I'm developing a Java Applet that must access the visitor's filesystem, so I compressed my .class file into a .jar file with a self-signed cert. When I open the call.html file in my browser (the file where the <applet> HTML tag is located), I accept the security popup, then I get this error in the Java console:
java.security.AccessControlException: access denied (java.io.FilePermission output.txt write)
I'm using a FileInputStream and a FileOutputStream. FileInputStream works but not FileOutputStream, why?
Here's my code:
try {
    AccessController.doPrivileged(
        new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws FileNotFoundException {
                outFile = new FileOutputStream("output.txt");
                inFile = new FileInputStream("input.txt");
                return "test";
            }
        }
    );
} catch (PrivilegedActionException e) {
    throw (FileNotFoundException) e.getException();
}
I've tried many ways to make privileged actions; FileInputStream always works, whereas FileOutputStream doesn't. output.txt is not a read-only file.
Access permission is granted with a policy file, and appletviewer is launched with the policy file to be used for the applet being viewed.
Creating a Policy File
Policy tool is a Java 2 Platform security tool for creating policy files. The Java Tutorial trail on Controlling Applets explains how to use Policy Tool in good detail. Here is the policy file you need to run the applet. You can use Policy tool to create it or copy the text below into an ASCII file.
grant {
    permission java.util.PropertyPermission
        "user.home", "read";
    permission java.io.FilePermission
        "${user.home}/text.txt", "read,write";
};
Here is the full link for applet permissions:
http://java.sun.com/developer/onlineTraining/Programming/BasicJava1/data.html
Related
File file = new File ("D:\\Folder\\Folder2\\");
Desktop desktop = Desktop.getDesktop();
try {
    desktop.open(file);
} catch (IOException e) {
    e.printStackTrace();
}
The following code is supposed to open Folder2, but instead it opens the D:\Folder\Folder2.bat file.
How to fix that?
Opening a folder through Desktop.open() would be delegated to Desktop.browseFileDirectory() (JDK 8/9)
But, as seen in JDK-8233994, that is not supported/implemented for Windows.
So the alternative with explorer.exe is indeed the recommended way:
Process p = new ProcessBuilder("explorer.exe", "/select,D:\\Folder\\Folder2").start();
The Desktop API describes the method open() clearly:
Launches the associated application to open the file. If the specified
file is a directory, the file manager of the current platform is
launched to open it.
Or see the reply of @vonC
I am trying to access the client's temp directory through my applet in my web project.
When I run the applet by itself, it gets the temp dir with no problem.
When I try to get it in my project using JavaScript and calling the applet method, I get an AccessControlException in my JavaScript console. I also get the same exception when I try to read a file under the temp directory.
This is what I see exactly:
java.security.accesscontrolexception access denied (java.util.propertypermission java.io.tmpdir read)
java.security.accesscontrolexception access denied (java.io.filepermission read)
How to solve java.security.AccessControlException?
Simplest solution is just to sign the applet.
final File parentDir = new File("S:\\PDSPopulatingProgram");
parentDir.mkdir();
final String hash = "popupateData";
final String fileName = hash + ".txt";
final File file = new File(parentDir, fileName);
file.createNewFile(); // Creates file PDSPopulatingProgram/popupateData.txt
I am trying to create a file in a folder, but I am getting this exception:
java.security.AccessControlException: Access denied
I am working in a Windows environment. I can create a folder from Windows Explorer, but not from the Java code.
How can I resolve this issue?
Within your <jre location>\lib\security\java.policy try adding:
grant {
    permission java.security.AllPermission;
};
And see if it allows you. If so, you will have to add more granular permissions.
See:
Java 8 Documentation for java.policy files
and
http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html
Although it is not recommended, if you really want to let your web application access a folder outside its deployment directory, you need to add the following permission in the java.policy file (the path is as in the reply of Petey B):
permission java.io.FilePermission "your folder path", "write";
In your case it would be
permission java.io.FilePermission "S:/PDSPopulatingProgram/-", "write";
Here /- means any files or sub-folders inside this folder.
Warning: But by doing this, you are inviting some security risk.
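How far a granular grant such as the "/-" entry above reaches, compared with AllPermission, can be checked without installing a security manager by asking the permission objects directly. This is an added example, not code from the answers; the /data/app paths and the GrantCheck class name are constructed for illustration.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;

public class GrantCheck {
    public static void main(String[] args) {
        // Constructed paths; substitute the directory the code really needs.
        Permissions granular = new Permissions();
        granular.add(new FilePermission("/data/app/-", "write"));   // "/-": every file below, recursively
        granular.add(new FilePermission("/data/app/in/*", "read")); // "/*": direct children only

        // The broad grant used as a first test in java.policy.
        Permissions broad = new Permissions();
        broad.add(new AllPermission());

        Permission[] requests = {
            new FilePermission("/data/app/out/report.txt", "write"), // inside the recursive write grant
            new FilePermission("/data/app/out/report.txt", "read"),  // same file, different action
            new FilePermission("/data/app/in/a.txt", "read"),        // direct child of the read grant
            new FilePermission("/data/app/in/sub/b.txt", "read"),    // one level too deep for "/*"
            new FilePermission("/etc/passwd", "read"),               // outside both grants
            new RuntimePermission("setSecurityManager"),             // not a file permission at all
        };

        // implies() is the same test the access controller applies to a grant.
        for (Permission request : requests) {
            System.out.printf("%-62s granular=%-5b all=%b%n",
                    request, granular.implies(request), broad.implies(request));
        }
    }
}
```

Every row comes out true under AllPermission, while the granular set allows only the write below /data/app and the read of direct children of /data/app/in.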
Just to document it here:
on Windows you need to escape the \ character:
"e:\\directory\\-"
I have a problem setting up a policy file for an applet. I am doing this for the first time and don't know how to set the policy file for an applet in Java. Actually, I want to give the applet permission to write to the file system, for which I will have to give file permission to the applet.
So I made a file named .java.policy and put the following code in it:
grant codeBase "file:/C://res/applet/*" {
    permission java.io.FilePermission "C:\res\applet\test.txt", "read, write";
};
and saved this in the users\jindal folder. Now I set JAVA_HOME to c:\users\jindal,
but I still get the exception:
java.security.AccessControlException: access denied (java.io.FilePermission C:\res\applet\test.txt write)
Can anybody please help: what is wrong, or what should I do? And I have to use JDK 1.4.
You need to sign your jar file
see also : http://java.sun.com/developer/Books/javaprogramming/JAR/sign/signing.html
You are probably better off signing the jar. Signing the jar elevates the privileges for the applet, which enables file access.
First you need a certificate. You can create a temporary one by:
keytool -genkey -alias certAlias
Sign the jar:
jarsigner -storepass yourPwd -signedjar output.jar in.jar certAlias
I have created a simple Java class to test file writes from applets:
update appeared
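import java.applet.Applet;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;

public class localfile extends Applet {
    public localfile() {
        try {
            File f = new File("testfile.txt");
            // Append to testfile.txt, creating it if necessary
            BufferedWriter out = new BufferedWriter(new FileWriter(f, true));
            out.write("test");
            out.close();
        } catch (Exception x) {
            System.err.println(x.toString());
        }
    }
}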
I have created and signed jar:
jar cvf localfile.jar localfile.java
jarsigner localfile.jar yourkey
html looks like:
<applet code="localfile.class" archive="localfile.jar", width=300, height=600>
The error I get every time I run this applet is:
java.lang.SecurityException: trusted loader attempted to load sandboxed resource from file:/home/w/test/
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(CPCallbackHandler.java:308)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(CPCallbackHandler.java:121)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(CPCallbackHandler.java:473)
at sun.plugin2.applet.Plugin2ClassLoader.checkResource(Plugin2ClassLoader.java:701)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Applet2ClassLoader.java:206)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Plugin2ClassLoader.java:520)
at sun.plugin2.applet.Plugin2Manager.createApplet(Plugin2Manager.java:2940)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Plugin2Manager.java:1444)
at java.lang.Thread.run(Thread.java:619)
Exception: java.lang.SecurityException: trusted loader attempted to load sandboxed resource from file:/home/w/test/
What is strange: I have created a similar applet to read files and it works OK.
Any thoughts?
I was running this applet in both the browser and applet viewer. What is strange is that the given applet doesn't work in applet viewer and throws an exception, but in the browser it is fine.
java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.policy write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.System.setProperty(System.java:725)
at localfile.<init>(localfile.java:15)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:785)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:714)
at sun.applet.AppletPanel.run(AppletPanel.java:368)
at java.lang.Thread.run(Thread.java:619)
So, beside this strange behaviour I consider my problem solved. Thanks everyone:)
Did you provide a policy to allow reading files from the filesystem?
Seems that you only signed the jar but didn't use policytool.
With some finagling, you can include a policy file in a jar. Refer to the SO question jar policy file for more information.
Otherwise, consider making a Java WebStart application, which can read/write files more easily.
http://java.sun.com/docs/books/tutorial/security/tour1/step2.html
This should help you out with creating the policy file and associating with your code base
I know this is quite late, but just to help whoever looks up this error:
Using Ant, multiple jars can be signed in one shot, for example java-comm.jar etc.
<target name="applet.sign" description="Sign the applet jars">
    <!-- signjar's jar attribute names a single file; a nested fileset selects several -->
    <signjar storepass="${applet.key.password}"
             keystore="${applet.keystore}"
             alias="${applet.key.alias}"
             keypass="${applet.key.password}">
        <fileset dir="${applet.dir}" includes="*.jar" />
    </signjar>
</target>
This will sign all the jars in the directory.
I believe your problem is that directory including the file you are trying to load is within the codebase where class files and application resources are looked up. So, you end up mixing trusted and untrusted resources, which is not secure. If the applet is hosted on an http, or better https, server then the issue doesn't arise for files.
Note you can use the JNLP APIs for applets to "open" or write files through a file dialog.
Your resource handling leaves the file open in the case of exceptions. Resource handling should be written in the style:
Resource resource = acquire();
try {
    use(resource);
} finally {
    resource.release();
}
In your specific case:
final FileOutputStream rawOut = new FileOutputStream(file);
try {
    ...
    out.flush();
} finally {
    rawOut.close();
}
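The jar command in the question archives localfile.java while the applet tag names localfile.class, so before looking at policy it is worth checking which entries a jar really contains and which of them carry signers. This is an added example, not code from the thread; it uses java.util.jar, and when run without an argument it audits a constructed unsigned jar that mirrors that command (the JarSignerAudit name and the sample contents are assumptions).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class JarSignerAudit {
    /** Maps each non-META-INF entry to its number of code signers, verifying digests on the way. */
    static Map<String, Integer> audit(Path jarPath) throws IOException {
        Map<String, Integer> result = new TreeMap<>();
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) { // true = verify signatures
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are known only after the entry has been read to the end;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                result.put(entry.getName(), signers == null ? 0 : signers.length);
            }
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        Path jarPath;
        if (args.length > 0) {
            jarPath = Paths.get(args[0]);
        } else {
            // Constructed sample: an unsigned jar that holds only the source file.
            jarPath = Files.createTempFile("localfile", ".jar");
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jarPath))) {
                out.putNextEntry(new JarEntry("localfile.java"));
                out.write("public class localfile {}".getBytes());
                out.closeEntry();
            }
        }
        String expected = "localfile.class"; // class named in the <applet> tag
        Map<String, Integer> entries = audit(jarPath);
        entries.forEach((name, n) -> System.out.println((n > 0 ? "SIGNED   " : "UNSIGNED ") + name));
        if (!entries.containsKey(expected)) System.out.println("MISSING  " + expected + " (not in this jar)");
    }
}
```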