I'm facing a problem when executing code that is part of an applet loaded in my browser. The jar file is generated via a maven build and then I signed the jar with the following command :
jarsigner -keystore MYKEYSTORE -storepass mykeystorepass -keypass mypass library.jar MYALIAS
I activated my Java console when executing the applet. The applet is well launched but when I click on a button that call some piece of code in my applet, I'm getting the following error :
java.lang.IllegalArgumentException: Can not access public package.DataHolder()
(from class package.DataHolder; failed to set access: access denied
("java.lang.reflect.ReflectPermission" "suppressAccessChecks")**
After some investigations I "solved" the problem by adding permissions into the JVM. This may be done more properly in the code but I needed to solve my problem quickly.
Edit the file into java.policy in the JVM by adding all the needed permissions as follow :
grant {
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
Related
When running ./gradlew bundleRelease I get :
Execution failed for task ':app:packageReleaseBundle'.
> java.util.concurrent.ExecutionException: java.lang.RuntimeException: jarsignerfailed with exit code 1 :
jarsigner error: java.lang.RuntimeException: keystore load: keystore password was incorrect
I followed the official doc here: https://facebook.github.io/react-native/docs/signed-apk-android.html
I tried to put the password in :
android/gradle.properties in plaintext as the doc suggests
macOS Keychain for obvious security reason
android/app/build.gradle in plaintext to exclude a variable issue
I was able to assert :
the password passed to android/app/build.gradle was the right one by using java.lang.System.console(password) to print it
the keystore password was the right one by using keytool -list -keystore app/my_key.keystore
when using keychain, the password was also rightfully set and recovered with security find-generic-password -a [username] -s [keychain_password_key_name] -w
I'm out of option here since I don't usually use Java or Gradle.
Given nobody seems to have the answer and after having dug to the end of the web, I found this :
https://blog.pieeatingninjas.be/2018/12/12/fixing-appcenter-android-build-error-usr-bin-jarsigner-failed-with-return-code-1/
The error is misleading and the implementation is wrong (/troll as usual in java).
Trashing the entire build folder and trying again fixed the problem and got gradle's mind straight.
I have being trying to get a clock applet to run on my locate PC outside of netbeans but the when I load the web page to run the applet I get “Application Blocked by Java Security”. Googling I then create a self-signed certificate thinking that would solve the problem.
I opened a command window and changed directory to where the jar and class were and the created the key and certificate.
cd C:\DEV\clock\classes
C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -genkey -alias selfsigned -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks
Enter keystore password: <password>
Re-enter new password: <password>
What is your first and last name?
[Unknown]: PC129.aa.dfdd.nasa.gov (this is fake but matches the pattern I used)
Etc.
C:\DEV\NelsonsPrograms\clock\clock\classes>"C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -selfcert -keystore keystore.jks -alias selfsigned -validity 3650
Enter keystore password: <password>
C:\DEV\NelsonsPrograms\clock\clock\classes>"C:\Program Files\Java\jdk1.8.0_45\bin\jarsigner" -keystore keystore.jks threeClock.jar selfsigned
Enter Passphrase for keystore: selfsigned
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a times tamp, users may not be able to validate this jar after the signer certificate's expiration date (2025-06-21) or after any future revocation date.
I this tried to start the web page again but this time I got “Application Blocked. Your security settings have blocked a self-signed application from running”. I again googled and they all seem to basically say that you need to still add a Java exception for you PC to make the applet run. But all the examples seem to be www.foo.com examples with either a full path name to the web/applet directory, domain name, or full domain name which all seem to be www or http addresses. So what is the correct input for a PC that is not a web server or has a www address setup for it? I don’t think I need the full path to the applet directory included in the exception name since I only saw that in one example.
So lets say this is my PC info: PC129 is the host name. Network: aa.dfdd.nasa.gov
So what should the the exception name be?
The SAs here have no idea since they always add exceptions for web servers that have www web addresses.
The SA finally came by and after lots of combinations we found that adding the following exception to the java site list will allow the applets to run.
file:/C:/DEV/NelsonsPrograms/clock/clock/classes/
The full path name was required to the location where the applet and web page was located otherwise the applet would be blocked.
Correction, while the signed jar is running correctly, web pages that try to just run the XXX.class don't run. The applet is displaying the layout, but nothing is running in it. I think the local input file is being blocked so there is no data to display. So make a jar, self sign it, and run the jar from the web page.
I turned on the java console via Java Control Panel - Advanced tab to see why the aosClock.class version didn't work while the signed clock.jar did and as you can see it’s the security stuff again stopping the applet from working. It’s stopping the applet from reading in the clock time data. Googling seems to indicate that I would have to insert grant code into the applet, but since the signed jar version works fine on my PC I will use that to test. I don't want to add extra stuff that is not needed in the applet when running on a real web server. The jar way also seems to be the standard way to do web applets now anyway.
aosClock: Thread-14: Forcing garbage collection...
