Java Security AccessControlException in Applet - java

I'm running into an issue with my applet. It's supposed to take a URL and parse the HTML there to construct an image. I've gotten it to work in my Eclipse debugger. However, when I try to use it in a web browser I get an AccessControlException. I'm using the jEditorPane.setPage(url) method. Currently both the applet and the URL are hosted on my localhost, and I did self-sign the applet.
java.lang.RuntimeException: java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:80 connect,resolve)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at javax.swing.JEditorPane.getStream(Unknown Source)
at javax.swing.JEditorPane.setPage(Unknown Source)
at javax.swing.JEditorPane.setPage(Unknown Source)
at com.mindbody.printer.PrinterApplet.print(PrinterApplet.java:24)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.javascript.JSInvoke.invoke(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

An unsigned applet is only allowed to connect to the host it came from. And even for signed applets, in methods invoked from less trusted code (like the JavaScript code here), it has only the rights of this code (or more exactly, the intersection of all rights).
To be able to do everything your applet has the rights for, wrap your rights-needing code in AccessController.doPrivileged(...). (But make sure that this cannot do dangerous things when given malicious arguments from outside.)
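An added example, not the asker's PrinterApplet and not code from the answer above: a signed applet whose public method is called from JavaScript, with the network access wrapped in AccessController.doPrivileged and the URL received from the page restricted to the applet's own codebase before it is used. Class and method names are assumed; it targets the Java 8 era applet API (JApplet, getCodeBase) that the question concerns.

```java
import java.io.IOException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.swing.JApplet;
import javax.swing.JEditorPane;

// Added example (not the question's PrinterApplet): a signed applet whose
// public method is invoked from JavaScript via LiveConnect. That call runs
// with the intersection of the applet's and the page's rights, so the
// network access is wrapped in doPrivileged, and the URL supplied from
// outside is validated against the applet's own codebase first.
public class PrivilegedFetchApplet extends JApplet {

    private final JEditorPane pane = new JEditorPane();

    @Override
    public void init() {
        pane.setEditable(false);
        getContentPane().add(pane);
    }

    // Called from the page, e.g. document.getElementById("applet").load("page.html").
    // Returns false instead of throwing so the page gets a clean signal.
    public boolean load(final String relativePath) {
        final URL target;
        try {
            target = resolveWithinCodebase(relativePath);
        } catch (IOException e) {
            return false;   // rejected: outside the codebase or malformed
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws IOException {
                    pane.setPage(target);   // needs SocketPermission connect,resolve
                    return null;
                }
            });
            return true;
        } catch (PrivilegedActionException e) {
            return false;   // e.getCause() is the IOException from setPage
        }
    }

    // Only URLs under the applet's own codebase are accepted, so a hostile
    // page cannot borrow the applet's signature to reach arbitrary hosts.
    URL resolveWithinCodebase(String relativePath) throws IOException {
        URL base = getCodeBase();               // ends with "/" for a directory codebase
        URL resolved = new URL(base, relativePath);
        if (relativePath.contains("..")
                || !resolved.toExternalForm().startsWith(base.toExternalForm())) {
            throw new IOException("URL outside applet codebase: " + relativePath);
        }
        return resolved;
    }
}
```

The prefix check covers absolute URLs ("http://other.example/..."), protocol-relative ones ("//other.example/...") and parent traversal, all of which resolve to something that no longer starts with the codebase; the privileged block contains only the one call that needs the permission, nothing that interprets the untrusted argument.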

Related

Java WebStart java.lang.NullPointerException at java.awt.Window.getWindows

I'm currently attaching to a Java Web Start application (anything from here: https://docs.oracle.com/javase/tutorial/uiswing/examples/misc/index.html#security) using the Java Attach API.
That works without problems, but now I want to iterate over all available Frames using
for (Frame f : java.awt.Frame.getFrames())
But this results in
java.lang.NullPointerException
at java.awt.Window.getWindows(Unknown Source)
at java.awt.Window.getWindows(Unknown Source)
at java.awt.Frame.getFrames(Unknown Source)
at com.asc.screen.scan.javascan.javascanagent.util.GuiWalkerTexasRanger.walkGui(GuiWalkerTexasRanger.java:151)
at com.asc.screen.scan.javascan.javascanagent.ComponentRegistry.initialScan(ComponentRegistry.java:124)
at com.asc.screen.scan.javascan.javascanagent.ComponentRegistry.init(ComponentRegistry.java:76)
at com.asc.screen.scan.javascan.javascanagent.JavaScanAgent.loadFilter(JavaScanAgent.java:291)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
...
Maybe I'm missing something here, but shouldn't it be possible to access all frames within the applet? This method works fine for non-applet applications.
The problem is that the error is thrown inside the Java code, so there is no way for me to avoid or handle this NullPointerException, and I'm not getting any frames back.
Thanks in advance.

Custom SecureClassLoader and permissions in JavaFX Web Start application

I'm migrating an applet-based application into a Web Start application.
In the application a custom ClassLoader is needed in order to fetch resources and classes from different media. It also uses a JavaFX layer on the top.
All permissions are granted to the Web Start application, the manifest is complete and the jar is signed with a valid certificate. In fact, if I don't fetch the classes from the media and load them with the default ClassLoader, everything works. But if I use the custom ClassLoader, we face problems like:
Caused by: java.security.AccessControlException: access denied
("java.net.SocketPermission" "www.mydomain.com:443" "connect,resolve")
For testing purposes, the custom SecureClassLoader grants all permissions. That does not help.
I'm also trying to replace the Security Manager, but I cannot:
java.lang.SecurityException: JVM Shared, not allowed to set security manager
even if I add the parameter to the applet descriptor inside the JNLP:
<param name="separate_jvm" value="true">
I cannot replace the manager.
Can anyone point out what I can do to be able to grant permissions to those classes? It is not possible to change the policy files on the client side.
Here I add the stack trace to show where the calls are coming from:
java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.mydomian.com" "resolve")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.FXAppletSecurityManager.checkConnect(Unknown Source)
at java.net.InetAddress.getAllByName0(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getByName(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.addAccess(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.allowNoAccess(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.FXAppletSecurityManager.checkConnect(Unknown Source)
at java.net.InetAddress.getAllByName0(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getByName(Unknown Source)
at java.net.URLStreamHandler.getHostAddress(Unknown Source)
at java.net.URLStreamHandler.hashCode(Unknown Source)
at java.net.URL.hashCode(Unknown Source)
at java.util.HashMap.hash(Unknown Source)
at java.util.HashMap.get(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler.getDefaultCodeSource(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler.access$1400(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.<init>(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildCallback.openClassPathElement(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildCallback.openClassPathElement(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getCodebaseLookup(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getResourceAsResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassLoader.getResourceAsStream(Unknown Source)
at java.lang.Class.getResourceAsStream(Unknown Source)
at mypackage.Util.readResource(Util.java:42)
at mypackage.CustomClassLoader.encryptedLookup(CustomClassLoader.java:101)
at mypackage.ClassLoader.findClass(CustomClassLoader.java:78)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at customUtil.ParametersGetter.getRole(ParametersGetter.java:80)
at com.application.ModuleConfig.main(ModConfig.java:448)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at mypackage.CustomClassLoader.launch(CustomClassLoader.java:126)
at mypackage.Browser$1.call(Browser.java:54)
at mypackage.Browser$1.call(Browser.java:45)
at javafx.concurrent.Task$TaskCallable.call(Task.java:1423)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Thanks.
Finally the problem was detected.
The system class loader was set as the parent class loader of our custom class loader instead of the class loader that loaded our class loader class.
As a result, other class loaders cascaded by a library of our application were lost in the flow, and that created a conflict in the permission resolution.
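An added example illustrating the fix described in the post above; it is not the asker's mypackage.CustomClassLoader, and the class name, the byte map and the CodeSource parameter are assumptions. It shows a SecureClassLoader that keeps the loader which loaded it as its parent, so delegation still reaches the Web Start or plugin loaders that carry the granted permissions, and that defines classes with the CodeSource their bytes came from, so each class gets a ProtectionDomain the policy can resolve.

```java
import java.security.CodeSource;
import java.security.SecureClassLoader;
import java.util.Map;

// Added example (not the asker's class loader): classes fetched from
// "the media" are kept as name -> bytecode and defined on demand.
public class MediaClassLoader extends SecureClassLoader {

    private final Map<String, byte[]> classBytes;   // hypothetical: bytes fetched by the application
    private final CodeSource source;                // where those bytes came from (signed jar URL + signers)

    public MediaClassLoader(Map<String, byte[]> classBytes, CodeSource source) {
        // The mistake from the post: super(ClassLoader.getSystemClassLoader()).
        // That parent knows nothing about the deploy/plugin loaders, so their
        // classes and their permission grants vanish from the delegation chain.
        // Using the loader that loaded this class keeps the whole chain intact.
        super(MediaClassLoader.class.getClassLoader());
        this.classBytes = classBytes;
        this.source = source;
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] b = classBytes.get(name);
        if (b == null) {
            throw new ClassNotFoundException(name);   // let loadClass report it normally
        }
        // SecureClassLoader.defineClass(name, bytes, off, len, CodeSource) builds the
        // ProtectionDomain from the CodeSource, so policy grants (and signed-jar
        // permissions) apply to the loaded class instead of defaulting to no CodeSource.
        return defineClass(name, b, 0, b.length, source);
    }

    // Parent-first delegation is inherited from ClassLoader.loadClass: a class the
    // parent already provides (JDK, deploy, application jars) is never redefined here,
    // which also avoids "signer information does not match" conflicts.
}
```

Constructing the CodeSource from the real origin of the bytes (for example the URL of the signed jar and the certificates it was verified with) is what lets "all permissions" granted to the application flow through to classes defined by this loader; defining them with a null CodeSource leaves them with whatever the default domain allows.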

Jaas Kerberos Authentication through test AD in virtual environment

I was trying out this example authentication code from Oracle. The only thing I changed is the LoginContext:
try {
lc = new LoginContext("SampleConfig", new TextCallbackHandler());
}
My jaas.conf file looks like this:
SampleConfig {
com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=false;
};
I put the conf file together with the class. However, when I run it, it gives me this error:
C:\AnotherDirectory> java -Djava.security.krb5.realm=corp.example.com -Djava.security.krb5.kdc=corp.example.com -Djava.security.auth.login.config=jaas.conf JaasAcn
at JaasAcn.main(JaasAcn.java:37)
Caused by: java.net.UnknownHostException: corp.example.com
at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java.net.InetAddress$1.lookupAllHostAddr(Unknown Source)
at java.net.InetAddress.getAddressesFromNameService(Unknown Source)
at java.net.InetAddress.getAllByName0(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getByName(Unknown Source)
at sun.security.krb5.internal.UDPClient.<init>(Unknown Source)
at sun.security.krb5.internal.NetClient.getInstance(Unknown Source)
at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
I am running a test AD on a VirtualBox host-only adapter. I guess I did not set up the AD properly, so I used the actual IP address (IPv4) instead.
C:\AnotherDirectory>java -Djava.security.krb5.realm=192.168.56.101 -Djava.security.krb5.kdc=192.168.56.101 -Djava.security.auth.login.config=jaas.config JaasAcn
Kerberos username [Administrator]: dorothy
Kerberos password for dorothy:
javax.security.auth.login.LoginException: null (68)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at JaasAcn.main(JaasAcn.java:37)
Caused by: KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
... 14 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 17 more
class sun.security.krb5.KrbException
dorothy is a normal test user that I created using "Active Directory Users and Computers". Does this account need to be "Administrator" because the prompt says [Administrator]? I have also ticked the "Use Kerberos DES Encryption types" and also the AES 128, 256 support in the user profile.
This is my AD (win 2008 server) setup
C:\> ksetup
default realm = corp.example.com (NT Domain)
No user mappings defined.
How to solve this? I am guessing this is an AD config problem and not a JAAS one? Thanks
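An added example, not Oracle's JaasAcn sample and not an answer that appears on this page: a small JAAS Kerberos client that checks the realm and KDC settings the JVM will use before handing control to Krb5LoginModule, so a DNS or realm problem is reported directly rather than as the UnknownHostException or "null (68)" seen above. Two facts it relies on: Kerberos error code 68 is KDC_ERR_WRONG_REALM (RFC 4120), which is what a KDC returns when the realm in the request (here the IP address used as the realm) is not its realm, and the "[Administrator]" in the prompt is only the default taken from the user.name system property, not a requirement that the account be Administrator. The login configuration name "SampleConfig" matches the jaas.conf in the question; everything else is assumed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;

// Added example (not the Oracle JaasAcn sample): validates the krb5 system
// properties before attempting the JAAS login.
public class KerberosLoginCheck {

    // Run with -Djava.security.auth.login.config=jaas.conf plus either
    // -Djava.security.krb5.realm and -Djava.security.krb5.kdc, or a krb5.conf.
    public static void main(String[] args) throws Exception {
        String realm = System.getProperty("java.security.krb5.realm");
        String kdc = System.getProperty("java.security.krb5.kdc");
        String problem = checkKrb5Settings(realm, kdc);
        if (problem != null) {
            System.err.println("Kerberos configuration problem: " + problem);
            return;
        }
        // Prompts on the console (default user name comes from user.name),
        // then sends an AS-REQ to the KDC for a TGT.
        LoginContext lc = new LoginContext("SampleConfig", new TextCallbackHandler());
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("Authenticated principals: " + subject.getPrincipals());
    }

    // Returns null when the settings look usable, otherwise a description of
    // the problem. Mirrors the conditions behind the two failures in the post.
    static String checkKrb5Settings(String realm, String kdc) {
        if (realm == null || kdc == null) {
            return "both java.security.krb5.realm and java.security.krb5.kdc must be set "
                    + "(or supply a krb5.conf)";
        }
        // The realm is a name, not an address; sending an IP address as the realm
        // makes the KDC answer KDC_ERR_WRONG_REALM (68).
        if (realm.matches("\\d+\\.\\d+\\.\\d+\\.\\d+")) {
            return "realm '" + realm + "' is an IP address; use the AD domain's realm name";
        }
        // Kerberos realm names are case-sensitive and an AD realm is the domain
        // name in upper case (CORP.EXAMPLE.COM for the domain corp.example.com).
        if (!realm.equals(realm.toUpperCase())) {
            return "realm '" + realm + "' is not upper case; AD expects " + realm.toUpperCase();
        }
        try {
            // The same lookup the Kerberos UDP client performs; doing it here
            // gives a direct message instead of a deep UnknownHostException.
            InetAddress.getByName(kdc);
        } catch (UnknownHostException e) {
            return "KDC host '" + kdc + "' does not resolve; fix DNS or the hosts file, "
                    + "or give the KDC's IP address as the kdc value (the realm stays a name)";
        }
        return null;   // settings look usable
    }
}
```

With the setup from the question this reports the IP-address realm first; the combination that matches the post's environment is a realm of CORP.EXAMPLE.COM with the KDC given either as a resolvable host name or as 192.168.56.101.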

Java Applet Error In Browser - java.lang.ExceptionInInitializerError

I'm trying to run my first Java applet in my browser, but when I open the HTML file in which the applet class is embedded, the following error occurs:
java.lang.RuntimeException: java.lang.ExceptionInInitializerError
at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ExceptionInInitializerError
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$12.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$000(Unknown Source)
at java.awt.EventQueue$1.run(Unknown Source)
at java.awt.EventQueue$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at Applet.MAIN.<clinit>(MAIN.java:39)
... 21 more
What should I do to solve this problem?
Here is the entire error block.
Applets have limited permissions. A non-signed applet cannot access the file system or part of the system properties. In your case you tried to access user.dir.
You have the following solutions:
try to avoid using user.dir
sign your applet
do not use applet at all. Use java web start instead.
You're trying to access something you don't have permission to:
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
You can sign your applet
and/or set the permissions in the user's home directory:
http://docs.oracle.com/javase/1.4.2/docs/guide/security/permissions.html
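An added example, not the asker's Applet.MAIN and not from either answer above, of the "avoid using user.dir" option: it shows why the applet never starts (a System.getProperty call in a static initializer throws AccessControlException, and any exception escaping class initialization surfaces as ExceptionInInitializerError) and how to read the property through a guard that falls back to a default in the sandbox. Class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not the asker's class): reading a sandbox-denied property
// in <clinit> kills the class; reading it through a guard does not.
public class SandboxAwareConfig {

    // Unsigned applets may read only a short allowlist of properties
    // (java.version, os.name, file.separator, ...); user.dir is not on it.
    // Evaluated during class initialization, exactly where MAIN.java:39 failed.
    static final String WORK_DIR = readPropertyOrDefault("user.dir", ".");

    // Returns the property value, or the fallback when the property is unset
    // or the security manager denies it.
    static String readPropertyOrDefault(String name, String fallback) {
        try {
            String value = System.getProperty(name);
            return value != null ? value : fallback;
        } catch (SecurityException e) {   // AccessControlException is a subclass
            return fallback;
        }
    }

    // Diagnostic: which of the given properties the current context may read.
    // Useful in init() to see what the sandbox actually allows before relying on it.
    static List<String> readableProperties(String... names) {
        List<String> readable = new ArrayList<>();
        for (String name : names) {
            if (readPropertyOrDefault(name, null) != null) {
                readable.add(name);
            }
        }
        return readable;
    }
}
```

In an unsigned applet readableProperties("java.version", "os.name", "user.dir", "user.home") returns only the first two; the same class run as a plain application returns all four, which is why the asker saw it work outside the browser.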

Incompatible magic value 1010792557 for 1 client only

I have one client getting this error whilst the applet is working properly for a number of other users.
java.lang.ClassFormatError: Incompatible magic value 1010792557 in class file %className%
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.lang.SecurityException: class "%className%"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.preDefineClass(Unknown Source)
at java.lang.ClassLoader.defineClassCond(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$000(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I believe that the magic value represents the start of an XML tag (based on this: Incompatible magic value 1010792557 when trying to run applet embedded in Facelets). The security error occurs after the magic value error and I suspect it's a byproduct of the first problem.
What I can't fathom is why this is happening to one client only.
All clients are using JRE version 1.6.0_24-b07 and IE 8.0.6001.18702.
On the client's machine I have tried clearing the cache, deleting temporary internet files, and deleting temporary internet files via the Java Control Panel. I have also tried deleting the certificate from the javacpl 'trusted certificates' list and even turning off verification from javacpl > Advanced > Security > Mixed Code.
I'm out of ideas and would love to hear any suggestions on what the problem/solution might be.
Oh, the applet is hosted in a Java Wicket project running on Tomcat 7.0.19 via Apache 2.2 (on Windows Server 2008).
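An added diagnostic, not the asker's applet and not an answer that appears on this page. The magic value in the error is the first four bytes of the data the class loader read: 1010792557 is 0x3C3F786D, the ASCII bytes "<?xm", so that client received the start of an XML document where a class file (magic 0xCAFEBABE) was expected, which confirms the asker's reading. The steps tried so far all act on the client's cache; this program instead fetches a class URL and reports what actually comes back (status, content type, leading bytes), which is the check to run from the affected machine, since something between it and Tomcat answering with XML is one way a single client can see this. Class and method names are assumptions; the URL is passed on the command line.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Added example (not the asker's code): decode a ClassFormatError magic value
// and probe what a class URL really serves.
public class ClassMagicCheck {

    static final int CLASS_MAGIC = 0xCAFEBABE;

    // Turns the integer from the error message back into the four bytes the
    // class loader read, rendered as ASCII where printable.
    static String decodeMagic(int magic) {
        StringBuilder ascii = new StringBuilder();
        for (int shift = 24; shift >= 0; shift -= 8) {
            int b = (magic >>> shift) & 0xFF;
            ascii.append(b >= 0x20 && b < 0x7F ? (char) b : '.');
        }
        return String.format("0x%08X (\"%s\")", magic, ascii);
    }

    // Fetches the URL without following redirects (a redirect to a login or
    // proxy page is itself the finding) and reports status, content type and
    // whether the body starts with the class-file magic.
    static String probe(URL classUrl) throws IOException {
        HttpURLConnection c = (HttpURLConnection) classUrl.openConnection();
        c.setInstanceFollowRedirects(false);
        int status = c.getResponseCode();
        String type = c.getContentType();
        if (status != HttpURLConnection.HTTP_OK) {
            return "HTTP " + status + " for " + classUrl + " (Content-Type " + type + ")";
        }
        try (DataInputStream in = new DataInputStream(c.getInputStream())) {
            int magic = in.readInt();   // EOFException if the body is shorter than 4 bytes
            String verdict = magic == CLASS_MAGIC ? "class file" : "NOT a class file";
            return verdict + ": magic " + decodeMagic(magic) + ", Content-Type " + type;
        }
    }

    public static void main(String[] args) throws IOException {
        // The value from the post, decoded; then, if given, a live probe.
        System.out.println(decodeMagic(1010792557));
        if (args.length > 0) {
            System.out.println(probe(new URL(args[0])));
        }
    }
}
```

Run it on the affected client against the exact class URL the plugin requests (the codebase plus the class path, e.g. .../%className%.class with the real name substituted); a "NOT a class file" result with a text or XML content type points at whatever is answering on that client's path rather than at the JRE or the certificate.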
