I'm going to develop some applets, and I was wondering what an applet can and cannot do.
I know that an applet can't write in the Registry or Windows folders.
Do you know other things?
Thanks
Official docs http://download.oracle.com/javase/tutorial/deployment/applet/security.html
Much of it depends on whether you signed it or not.
There is one omission I know of in that...
Java AWT Robots are tricky since they give keyboard/mouse access to the applet. You can do it, but trust from the user alone doesn't cut it.
In this case you need to set your own custom security manager to grant permission to create a Robot.
Edited for correctness based on comments, thanks guys
Actually a signed applet can access the Windows registry through JNI calls.
For more info on the applet capabilities, take a look at http://en.wikipedia.org/wiki/Java_applet
I have a Java Card and it has 2 applets installed. Now I would like to select one of the two. Currently, the way I do it is that I provide the cap file of the applet, from which I get its AID. But I don't find this method satisfactory. So:
Is there a way or steps to get the AID of the applets installed in a Java Card without having the cap file?
Is there a way to select the applet without its AID? By this I mean: is there a way to make an applet auto-selectable after reset?
Are there any other ideas or insights over this?
For the questions you have asked,
Yes. PyApduTool can help you reach your goal. This tool can help you get all the packages' or applets' AIDs in the Java Card even though you do NOT have the cap file.
Just press the "Refresh" button. The things you need appear in the right text field.
You can set your applet as "Default Selected" when installing it.
In this way, you can make your applet selected by default without having to know its AID.
For convenience, it should be better to know the applet-AID.
Only one applet can be the default selected.
The answer from Andy is good, but I feel that it's missing an important part of the question:
Javacard get applet AID of installed applets through Java code
If the question refers to finding installed applets from the code of one Java Card applet itself, then this answer might apply:
First, it is possible to get the AID of the applet itself by JCSystem.getAID().
Second, it is not possible to "detect" other applets from within an installed applet.
Although if you know the other applet's AID you can get a hack of useful information about it using JCSystem and GPSystem.
So apart from inside JavaCard code, the Card Manager is able to list installed applets with all their privileges and so on. You can use a tool of your choice. If you are working with JCOP, I recommend JCOP Shell. If you work with freeware, I recommend Global Platform Pro from Martin Paljak.
Besides selecting AIDs and default selection, there is no direct way to select an applet. There is an indirect way by using the SharedObjectInterface mechanism from JavaCard, which lets you change control flow to a different applet.
I have a SELF-signed applet. Is it possible to see only the next message from Java (which happens only once)
NOT THIS (which happens every time I load the applet)
Maybe adding something to java.policy or java.security? Or disable this in Java Console. If somebody is familiar with this, kindly help me :)
If you are not familiar with these messages, please read this:
What should I do when I see a security prompt from Java?
Thanks in advance.
Maybe adding something to java.policy or java.security?
On the machine of every user of the applet? That has never been practical.
Or disable this in Java Console.
You mean introduce what amounts to weak security in the interface Oracle offers to configure their plug-in? No.
If somebody is familiar with this, kindly help me :)
Oracle (as well as me, for that matter) are more interested in helping the end user to avoid applets like this one, which is self-signed. If the user saw only the 2nd prompt as seen above, for an unverified applet, it would be nothing short of a security bug in the JRE. If you find a way to achieve it, please report it to Oracle so they can have that bug fixed quickly.
Seems the certificate used to sign the applet jar expired. Please sign it with a valid self-signed certificate.
We have an app that we use as an applet in our website. Since the latest Java updates, we can't use it because a third-party component uses its own applet loader, and that is being blocked by the runtime. So, we've moved to Webstart, which is working OK, but when a user downloads the JNLP and then leaves our site, they can access the app by loading the JNLP. So we miss out on the website traffic.
So my question is: is there any way to make a jnlp "use-once" to force a user to come back to the website? Tying it to a session variable? An entry in the database to say when they were last online maybe? Has anyone else done something similar?
Thanks in advance.
Java Web Start is a deployment technology, not a marketing strategy, but some possibilities suggest themselves:
Exploit the features of the <shortcut/> element.
Dynamically load and display site content in your application.
Make it easy to visit your site using the browse() method provided by java.awt.Desktop.
I'd like to have our ASP.NET web app create a desktop shortcut to our site on the user's (Windows) desktop. With their permission, of course. Like a button that they click and answer 'yes, it's ok', and then they get a link on the desktop or start menu that takes them to our site.
This may not seem like a great idea, and I could see how it could be annoying, but I have 2 great reasons for doing this. 1) Other people are doing it 2) Management wants it.
My question is, which technology would you guys recommend? I've heard this can be done via Java or Silverlight. Obviously our app is written in C#, but if it were much better/easier in Java we'd be willing to go that route.
So is one better for this task? And has anyone seen any examples?
EDIT:
OK, assuming I wanted to go the route of Trusted XBAP or Signed Applet, can anyone point me in the right direction? I have no Silverlight or Java experience, but I'm willing to learn if someone can point me at a good tutorial.
If I've understood correctly what you're trying to do, then no, you can't get your webapp to create a shortcut on the user's desktop. A couple of ways round it might be:
Host a batch file/script/installer on your site and try and get users to download it and run it locally.
Get the users to install a browser plugin that can do this. You may have to create this browser plugin yourself.
Browsers generally try to prevent websites having access to the local system for security reasons.
How does http://www.screentoaster.com capture a computer screen from a browser using a Java applet? Any suggestion or a lead on how to accomplish this? Is there another way to do it using a different technology such as Flash?
You can do it with just 5 lines of code.
1. Create one rectangle representing screen.
2. Create one BufferedImage to store image of the screen.
3. Take snapshot using new Robot().createSnapshot() method.
4. Save the bufferedImage in file.
Robot class is part of java.awt package
You can see more detail in the below link.
http://java.sun.com/j2se/1.4.2/docs/api/java/awt/Robot.html
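The four steps above as a complete program, added here as an example and not part of the original answer. It calls Robot.createScreenCapture, the capture method that java.awt.Robot provides; the class name and the output file name are assumptions. The comments mark the two AWTPermission checks that stop a sandboxed applet from doing this.

```java
import java.awt.AWTException;
import java.awt.GraphicsEnvironment;
import java.awt.Rectangle;
import java.awt.Robot;
import java.awt.Toolkit;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;
import javax.imageio.ImageIO;

public class ScreenCaptureDemo {  // hypothetical class name

    /** Captures the primary screen and writes it to {@code out} as a PNG file. */
    static BufferedImage capture(File out) throws AWTException, IOException {
        // A server or CI host has no display, so there is nothing to capture.
        if (GraphicsEnvironment.isHeadless()) {
            throw new AWTException("headless environment: no screen to capture");
        }
        // Step 1: a rectangle covering the primary screen.
        Rectangle screen = new Rectangle(Toolkit.getDefaultToolkit().getScreenSize());
        // Steps 2-3: the Robot constructor checks AWTPermission("createRobot") and
        // createScreenCapture checks AWTPermission("readDisplayPixels"). Under a
        // security manager that has not granted them, each throws SecurityException.
        Robot robot = new Robot();
        BufferedImage image = robot.createScreenCapture(screen);
        // Step 4: save the image; ImageIO.write returns false if no writer matches.
        if (!ImageIO.write(image, "png", out)) {
            throw new IOException("no PNG writer available");
        }
        return image;
    }

    public static void main(String[] args) {
        // Assumed default output name when no argument is given.
        File out = new File(args.length > 0 ? args[0] : "screen.png");
        try {
            BufferedImage img = capture(out);
            System.out.printf("wrote %s (%dx%d)%n", out, img.getWidth(), img.getHeight());
        } catch (SecurityException e) {
            // The outcome for code running without the two permissions above.
            System.err.println("denied by security policy: " + e.getMessage());
        } catch (AWTException | IOException e) {
            System.err.println("capture failed: " + e.getMessage());
        }
    }
}
```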
I haven't tried it (I don't want to risk it!!!), but the indications are that Screen Toaster uses a signed applet, and you have to explicitly accept a certificate (which gets added to your browser's trusted cert store) to enable the applet to break out of the normal Java security sandbox. (I'm also taking your word for it that it does use an applet ...)
I would hope that other methods of capturing the user's screen via a web-browser are similarly protected.
I would also like to hope that most users are not crazy enough to install random browser plugins or accept random certificates. But sadly, this is not true.
This whole idea strikes me as being very risky. What is to stop the Screen Toaster guys from taking their own copy of what is on your screen, installing a key-logger, ferreting around for sensitive files, installing a rootkit, etc? And assuming that they are entirely honest, how do you know that their applet doesn't have a security flaw that could be exploited by someone else to do the same thing?