For my education I often have to program math exercises for our site, which will be used in schools.
I had to port a .swf file to java applet, mainly because the .swf ran really slow.
The game/excercise worked fine in both Eclipse and my localhost, but when we put it on the site it always got blocked by Java.
I have read that you need a certificate, but that self signed certificates dont work.
I have tried to do it (Not sure if I was succesful), and the applet was still blocked.
What am I supposed to do to make it work?
Why don't you try Java Web Start instead of applets?
You chan check it at http://www.oracle.com/technetwork/java/javase/applet-migration-139512.html
From https://www.java.com/en/download/help/java_blocked.xml
Java has further enhanced security to make the user system less
vulnerable to external exploits. Starting with Java 7 Update 51, Java
does not allow users to run applications that are not signed
(unsigned), self-signed (not signed by trusted authority) or that are
missing permission attributes.
So, from Java 7 Update 51, users cannot run unsigned application (without a certificate), self-signed application (applications signed with a certificate that doesn't come from trusted authority), or applications missing Permission Attribute.
As the documentation says about self signed applications,
Applications of this type present the highest level of risk because
publisher is not identified and the application may be granted access
to personal data on your computer.
Also, as stated in the documentation, if you can still use self signed applications you need to add it to the exception site list,
As a workaround, you can use the Exception Site list feature to run
the applications blocked by security settings. Adding the URL of the
blocked application to the Exception Site list allows it to run with
some warnings.
I know a real Java Applet on a Website should be officially signed to work properly and have full access. I just want to test the functionality of a java applet on my localhost without buying a certificate. So the question to me is can a self signed Java Applet have full permissions if executed on the localhost?
Yes, but it might involve changing the security settings of the Java plug-in and the browser.
This may be old error but I am stuck here.
I created Java applet to access an Oracle database. I am going to put this applet in Local Network. My applet works fine in Eclipse and Netbeans but when I run through 'appletviewer' it goes at connection string and showing an error:
Error e java.security.AccessControlException: access denied (
"java.util.PropertyPermission" "oracle.net.wallet_location" "read")
I already signed applet using this Oracle technique for Signed Applets.
I used the user of database who has full rights. Also when I run using policy file, it shows the same error.
How do I connect the applet to the database successfully?
The HTML used to load the applet is:
<applet
code=tree.pacg.DrawApplet.class
codebase=c:\tree\pacg
archive=DrawApplet.jar,ojdbc14.jar
height="800"
width="1000">
</applet>
Its solved !!
I signed the ojdbc14.jar file and it works !!
also I create new policy file and gave it 'All' access permission then it also work through 'appletviewer'
Thanks..Thank you sir..
when i run the applet in ie, it show security warning Java has discovered application components that could indicate a secuirty concern.
Something like this?
BTW - if you click No at this point, the code should not be blocked and should therefore run.
But even seeing that dialog is a nuisance. If it can be confusing to developers, it is bound to be confusing to an end user.
See Mixing Signed and Unsigned Code
Ensuring Application and Applet Security for an explanation of this behavior. But see particularly Deploying Signed Applications and Applets Securely Without a Mixed Code Warning for how to allow mixing of unsigned & signed code.
The other alternative - to sign all Jars using the same certificate - also works, but is sometimes forbidden by deployment licenses or other factors.
On signing the code.
Me.
3) ojdbc14.jar needs to be digitally signed when deploying this way. Is ojdbc14.jar digitally signed?
OP.
3) ojdbc14.jar is a oracle database drivers so that they are already signed
..followed 4 hours later by..
I signed the ojdbc14.jar file and it works !!
Why doesn't my Java Applet ask me for permission to start when I open HTML page with it on my localhost?
What is more, the applet starts but it cannot do anything. One of its duties is to connect with a webpage. But it doesn't. In console I can read:
java.security.AccessControlException: access denied (java.net.SocketPermission www.onet.pl:80 connect,resolve)
I guess there is a problem with the security settings of my Java.
It's some time since I programmed my last Applet, but I think you probably need to sign your jars.
The general policy for untrusted (i.e. not signed) applets is that they are only allowed (network-wise) to connect to the server they are loaded from. For applets loaded locally from the file system, this means they can connect localhost.
Asking the user for permission will only occur if either the applet is signed (but then the user gives permission for everything, if there is not a special security policy file) or the applet uses the JNLP functions to request some access (but this is only for local access) - for this, you would need the latest plugin (1.6.0_10 or later).
As Tom mentioned, a remote server can permit applets (and other dynamic web-content like JavaScript, Flash and so on) from other sites to access his server with a cross domain policy file. I'm not sure from which version on the Java plugin implements this, though.
I have a Java Applet inserted on a simple HTML page located at http://localhost:8080/index.html:
<applet id="applet" code="SomeCode.class" archive="lib.jar" Width="1" Height="1"></applet>
The Java Applet has a method that looks similar to the code below:
public void PostStuffToServer() {
String server = "http://localhost:8080/PostHandler.ashx";
URL u = new URL(server);
URLConnection con = u.openConnection();
con.setDoOutput(true);
con.getOutputStream().write(stream.toByteArray());
con.connect();
}
When I execute the applet code from JavaScript like so:
obj = document.getElementById('applet');
obj.getClipboardImageURL();
I get the following error:
access denied (java.net.SocketPermission 127.0.0.1:8080 connect,resolve)
It seems like the Java code resolves the domain localhost to its equivalent IP address and therefore raises a cross domain security restrain. It works fine when I execute the same code from http://127.0.0.1:8080/index.html. The lib.jar file is signed.
