything in applet.
grant
{
permission java.security.AllPermission;
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
permission java.util.PropertyPermission "*", "read, write";
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "*";
};
Update: 18th Nov, 2013
Its not working even if using code signing certificate
I cannot comment yet so am putting this as an answer instead.
I believe creating the .java.policy file in your applet will be too late - the plugin will have already started up and read the policy files before running any of your code.
You could sign your applet and use a jnlp file to assign permissions in the security element
I know it's pretty late to answer here, but adding my solution as I had a tough time with this:
My Issue: While deploying an application (a WAR file) that has dependencies on Bouncy Castle libraries, I faced this issue:
`
cannot create instance of
org.bouncycastle.jcajce.provider.digest.GOST3411$Mappings
java.security.AccessControlException: access denied
("java.security.SecurityPermission"
"putProviderProperty.BC")
`
Here is what I did and it worked for me:
Go to: {Installed JDK path}\jre\lib\security\
Open the file java.policy
Add permission: permission java.security.SecurityPermission "putProviderProperty.BC";
Restart the programs to load the changes.
I am yet to understand how exactly this works or if it is safe to just change java.policy file like this (still looking for other ways to achieve such a configuration).
Do take precautions with such a change. More at Oracle's doc
Issue:
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "authProvider.SunMSCAPI")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
It is because we needs permission to access file system resources, but an unsigned applet is denied this permission by default. So, to overcome this, the applet must be signed.
Simply you need to signed your applet jar file.
Signed jar file
I'm trying to implement Sun Tutorials RMI application that calculates Pi. I'm having some serious problems and I cant find the solution eventhough I've been searching the entire web and several javaskilled people.
I'm hoping you can put an end to my frustrations.
The crazy thing is that I can run the application from the cmd on my desktop computer. Trying the exact same thing with the exact same code in the exact same directories on my laptop produces the following errors. The problem occures when I try to connect the client to the server.
I don't believe that the error is due to my policyfile as I can run it on the desktop. It must be elsewhere. Have anyone tried the same and can you give me a hint as to where my problem is, please?
POLICYFILE SERVER:
grant
{
permission java.security.AllPermissions;
permission java.net.SocketPermission"*", "connect, resolve";
};
POLICYFILE CLIENT:
grant
{
permission java.security.AllPermissions;
permission java.net.SocketPermission"*", "connect, resolve";
};
______________________________________________
SERVERSIDE ERRORS:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\STUDENT>cd\
C:\>start rmiregistry
C:\>java -cp c:\java;c:\java\compute.jar -Djava.rmi.server.codebase=file:/c:/jav
a/compute.jar -Djava.rmi.server.hostname=localhost -Djava.security.policy=c:/jav
a/servertest.policy engine.ComputeEngine
ComputeEngine bound
Exception in thread "RMI TCP Connection(idle)" java.security.AccessControlExcept
ion: access denied (java.net.SocketPermission 127.0.0.1:1440 accept,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkAccept(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.checkAcceptPermi
ssion(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.checkAcceptPermission(Unknown Sour
ce)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Sou
rce)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Sour
ce)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source
)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
_______________________________
CLIENTSIDE ERRORS:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\STUDENT>cd\
C:\>java -cp c:\java;c:\java\compute.jar -Djava.rmi.server.codebase=file:\C:\jav
a\files\ -Djava.security.policy=c:/java/clienttest.policy client.ComputePi local
host 45
ComputePi exception:
java.rmi.UnmarshalException: Error unmarshaling return header; nested exception
is:
java.io.EOFException
at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(Unkn
own Source)
at java.rmi.server.RemoteObjectInvocationHandler.invoke(Unknown Source)
at $Proxy0.executeTask(Unknown Source)
at client.ComputePi.main(ComputePi.java:18)
Caused by: java.io.EOFException
at java.io.DataInputStream.readByte(Unknown Source)
... 6 more
C:\>
Thanks in advance
Perry
Your server didn't have permission to accept a connection from that client.
Ergo your policy file wasn't where you said it was, or wasn't loaded for some other reason.
Run it with -Djava.security.debug=access,failure and you will see what protection domain you were in when the security exception occurred, and what permissions it had.
java -cp c:\java;c:\java\compute.jar -Djava.rmi.server.codebase=file:/c:/java/compute.jar -Djava.rmi.server.hostname=localhost -Djava.security.policy=c:/java/servertest.policy engine.ComputeEngine
NB a file: codebase cannot work if it refers to a local filesystem, unless the client is also in the same machine, which makes RMI fairly pointless. Codebase URLs need to refer to locations that are accessible by the client. You can use shared file systems but you must provide a URL that is usable by the client. The server doesn't use its own codebase URL at all.
I tried the same and I found that Java simply ignored the policy file, no matter where I put it or what I put into it or which option I used to make the VM pick it up.
In the end, I create my own SecurityManager in the code and did everything manually.