I have an applet that receives an XML that serialized a JasperPrint object and print it using printservices. The applet is signed and the certificate is imported in house.
This applet is in a Web application that call it using javascript and it runs in terminals with Windows XP.
The problem is that when you use the applet always displays the prompt to run the application and users have to confirm to print.
Is there any way around this without ever having to confirm?
UPDATE:
i google the problem and i see that applet is dying (like #user3712670 says),
there are another alternative to run java code on client pc from a web page?
i need to use it locally
Short answer: no.
Any settings for those confirmation dialogs are client-side, so there's nothing you can do in your code or on your server to prevent them.
You might be able to get rid of some of them by making your clients change their security settings, but this is probably not advised. And you probably can't get rid of all of them.
You can check the plugin settings for the particular browser you're running, and you can check the Java security settings from the Control Panel.
The real answer is that applets are a dying technology, and trying to make them work is a bit like plugging up the holes in a sinking ship.
Related
So, how much trust do I need to have in a publisher before I run their applet in the web browser?
In other words, I understand that a java applet is run in a sandbox in the browser, but this article suggests that the applet can actually access files stored on the local computer.
Can you please clarify the security limits of a java applet run in a modern browser, such as Firefox 50?
I understand that a java applet is run in a sandbox in the browser, but this article suggests that the applet can actually access files stored on the local computer.
There are potentially three different levels of security available to a Java applet.
The first is as you described 'sandboxed'. They can only access resources from their own server, nothing on your local file system unless they are launched using Java Web Start & will thereby have access to the services of the JNLP API. You might note that two of the services are the FileOpenService / FileSaveService! If the applet goes to use these, the end user will be prompted to permit the action via a dialog that states what the applet is trying to do, and asking for permission to proceed (to show a file chooser & go from there). These services provide back a 'file like' object that is more limited than the normal File API would supply. For example, it will not provide the path to the resource, just it's name and access to the content.
The level up from that can be specified in the launch file - '(J2EE) application client permissions'. This level removes the prompts for use of the JNLP API services.
The highest level of access is obtained by requesting, and being granted, 'all permissions'. Then the applet should have full access to File objects, be able to communicate with servers other than the one that launched it, etc. One of the few things they would still not be permitted to do in this mode is to call System.exit(n) to effectively 'kill the JRE' - this is something that is commonly done in other desktop apps.
But then there are JRE bugs, that screw all that up. Sun, then Oracle, kept stuffing up security so poorly (& regularly) that many browser manufacturers are entirely removing the support for applets (and other embedded objects requiring plug-ins) in web pages.
See Java Plugin support deprecated and Moving to a Plugin-Free Web for more detail.
..how much trust do I need to have in a publisher before I run their applet in the web browser?
I cannot answer for you, but my take would be that I would need to know them personally, and trust completely both their integrity and competence before I'd run their code in any browser I controlled.
Having said that, I don't think I have a single browser installed that even supports applets, and my complete lack of motivation to set something up, is probably a good view on whether I'd allow applets to run on this PC at all.
Today I'm using an applet to modify client-side information, considering the new browsers i have to found out a new workaround to continue modifying file and execute windows command at client-side because some browser are suspending the applet execution.
Any ideia for solution that has allow windows command execution and access file at client side like Activex ?
Applets have always been sitting between webapps and desktop apps. In that sense, what you want to achieve is exactly what every hacker in the world wants to achieve, that is gain access to your computer from a browser. And I think it would fair to say that for that reason, applets are dying and are not coming back from the dead anytime soon.
But unfortunatly some functionalities need applets to run, and what you can do really depends on those functionalities.
Statu-quo
They are still working in IE (not Edge), Firefox and Safari. If you control your clients environment you can maybe still use them as is. But for how long ?
Move to Server
You move your functionalities on the server. In your case, it would probably mean upload files on the server, execute your commands there and send the file back on the client. Javascript and HTML 5 can certainly help here improve the overall user experience.
Move to Desktop
If you are doing some pretty intensive stuff on the client (processing multiple files, accessing resources that cannot be used from a browser, etc), you should consider regrouping this into a desktop app. You can even launch your app from a browser and sends some parameters to it by registering a Custom Protocol Handler, a la iTunes. Again, this is certainly not an easy replacement, as functionalities will often be spread out between the desktop app and the web app, which makes for some interesting scratch head moments trying to link the 2.
I am developing a web application using HTML5, AngularJS, REST Webservices, Java etc. I will be hosting it over company's intranet. I have a peculiar requirement where I need to run exes which are already copied to client machine. The 'run' should be triggered from backend java code and user need not click on any UI link.
I am exploring Java Web Start, but I guess some user interaction in mandatory in it. If some signed content, certificates are required I can do that.
Is this feasible?
What you want is exactly what any virus builder dreams of. Therefor, it has been made VERY difficult. There are only 2 ways in which I think you could do this:
Use a java applet. It needs to be signed perfectly and the security settings in the users browsers need to be lowered. Even then I'm not entirely sure they don't have to click 'accept' somewhere.
Create a browser plugin. You could write a browser plugin, which would allow you to do basically anything you want. You would need to install it everywhere though.
If there is any way of getting around the requirement of running an exe from a web browser, I suggest you take it.
Is there any way to convert self signed certificate to trusted one?
So can I by pass below alert?
I have one applet which trying to run some application on user's machine.
I am using self signed jar.
No, you cannot stop that warning from appearing. It exists exactly for the purpose of preventing developers from doing what you're trying to do, as running executables without permission can be dangerous for the end user's system and personal data.
You have to choose between uninstalling Java or using an older version. Otherwise you have to OK every single JSP page you ever use. Don't ever upgrade your Java because it will reset all of these warnings and you'll have to go through the process all over again. Our internal LAN uses a JSP application as a frontend to our Oracle database, and I have to check this box about 2 - 300 times every time Java is upgraded. I finally installed an older version. If Oracle was trying to make people even more averse to upgrading Java, good job.
Another choice is to open a page, accept and run the application, then leave the page open. Add a new tab open the page again and you wont get the warnings.
I want to read the web address of all open windows. As soon as the window closes, I should know it too.
One way to do this is by asking the user to download a firefox plugin. This plugin should monitor the user web address.
But is this possible? How to go about executing it. I am pretty decent in Java and PHP.
EDIT:
What if the user wants to give permission to access all the websites he or she visits?
I want to display in a visual manner the statistics of the sites being visited by users who grant permission.
As noted, this cannot be done with standard JavaScript/DOM methods that run inside a page, for security and privacy reasons.
You could definitely do it with a Firefox add on, plugin or extension.
I suggest reading the Firefox addons developer guide and the Developer Hub in general. The language used to develop for Firefox is JavaScript.
nsIWindowMediator can be used to enumerate open windows, and properties can be obtained through the nsIDOMWindow objects. As explained here,
"While you can use JavaScript to get child windows opened from the parent window, you cannot get dialogs or windows that have no relation to that window. To overcome this limitation, nsIWindowMediator makes it possible to access all of Firefox's windows."
this likely violates the same origin policy, which rules this out
it basically controls the code so that it does not read anything it did not create
so no spying can be done
No, this would be a major security and privacy issue.
This is definitely a security violation similar to sniffing; and would require certain privileges to run on each platform (such as an activeX or plugin or a privileged applet).
However, this can be done using javascript only the page containing the script it self is responsible for opening windows (meaning not all windows such as window opened by user) - if that is what you are looking for, let me know.