access denied ("java.io.FilePermission" "execute") - java

I am a beginner. This is the first applet that I am writing.
I want to run an exe application from an applet.
Java code:
package appletexample;

import java.io.*;
import java.awt.*;
import java.applet.Applet;

public class Welcome extends Applet {
    public void init() {
        String execommand = "C:\\windows\\notepad.exe";
        try {
            // Runtime.exec() requires FilePermission "execute" on the command,
            // which sandboxed applets do not have.
            Process proc = Runtime.getRuntime().exec(execommand);
        } catch (IOException ieo) {
            System.out.println("Problem starting " + execommand);
        }
    }
}
java.policy.applet
grant {
    permission java.security.AllPermission;
};
I ran this code in Eclipse with Run As -> Java Applet; it worked and opened Notepad,
but when I Export -> Jar File (with .classpath, .project, java.policy.applet)
and use it in
HTML:
<applet archive="test.jar" code="appletexample/Welcome.class" width=550 height=300>
Firefox reports the error access denied ("java.io.FilePermission" "execute").
How can I fix this problem?
Download my Java and HTML code

I assume that you just want to practice how to write an applet.
For development purposes, you can create a keystore and then use it to sign your applet.jar.
Go: Start Menu > Execute > cmd.exe
Input:
cd /
keytool -genkey -dname "cn=CN, ou=OU, o=O, l=L, st=ST, c=C" -alias mykey -keypass mypass -keystore mystore -validity 3650 -storepass mypass
jarsigner -keystore c:\mystore -storepass mypass C:\path\to\applet.jar mykey
Then:
Refresh your HTML page.

As a beginner you should start with something much, much simpler. When you play with applets, not all security rules apply. But when you come to the real world (the browser in your case or, in other terms, the sandbox), security rules are in force to prevent your code from harming the host computer.
What you are doing is running some program on the client computer when the client opens your web page with an applet. That is what viruses do. People will not want to allow it.
Of course you can use the Signed Applet approach or other ways to run a program on another computer, but is that your goal? If it is to learn the basics, then run easy stuff. Eventually, you will understand JNLP (Java Web Start) and other methods useful for you and your clients.

Related

Java blocking applet execution: access denied

I'm facing a problem when executing code that is part of an applet loaded in my browser. The jar file is generated via a Maven build and then I signed the jar with the following command:
jarsigner -keystore MYKEYSTORE -storepass mykeystorepass -keypass mypass library.jar MYALIAS
I activated my Java console when executing the applet. The applet launches fine, but when I click on a button that calls some piece of code in my applet, I'm getting the following error:
java.lang.IllegalArgumentException: Can not access public package.DataHolder()
(from class package.DataHolder; failed to set access: access denied
("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
After some investigations I "solved" the problem by adding permissions into the JVM. This may be done more properly in the code but I needed to solve my problem quickly.
Edit the java.policy file in the JVM by adding all the needed permissions as follows:
grant {
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
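Added example, not part of the original post: the grant above has no signedBy or codeBase clause, so the permission goes to every class the JVM loads rather than only to the signed applet. This Python sketch flags such unscoped grants in a policy file; the sample policy, its example.invalid URL and keystore path are constructed, and the list of flagged permissions is an assumption of this example.

```python
import re

# One policy entry: "grant" + optional signedBy/codeBase header + { permissions };
# Quoted strings are matched whole so "${user.home}" style targets do not end a block.
GRANT_RE = re.compile(
    r'\bgrant\b(?P<header>(?:"[^"]*"|[^{"])*)\{(?P<body>(?:"[^"]*"|[^}"])*)\}\s*;',
    re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)

# Permissions that defeat the sandbox if every class receives them.
# Illustrative list for this example, not exhaustive. None means "any target".
SANDBOX_BREAKING = {
    "java.security.AllPermission": None,
    "java.lang.reflect.ReflectPermission": {"suppressAccessChecks"},
}

def unscoped_dangerous_grants(policy_text):
    """Return [(permission_class, target)] granted with no signedBy/codeBase/principal."""
    # Drop /* */ blocks and whole-line // comments (keeps "https://" inside strings).
    text = re.sub(r'/\*.*?\*/', '', policy_text, flags=re.S)
    text = re.sub(r'(?m)^\s*//.*$', '', text)
    findings = []
    for grant in GRANT_RE.finditer(text):
        if re.search(r'\b(signedBy|codeBase|principal)\b', grant.group("header"), re.I):
            continue  # scoped to a signer, a code location or a principal
        for cls, target in PERM_RE.findall(grant.group("body")):
            targets = SANDBOX_BREAKING.get(cls, set())
            if targets is None or target in targets:
                findings.append((cls, target))
    return findings

# Constructed sample: the two unscoped grants shown on this page plus a scoped one.
SAMPLE_POLICY = '''
// constructed sample policy
grant {
    permission java.security.AllPermission;
};
grant {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
keystore "file:/C:/placeholder/keystore.jks";
grant signedBy "MYALIAS", codeBase "https://applets.example.invalid/library.jar" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''

if __name__ == "__main__":
    for cls, target in unscoped_dangerous_grants(SAMPLE_POLICY):
        print("granted to all code:", cls, target)
```

Only the first two entries are reported; the third is limited to jars signed by the named alias and loaded from the named codeBase.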

Java applets and setting up an exception for a PC that is not a web server

I have been trying to get a clock applet to run on my local PC outside of NetBeans, but when I load the web page to run the applet I get “Application Blocked by Java Security”. After googling, I then created a self-signed certificate thinking that would solve the problem.
I opened a command window and changed directory to where the jar and class were and then created the key and certificate.
cd C:\DEV\clock\classes
"C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -genkey -alias selfsigned -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks
Enter keystore password: <password>
Re-enter new password: <password>
What is your first and last name?
[Unknown]: PC129.aa.dfdd.nasa.gov (this is fake but matches the pattern I used)
Etc.
C:\DEV\NelsonsPrograms\clock\clock\classes>"C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -selfcert -keystore keystore.jks -alias selfsigned -validity 3650
Enter keystore password: <password>
C:\DEV\NelsonsPrograms\clock\clock\classes>"C:\Program Files\Java\jdk1.8.0_45\bin\jarsigner" -keystore keystore.jks threeClock.jar selfsigned
Enter Passphrase for keystore: selfsigned
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2025-06-21) or after any future revocation date.
I then tried to start the web page again but this time I got “Application Blocked. Your security settings have blocked a self-signed application from running”. I again googled and they all seem to basically say that you still need to add a Java exception for your PC to make the applet run. But all the examples seem to be www.foo.com examples with either a full path name to the web/applet directory, domain name, or full domain name, which all seem to be www or http addresses. So what is the correct input for a PC that is not a web server or has no www address set up for it? I don’t think I need the full path to the applet directory included in the exception name since I only saw that in one example.
So let's say this is my PC info: PC129 is the host name. Network: aa.dfdd.nasa.gov
So what should the exception name be?
The SAs here have no idea since they always add exceptions for web servers that have www web addresses.
The SA finally came by and after lots of combinations we found that adding the following exception to the java site list will allow the applets to run.
file:/C:/DEV/NelsonsPrograms/clock/clock/classes/
The full path name was required to the location where the applet and web page was located otherwise the applet would be blocked.
Correction, while the signed jar is running correctly, web pages that try to just run the XXX.class don't run. The applet is displaying the layout, but nothing is running in it. I think the local input file is being blocked so there is no data to display. So make a jar, self sign it, and run the jar from the web page.
I turned on the java console via Java Control Panel - Advanced tab to see why the aosClock.class version didn't work while the signed clock.jar did and as you can see it’s the security stuff again stopping the applet from working. It’s stopping the applet from reading in the clock time data. Googling seems to indicate that I would have to insert grant code into the applet, but since the signed jar version works fine on my PC I will use that to test. I don't want to add extra stuff that is not needed in the applet when running on a real web server. The jar way also seems to be the standard way to do web applets now anyway.
aosClock: Thread-14: Forcing garbage collection...
Exception in thread "Thread-14" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\DEV\NelsonsPrograms\clock\clock\classes\aqua_aos_times" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkRead(Unknown Source)
at java.io.File.isDirectory(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.initializeHeaders(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.getLastModified(Unknown Source)
at singleClock.run(aosClock.java:679)

InvocationTargetException when using AccessController.doPrivileged in a signed applet

I'm having the following method in an applet which is called via JavaScript
public String getAString()
{
    Object rc = AccessController.doPrivileged(
        new java.security.PrivilegedAction()
        {
            public Object run()
            {
                try
                {
                    return "OK";
                }
                catch (Throwable t)
                {
                    t.printStackTrace();
                    return "ERROR: " + t.getMessage() + " " + t.getCause();
                }
            }
        });
    // Return value
    return rc.toString();
}
The applet is signed using a certificate created with keytool
When I call getAString() it throws the InvocationTargetException.
If I call other methods which don't use the AccessController class, I'm not having this problem.
Also, each time I open the browser I'm asked to allow the applet to run even though the applet is signed.
How can I fix this?
edit
I added a button and now I'm getting more info:
signer information does not match signer information of other classes
in the same package
I'm using a third party archive. In its original form it is unsigned, but I signed it using the same cert (although with different commands).
edit 2
Here is how I sign the jars
keytool -genkey -keystore vkeystore -keyalg rsa -dname "CN=XXX, OU=XXX, O=XXX, L=Atlanta, ST=GA,C=NL" -alias printer -validity 3600 -keypass XXX -storepass XXX
jarsigner -keystore vkeystore -storepass XXX -keypass XXX -signedjar JSPrintS.jar JSPrint.jar printer
jarsigner -keystore vkeystore -storepass XXX -keypass XXX -signedjar jPDFPrintS.jar jPDFPrint.jar printer
JSPrint.jar contains the applet
edit 3
the applet definition is (located in JSPrint.jar)
package Eplatforms;
import java.net.URL;
import java.security.AccessController;
import javax.swing.JApplet;
import java.awt.event.*;
import java.awt.*;
import com.XXX.pdfPrint.PDFPrint;
public class JSPrint extends JApplet implements ActionListener
....
jPDFPrint.jar is a third party jar
EDIT 4
I tried to minimize the problem a bit and I found out that when calling AccessController.doPrivileged from a jar file (even a signed one), I get the following exception:
Exception in thread "main" java.lang.NoClassDefFoundError: TestPrivileges$1
at TestPrivileges.getAString(TestPrivileges.java:14)
at TestPrivileges.main(TestPrivileges.java:7)
Caused by: java.lang.ClassNotFoundException: TestPrivileges$1
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
Here is a testing class:
http://pastebin.com/EgmdwuqL
Notice that calling other methods doesn't raise this exception.
Here is how I compile and run it:
javac TestPrivileges.java
java TestPrivileges
jar cvf TestPrivileges.jar TestPrivileges.class
jarsigner -keystore vkeystore -storepass My0Company -keypass My0Company -signedjar TestPrivilegesS.jar TestPrivileges.jar printer
copy TestPrivilegesS.jar x /Y
copy TestPrivileges.jar x /Y
cd x
java -classpath TestPrivilegesS.jar TestPrivileges
java -classpath TestPrivileges.jar TestPrivileges
cd ..
A quick for vkeystore:
keytool -genkey -keystore vkeystore -keyalg rsa -dname "CN=MyCompany, OU=MyCompany, O=MyCompany, L=Atlanta, ST=GA,C=NL" -alias printer -validity 3600 -keypass My0Company -storepass My0Company
The first run works ok (probably because the class file is in the same directory).
Then I create two archives, one signed and another unsigned. When I run them, I get those errors. Notice the jars are in a separate folder which contains only those jars and no class file.
I am with Andrew on this.
I've created an app that should help us find the code signing issue.
https://gist.github.com/2596125
(Since we don't want to Spam Andrew I've created this.)
With more information that finally came out it seems that you are not packing the TestPrivileges$1 class with the jar.
To fix this do this for jar packing:
jar cvf TestPrivileges.jar TestPrivileges.class TestPrivileges$1.class
New theory
The 3rd party Jar was already signed when you signed it with your certificate. Now there are 2 lots of information on digital keys inside the Jar, which is confusing the JRE.
Either use the original Jar, as it was, or remove the digital signatures and sign it again with your own certificate.
Earlier answer
signer information does not match signer information of other classes in the same package
The actual error is because two jars are considered to be signed with different certificates, even though I'm using the same certificate.
I suspect that the problem comes down to the part of the error/comment that I made bold.
Classes in the same package must be in the same Jar.
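Added example, not part of the original thread: a Python check for the two packaging problems discussed above, a class file that is not covered by the signature and a jar that carries more than one signer. It reads the META-INF/*.SF files and uses their base names as a stand-in for signer identity; it does not verify any signature (jarsigner -verify does that), and the sample jars, class names and digests are constructed.

```python
import io
import zipfile
from collections import defaultdict

def sf_entry_names(sf_text):
    """Entry names listed in a .SF file; wrapped (continuation) lines are joined."""
    unfolded = sf_text.replace("\r\n", "\n").replace("\n ", "")
    return {ln[6:] for ln in unfolded.split("\n") if ln.startswith("Name: ")}

def signers_per_class(jar_bytes):
    """Map each .class entry to the META-INF/*.SF base names that list it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        covered = {n: set() for n in jar.namelist() if n.endswith(".class")}
        for n in jar.namelist():
            if n.upper().startswith("META-INF/") and n.upper().endswith(".SF"):
                for entry in sf_entry_names(jar.read(n).decode("utf-8")):
                    if entry in covered:
                        covered[entry].add(n[9:-3].upper())
    return covered

def package_signer_conflicts(jars):
    """jars: {jar name: bytes}. Packages whose classes carry differing signer sets."""
    groups = defaultdict(lambda: defaultdict(list))
    for jar_name, data in sorted(jars.items()):
        for cls, signers in sorted(signers_per_class(data).items()):
            package = cls.rpartition("/")[0].replace("/", ".")
            groups[package][frozenset(signers)].append(f"{jar_name}!{cls}")
    return {p: dict(g) for p, g in groups.items() if len(g) > 1}

# --- constructed sample jars (placeholder digests, no real signatures) ---
def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def _sf(*names):
    body = "".join(f"Name: {n}\r\nSHA-256-Digest: AAAA\r\n\r\n" for n in names)
    return "Signature-Version: 1.0\r\n\r\n" + body

SAMPLE_JARS = {
    # inner class added after signing, so PRINTER.SF does not list it
    "applet.jar": _jar({"Eplatforms/JSPrint.class": b"", "Eplatforms/JSPrint$1.class": b"",
                        "META-INF/PRINTER.SF": _sf("Eplatforms/JSPrint.class")}),
    # third-party jar that was already signed and then signed a second time
    "thirdparty.jar": _jar({"vendor/Lib.class": b"",
                            "META-INF/VENDOR.SF": _sf("vendor/Lib.class"),
                            "META-INF/PRINTER.SF": _sf("vendor/Lib.class")}),
}
```

package_signer_conflicts(SAMPLE_JARS) reports the Eplatforms package, and signers_per_class on the third-party jar shows two signer names for the same class.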

Self-signed applet doesn't get a full permission

I've googled lots of links like Oracle and Velocity Reviews and Stack Overflow too, but still no success.
The point is simple. Jar is signed using:
keytool -genkey -alias signFiles -keystore compstore -keypass bca321 -dname "cn=test" -storepass abc123
jarsigner -keystore compstore -storepass abc123 -keypass bca321 -signedjar SignedJar.jar UnsignedJar.jar signFiles
And it runs perfectly on local machine. But when SignedJar.jar is used like an applet via HTTP(S), even if user accepts certificate (IE or FF or Chrome - no difference), it stops working with:
java.security.AccessControlException: access denied (javax.smartcardio.CardPermission Broadcom Corp Contacted SmartCard 0 connect)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.security.smartcardio.TerminalImpl.connect(Unknown Source)
Yes, it tries to read from smartcard inserted in terminal, and gets an exception on calling connect.
Yes, I've tried this approach too:
AccessController.doPrivileged(new PrivilegedAction() {
...
But with no luck. So where is the catch?
Thanks in advance,
Kirill
I ran into this problem today, java 1.7.0_11, applet jars signed with self-signed certificate added to the list of trusted certificates. It went away when I removed the section in my policy file that granted my applet's codebase all permissions.
After creating public/private keys, creating the associated certificate and signing each one of your applet jars with the certificate, you should create a hash for each file in the JAR and sign them with the private key. These hashes, the public key, and the certificate must be added to the META-INF directory of the JAR file alongside the JAR’s manifest.
Here is the command line:
$ jar -tf SignedApplet.jar
See link

Import Keystore in order to Sign Applet

One of the security reps at my company gave me a keystore to use when I sign my applet. However, I'm having issues actually importing the keystore. I tried executing the following, but nothing happened... well almost nothing... The keytool application prompted me for my password which I entered and then hit return. The tool responded by placing the cursor on the next line and it just sat there for like 10 minutes at which time I killed the process. I'm assuming that I'm doing something wrong and am hoping that someone can point me in the right direction.
"C:/program files/java/jdk1.6.0_19/bin/keytool" -import -alias company -keystore D:/companysig.jks
Thanks,
Jeremy
If you have a keystore, you can just use that keystore with the jarsigner command. For an example, see here (you inform the keystore to be used for signing, as well as the alias of the key to use):
http://www.owasp.org/index.php/Signing_jar_files_with_jarsigner
When you use the keytool import option, you will be importing a key you specify (that's in a file) to the keystore you specify. If you don't specify the file, the command probably wants to read the key from standard input, and the process was waiting for the key that never arrived. But in any case, in your case I don't see why you'd need to use this.
If you wish to import the whole keystore into another keystore you need to use the importkeystore option:
-importkeystore [-v]
[-srckeystore <srckeystore>] [-destkeystore <destkeystore>]
[-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]
[-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]
[-srcprotected] [-destprotected]
[-srcprovidername <srcprovidername>]
[-destprovidername <destprovidername>]
[-srcalias <srcalias> [-destalias <destalias>]
[-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]
[-noprompt]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]