Is there anyway to avoid this?
I encountered the same problem after installing Java 6 Update 22. My applet has been online for several years with no reported errors. When I downgrade to version 6 Update 21, everything works perfect. My applet is not signed.
SOLUTION:
It took me ha while to find the cause of the problem. Actually in my case there were several factors causing the security error. The problem was solved by the crossdomain.xml file. The Java applet tried to download the crossdomain file, failed, and did not even bother to display an error in the java console (debug level 5). Java tried to download the file from the ip adress of my domain (http://ip-address/crossdomain.xml), and not the root of my website (http://domain-name/crossdomain.xml). I guess it is better for the security aspect? I then had to configure the webserver to expose the crossdomainfile on the IP address. In my case I have removed the default website in ISS for security reasons, and had to create a new website. I then discovered that the java applet did not work with the crossdomain files i use with flash:
<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*" headers="*"/>
<allow-access-from domain="*" />
</cross-domain-policy>
I had to remove the site-control and allow-http-request-headers-from nodes from the xml file in order to make the applet work.
I think I'm too late, but anyways... Guys you cannot believe how easy a solution this problem has.
The problem is that Java applet code called from JavaScript has only permissions that are the intersection of the JavaScript's code and your applet code - and somehow the JavaScript's permissions are seen as less, which results in this Exception.
Here is what I did: assume you have a function innocentFunc() that throws the java.net.SocketPermission exception, so your code is something like so:
String s = innocentFunc();
Now what you can do is to change it to something like so:
String s = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return innocentFunc();
}
}
);
This AccessController call basically states to the Java Virtual Machine that the code it runs should not obey to the permissions from the call chain, but rather only the caller's permissions in its own.
Of course, you should do something like this only after making sure that this innocentFunc call can't do anything bad, even if invoked by malicious code.
Just to add, there's some stuff here which exactly matches the issue I've been getting - it specifically mentions controlling an applet with JavaScript.
http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html
The fix for CVE-2010-3560 could cause
certain Java applets running in the
new Java Plug-in to stop working if
they are embedded in web pages which
contain JavaScript that calls into
Java in order to perform actions which
require network security permissions.
These applets may fail with a network
security exception under some
circumstances if the name service
which resolved the original web page
URL host name does not return a
matching name as the result of a
reverse address lookup.
Their suggestion is to add a special crazy just-for-Java A record to the DNS, like:
10.11.12.13 foo.bar.com.auth.13.12.11.10.in-addr.arpa
I'm getting the same thing with Update 22, and not Update 21.
I'm using the TinyPlayer applet, which I'm controlling via JavaScript.
I'm loading audio files from the same domain (mydomain.example.com, IP 1.2.3.4) as the page the applet is loading on - everything is referenced using relative URLs.
When I try to play the audio, it fails to play and I get:
access denied (java.net.SocketPermission 1.2.3.4:80 connect,resolve)
Looking at the access logs, I get a request for crossdomain.xml right before this happens. But the catch is that Java isn't asking for a crossdomain.xml from
mydomain.example.com/crossdomain.xml
...but instead from
1.2.3.4/crossdomain.xml
The workaround that seems to work for me is to set up a virtual host that responds for the IP address 1.2.3.4, and give it a crossdomain.xml, so that Java can find the crossdomain.xml in the (wrong) place that it's looking for it.
I just tested with the contents:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...but it's probably possible to make this more restrictive.
With that in there, the audio plays correctly.
IIRC, the JavaScript same-origin policy prevents access to same-host/different-port. The PlugIn's LiveConnect enforces this policy for localhost only.
See: http://download.oracle.com/javase/tutorial/deployment/applet/security.html
Unsigned applets can perform the following operations:
They can make network connections to the host they came from.
If Java does not resolve the originating system to localhost then the applet will not be able to open sockets.
I had the similar issue and it only occurs when I use the "localhost" as a part of the URL for the page with the applet. When I used the URL with the actual host name or IP address as a part of the URL, the problem didn't happen. I am not sure this is a defect for the Java plug-in...
For example when I used the URL like http://localhost:9080/app_id/appletPage the problem occurred but when I use the URL by using the actual IP or host name, the problem did not occur.
I don't think is possible to made the crossdomain.xml file more restrictive, at current time Java applets only support the (domain="*")
see here http://www.oracle.com/technetwork/java/javase/index-135519.html#CROSSDOMAINXML
You should check your virtual directory permissions.
Update from #Kristian above saved my day.
I had access denied (java.net.SocketPermission <server_ip>:<server port> connect,resolve) from an applet in a web application.
There had been change in our DNS, such that the IP of the load-balancer of the application server was not resolving to a name with domain. Therefore the suspected "cross-domain connection" from applet back to server was blocked.
I added crossdomain.xml with
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
to <tomcat-home>/webapps and checked that it is accessible with http://<server name>:<server port>/crossdomain.xml