I am working on an HTML page that is using Javascript to interact with a Java applet. The HTML page, javascript files, and .jar file for the applet will be deployed locally to a folder on the user's filesystem.
(Implmenting this as a standalone Java application is not an option here; for various reasons I will not explain here).
The applet needs to do local file i/o. As such, I'm attempting to tweek the settings in the user's .java.policy file to permit this.
I have found the following setup is the only one that works:
grant
{
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
This is not ideal, as that it grants all applets permissions to read write all files. Naturally I would prefer to isolate to the particular code base. However I could not find a "grant codeBase" syntax that works.
I have tried:
grant codeBase "file:/C:/Files/FileIOApplet/-" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
grant codeBase "file:///-" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
grant codeBase "file:${user.home}/-"
{
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
This is running using this configuration:
Firefox 3.6.10
Java 1.6 update 25
Windows 7 64 bit
Where I am I going wrong in setting up this .java.policy file?
I am pretty rusty to the Java world, especially working with applets - so your expertise is appreciated!
To connect an Applet with access here are the policy tool settings:
Go to policyTool, you will find it in following path:
java->jdk1.3->bin->policyTool Application
There appears Policy Tool window.
In the Policy Tool window select the "Add Policy Entry" button.
This will take you to Policy Entry window
There enter the CodeBase as "file:/path of your java bin". For example
CodeBase file:/c:/java/jdk1.3/bin/
Now press "Add Permission" button in the Policy Entry window.
This will take you to the "Permissions" window
There Select "All permission" from permission drop down list box.
And click "ok".
Now again press the "Add Permission" button in the Policy Entry window.
Now Select "Select "RunTimepermission" from permission drop down list box.
Now in the Target Name drop down list box select "accessClassInpackage", in the text box enter accessClassInpackage.sun.jdbc.odbc
Now click "ok".
Now click "done" in "Policy Entry" window.
Now in the Policy Entry window file->save
Save it in "bin" of your Java installation.
Remember the name...
for example say..
appletpermission
'save'
Now you have a created policy file for access
Now to compile your java file at the command prompt
javac programname.java
To run your program type the following at the cmd prompt:
appletviewer -J-Djava.security.policy=appletpermission programname.java
Now everything is done.
don't waste your time with syntax, use the policy tool instead :
click here : Policy Tool
Related
I am investigating java security manager. I see that 'grant' is required attribute for *.policy file and it is global. But how it will behave in case if I add 'grant codeBase' for the same resoure. For example:
grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/log4j-1.2.17.jar!/-" {
permission java.io.FilePermission "${catalina.base}/logs/-", "delete";
};
grant {
permission java.io.FilePermission "${catalina.base}/logs/-", "write";
};
Will log4j-1.2.17.jar has a permission to delete files in the log folder?
Can 'grant codeBase' override 'grant' section?
Thank you!
I've a little java code that writes a string to a file. I've created a .java.policy file in my home directory in ubuntu with the following contents:
/* AUTOMATICALLY GENERATED ON Mon Jun 24 11:27:02 IST 2019*/
/* DO NOT EDIT */
grant codeBase "" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant codeBase "file:/home/ScienceGuy/Desktop/Testing/javasecurity/*" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
When I run my java code, it simply creates the file and writes the string. I expect it to fail because the policy gives it read only access to files. How can I make the policy file work?
I tried to edit the java.security file and check the url.2 line to make sure it points to the policy file. Doesn't help.
I want to implement a security policy file in the following way :-
Restrict access to all files except for files in 3 directories, i.e. if code accesses files from these 3 directories, it should be allowed but file access for any other directory is restricted.
Grant all other permissions to the code base.
How can I proceed for creating policy file for this requirement.
You need to create next policy file (yourPolicy.policy):
grant codeBase "file:/location_of_your_code/-" {
permission java.io.FilePermission "/tmp/f1/*", "read, write";
permission java.io.FilePermission "/tmp/f2/*", "read, write";
permission java.io.FilePermission "/tmp/f3/*", "read, write";
};
And launch your code with next arguments:
java -Djava.security.manager -Djava.security.policy=yourPolicy.policy YourClassName
It will restrict access of your java program to only these three folders.
About requirement “grant all other permissions” it seems that you can’t grant all permissions and override some specific permissions (grant access to only three folders) using java policy syntax. Thus you need explicitly specify all permissions that you want to grant to your application.
I'm learning to use Security Manager, and I'm getting this error when I run my unit tests:
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\[username]\AppData\Local\NetBeans\Cache\7.4\executor-snippets\junitvmwatcher1469887727677239882.properties" "write")
It's simple enough grant permission to that directory. The problem is I run this code on different computers. Ideally, I'd like to do something like this:
permission java.io.FilePermission "*/NetBeans/Cache/7.4/-", "write";
But apparently SecurityManager doesn't recognize wildcard characters at the beginning of the path. I've tried using both an asterisk and a dash. Neither works.
Basically, I'd like to get my tests to run without needing to hard-code an absolute path. Is there another way to achieve this?
You can use property expansion in policy files:
For example, permission java.io.FilePermission "${user.home}", "read";
will expand "${user.home}" to use the value of the "user.home" system property.
Could you set:
permission java.io.FilePermission "${user.home}/AppData/Local/NetBeans/-", "write";
to get what you wanted?
I am very new to Java, just completed a Java fundamentals coarse. already found a lot of answers and help on the diffenrent forums on the web.
I have designed an Applet with sql db access. Running it on NetBeans IDE 7.2.1, it works 100%, but as soon as i run it with a .html file with the NetBeans view command, I get the following error.
äccess denied "java.lang.RuntimePermission" "accessClassInpackage.sun.jdbc.odbc"
I have already added the following lines to the java policy file in the jre directory.
permission java.lang.RuntimePermission "accessClassInPackage.sun.jdbc.odbc", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.jdbc.odbc", "write";
permission java.util.PropertyPermission "file.encoding", "read";
permission java.util.PropertyPermission "file.encoding", "write";
what am i doing wrong, or what is required to run the applet in the browser?
I don't think that applets can open JDBC connections from sandbox. You probably have to sign your applet something like this
http://www.qoppa.com/faq/signapplet.htm