I have a self signed applet, which was running fine till jre 7u21 came around.
Now I get the following AccessControlException when calling java.net.ProxySelector.setDefault:
Caused by: java.security.AccessControlException: access denied
("java.net.NetPermission" "setProxySelector")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown Source)
at java.net.ProxySelector.setDefault(Unknown Source)
For testing I tried removing this call, but other AccessControlExceptions start popping up. Apparently 7u21 applied significant changes to the applet's security model.
I always assumed that if the user accepts an applet's digital signature, no security restrictions apply. 7u21 now says that even signed applets can run in sandbox mode without clearly specifying when this is the case. (7u21 release notes). My security level slider in the Java control panel is set to medium (lowest level). Any recommendations how to resolve this?
Update: I resolved it by adding the security tag
<security>
<all-permissions/>
</security>
to the applet's jnlp file (applet is deployed via dtjava). It is now running under 7u21 without problems.
Related
I've tried to get my Java Applet to read from my text file, but I do not have sufficient privaleges to read the file when i run the applet in my browser.
I have tried to use policy files but I cannot seem to get them to work.
I later tried
System.setProperty("java.security.policy", "*filelocation*");
but i got this error
java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.policy write)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.System.setProperty(Unknown Source)
at BIT.init(BIT.java:35)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
What ways can I get my applet to run in my browser? It works fine in Eclipse's applet viewer.
The reason is specified within the What Applets Can and Cannot Do. It clearly specifies that:
Applets that are not signed are restricted to the security sandbox,
and run only if the user accepts the applet. Applets that are signed
by a certificate from a recognized certificate authority can either
run only in the sandbox, or can request permission to run outside the
sandbox. In either case, the user must accept the applet's security
certificate, otherwise the applet is blocked from running.
Later it states that:
Sandbox applets cannot perform the following operations:
They cannot access client resources such as the local filesystem, executable files, system clipboard, and printers.
They cannot connect to or retrieve resources from any third party server (any server other than the server it originated from).
They cannot load native libraries.
They cannot change the SecurityManager.
They cannot create a ClassLoader.
They cannot read certain system properties. See System Properties for a list of forbidden system properties.
To know about how to sign an Applet look here : How to Sign Applets Using RSA-Signed Certificates
You really ought to consider signing the applet.
This (short!) FAQ discusses both policies and signing:
http://www.coderanch.com/how-to/java/HowCanAnAppletReadFilesOnTheLocalFileSystem
Here is the offician documentation:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/doprivileged.html
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
And here is a good (albeit old) tutorial:
http://faculty.kutztown.edu/spiegel/CSc421/SigningAnApplet.htm
I am trying to execute this jnlp application.
However, I keep receiving this security exception:
java.lang.ExceptionInInitializerError
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:399)
at java.lang.Class.newInstance0(Class.java:370)
at java.lang.Class.newInstance(Class.java:322)
at com.sun.javafx.applet.FXApplet2.init(FXApplet2.java:63)
at com.sun.deploy.uitoolkit.impl.fx.FXApplet2Adapter.init(FXApplet2Adapter.java:207)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.net.useSystemProxies" "write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:364)
at java.security.AccessController.checkPermission(AccessController.java:560)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.System.setProperty(System.java:783)
at ensemble.Ensemble2.<clinit>(Ensemble2.java:77)
... 10 more
I tried changing the security settings in the Java control panel (OSX 10.8.3), but they seem to be disabled and I cannot modify them (I do can check the "Enable Java content in the browser" option, but it is resetted when I click apply). This is shown in the following figure:
Is there another mechanism for bypassing the Java security manager and being able to execute a jnlp application ?
UPDATE:
After reinstalling Java I was finally able to change the security options in the Java Control panel (I did not do anything special, just reinstall it from scratch). Unfortunately, when I execute the jnlp application it dies silently without showing any errors. This problem could be related to the fact that I am using the jdk 1.8 (since the jnlp application requires javafx) and it is just a preview version (and OSX does not seem to like a lot Java these days...), it is my best guess but I cannot be completely sure.
Possible reasons for this:
I have heard that Java 7 on Mac is still not stable.
By default JNLP files run in a "sandbox" to prevent malicious code from wreaking havoc on your system. This sandbox restricts access to the local filesystem and local network. I imagine that system properties are restricted too, and it looks like the app is trying to write to them. To allow unrestricted access, you need to sign the JAR file and configure the JNLP file with <security><all-permissions/></security>
I am trying to integrate Jena libs, Pellet and some RPG 2d library Slick all together in an applet.