Exception in thread "Thread-14" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\DEV\NelsonsPrograms\clock\clock\classes\aqua_aos_times" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkRead(Unknown Source)
at java.io.File.isDirectory(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.initializeHeaders(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.getLastModified(Unknown Source)
at singleClock.run(aosClock.java:679)
I am beginner.it is first applet that i writing
i want run exe application with applet
java code
package appletexample;
import java.io.*;
import java.awt.*;
import java.applet.Applet;
public class Welcome extends Applet {
public void init() {
String execommand = "C:\\windows\\notepad.exe" ;
try {
Process proc = Runtime.getRuntime().exec(execommand) ;
}
catch(IOException ieo) {
System.out.println("Problem starting " + execommand) ;
}
}
}
java.policy.applet
grant {
permission java.security.AllPermission;
};
i run this code in eclipse Run As->Java Applet worked and opened NotePade
but when Export->Jar File(with .classPath,.project,java.policy.applet)
and use in
Html
<applet archive="test.jar" code="appletexample/Welcome.class" width=550 height=300>
in firefox say error access denied ("java.io.FilePermission" "execute")?
how can fix this problem?
download my java and Html code
I assume that you just want to practice how to write a applet.
For development purpose, you can create a keystore and then use it to sign your applet.jar.
Go: Start Menu > Execute > cmd.exe
Input:
cd /
keytool -genkey -dname "cn=CN, ou=OU, o=O, l=L, st=ST, c=C" -alias mykey -keypass mypass -keystore mystore -validity 3650 -storepass mypass
jarsigner -keystore c:\mystore -storepass mypass C:\path\to\applet.jar mykey
Then:
Refresh your HTML page.
As beginner you should start with something much much simpler. When you play with Applets not all security rules apply. But when you come to real world (Browser in your case or, in other terms, sandbox) security rules are in force to prevent your code from harming the host computer.
What you are doing - you are running some program on the client computer when the client opens your web page with an Applet. That what viruses do. People will not want to allow it.
Of course you can the use Signed Applet approach or other ways to run program on another computer, but is it your goal? If it is to learn basics, then run easy stuff. Eventually, you will understand JNLP (Java Web Start) and other methods useful for you and your clients.
I've googled lots of links like oracle and velocity review and stackoverlow too, but still no success.
The point is simple. Jar is signed using:
keytool -genkey -alias signFiles -keystore compstore -keypass bca321 -dname "cn=test" -storepass abc123
jarsigner -keystore compstore -storepass abc123 -keypass bca321 -signedjar SignedJar.jar UnsignedJar.jar signFiles
And it runs perfectly on local machine. But when SignedJar.jar is used like an applet via HTTP(S), even if user accepts certificate (IE or FF or Chrome - no difference), it stops working with:
java.security.AccessControlException: access denied (javax.smartcardio.CardPermission Broadcom Corp Contacted SmartCard 0 connect)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.security.smartcardio.TerminalImpl.connect(Unknown Source)
Yes, it tries to read from smartcard inserted in terminal, and gets an exception on calling connect.
Yes, I've tried this approach too:
AccessController.doPrivileged(new PrivilegedAction() {
...
But with no luck. So where is the catch?
Thanks in advance,
Kirill
I ran into this problem today, java 1.7.0_11, applet jars signed with self-signed certificate added to the list of trusted certificates. It went away when I removed the section in my policy file that granted my applet's codebase all permissions.
After creating public/private keys, creating the associate certificate and signing which one of your applet jars with the certificate you should create a hash for each file in the JAR and sign them with the private key. These hashes, the public key, and the certificate must be added to the META-INF directory of the JAR file alongside the JAR’s manifest.
Here is the command line:
$ jar -tf SignedApplet.jar
See link
I have problem in setup of policy file for applet.I am doing this first time and don't know how to set the policy file for applet in java.Actually I want to give the permission to the applet to write on the file system. for Which I will have to give file permission to the applet
So I make a file named .java.policy and and put the following code in it
grant codeBase "file:/C://res/applet/*" { permission java.io.FilePermission "C:\res\applet\test.txt", "read, write"; };
and save this in users\jindal folder now i set the JAVA_HOME as c:\users\jindal
but still I found the exception that
java.security.AccessControlException: access denied (java.io.FilePermission C:\res\applet\test.txt write)
can any body please help what is wrong or what should i do.And I have to use jdk 1.4
You need to sign your jar file
see also : http://java.sun.com/developer/Books/javaprogramming/JAR/sign/signing.html
You are probably better of signing the jar. Signing the jar elevates the privileges for the applet, which enables file access.
First you need a certificate. You can create a temporary one by:
keytool -genkey -alias certAlias
Sign the jar:
jarsigner -storepass yourPwd -signedjar output.jar in.jar certAlias