So basically when I run the applet in the browser I get this file permission error (the jars I am using are all signed):
Exception in thread "Thread-15" java.lang.ExceptionInInitializerError
at org.mindswap.pellet.ABox.<init>(ABox.java:208)
at org.mindswap.pellet.KnowledgeBase.clear(KnowledgeBase.java:540)
at org.mindswap.pellet.KnowledgeBase.<init>(KnowledgeBase.java:418)
at org.mindswap.pellet.jena.PelletInfGraph.<init>(PelletInfGraph.java:99)
at org.mindswap.pellet.jena.PelletReasoner.bind(PelletReasoner.java:95)
at org.mindswap.pellet.jena.PelletReasoner.bind(PelletReasoner.java:53)
at com.hp.hpl.jena.ontology.impl.OntModelImpl.generateGraph(OntModelImpl.java:2744)
at com.hp.hpl.jena.ontology.impl.OntModelImpl.<init>(OntModelImpl.java:139)
at com.hp.hpl.jena.ontology.impl.OntModelImpl.<init>(OntModelImpl.java:128)
at com.hp.hpl.jena.rdf.model.ModelFactory.createOntologyModel(ModelFactory.java:410)
at RPGGame.GameSelectionScreen.init(GameSelectionScreen.java:170)
at RPGGame.RPGGame.initStatesList(RPGGame.java:39)
at org.newdawn.slick.state.StateBasedGame.init(StateBasedGame.java:164)
at org.newdawn.slick.AppletGameContainer$Container.initApplet(AppletGameContainer.java:272)
at org.newdawn.slick.AppletGameContainer$ContainerPanel.initGL(AppletGameContainer.java:229)
at org.newdawn.slick.AppletGameContainer$ContainerPanel.start(AppletGameContainer.java:216)
at org.newdawn.slick.AppletGameContainer$1.run(AppletGameContainer.java:92)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "pellet.configuration" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.mindswap.pellet.PelletOptions.<clinit>(PelletOptions.java:805)
Thanks in advance,
Ioana
The error is because ABox is trying to read information out of PelletOptions, which needs to load the Pellet configuration. It will usually try to read this out of the jar, but first, it double checks if the user specified in the system properties a different location than the default. It's this check that is causing the error.
You can just modify PelletOptions to always check in the jar and avoid the system properties check, or you might be able to twiddle the applet security stuff to make this ok (I don't know if that's possible, never used an Applet before).
I friend of mine gave me a script to run minecraft skins on my site but i keep getting this error and i dont have any clue how to go about this... =(
http://allcitybuilder.com/new/example.html
java.security.AccessControlException: access denied (java.net.SocketPermission www.minecraft.net:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at net.minecraft.skintest.math.Zombie$1.run(Zombie.java:82)
You must allow the Applet to connect to a resource.
Have a look at the sigend Applet tutorial: http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html
Normally Applets are only allowed to access the host they came from (in your case allcitybuilder.com). Thus, you either have to put the file to view also to this host (or install a proxy there), or your applet needs additional privileges to have more access.
For the applet to have more access, it needs to be digitally signed, and the user needs to confirm the applet loading.
But there is no way to say "I need only access to minecraft.net" and for the user to grant you only this permission (without manual editing of policy files), so it is an "all or nothing". Also, if the user refuses, the applet may either run with usual applet permissions (on Sun's Plugin) or not run at all (on IcedTea).
With JNLP you can get a confirmation for the user for individual actions, but this is only for local access, no remote one.
Probably the easiest thing would be to copy the resources to your site, making sure you have been granted appropriate rights by the copyright holder.
Alternatively, the site may add a crossdomain.xml file to allow access to code loaded from non-same-origin sites.
It is possibly to sign the code to gain full access to the local machine. However, this requires the user to accept the risk and writing secure code is surprisingly difficult.
I've got a signed java applet (using a self-signed-certificate) which has to access the user's file system. I have to do it, so please no replies ala "you shouldn't do it" :)
The thing is, when I execute the Applet from Firefox 3.0 / Mac, everything works as desired, I get all access just as it should.
When I use Safar 4 / Mac, I don't get access. The line I especially have problems with is System.getProperty() (although when I stub that out, the FS access doesn't work either)
String home = System.getProperty("user.home");
The Exception I get is the following:
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
at java.lang.System.getProperty(System.java:628)
at de.samedi.searcher.Searcher.<init>(Searcher.java:49)
at de.samedi.searcher.Applet.getSearcher(Applet.java:193)
at de.samedi.searcher.Applet.getSearcher(Applet.java:187)
at de.samedi.searcher.Applet.addPatient(Applet.java:68)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at sun.plugin.javascript.invoke.JSInvoke.invoke(JSInvoke.java:19)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at sun.plugin.javascript.JSClassLoader.invoke(JSClassLoader.java:44)
at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(SecureInvocation.java:658)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.liveconnect.SecureInvocation$2.run(SecureInvocation.java:214)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.liveconnect.SecureInvocation.CallMethod(SecureInvocation.java:192)
at sun.plugin.liveconnect.SecureInvocation.access$300(SecureInvocation.java:52)
at sun.plugin.liveconnect.SecureInvocation$CallMethodThread.run(SecureInvocation.java:123)
As I said, this works perfectly on Firefox. Gotta check Windows Browser today...
Any Ideas?
Once you have your jar compiled and signed you should run the -verify option to ensure its signed properly.
If the verification is ok look at the installed certificates on your browsers.
I haven't done anything in Safari only IE, but I imagine there is a place similar to I.E. where you can at least view the installed certificates. I would verify the certificate is installed.
Also make sure your code is running in a privileged block.
String home = System.getProperty("user.home");
will always throw an error in 1.4 or higher. Unless you have edited the java.policy file for All Permissions
Try using this in combination with your signed jar.
String home = (String) AccessController.doPrivileged(new PrivilegedAction()
{
public Object run()
{
return System.getProperty("user.home");
}
});
Has the user accepted full access for your applet in Safari? Sounds like the security manager kicking in.
I remember having a similar problem in an older version of Safari (this was years ago), and the solution I found was adding a delay to the applet. It seemed Safari for some reason was allowing the applet to run before the user was given the "trust this applet" dialogue (other browsers would not start the applet until after the user granted or denied access). At that point the applet was not trusted and a security exception would occur. Even though the user would then allow trust, it was too late as the applet had already run and failed. I had to add a delay for safari, so it would not try doing anything that needed secure access until a period of time had passed, allowing the user to give access before the applet tried doing anything needing security access.