I have a problem setting up the policy file for an applet. I am doing this for the first time and don't know how to set the policy file for an applet in Java. Actually, I want to give the applet permission to write to the file system, for which I will have to give file permission to the applet.
So I made a file named .java.policy and put the following code in it:
grant codeBase "file:/C://res/applet/*" {
    permission java.io.FilePermission "C:\res\applet\test.txt", "read, write";
};
and saved this in the users\jindal folder. Now I set JAVA_HOME to c:\users\jindal,
but I still get the exception:
java.security.AccessControlException: access denied (java.io.FilePermission C:\res\applet\test.txt write)
Can anybody please help with what is wrong or what I should do? And I have to use JDK 1.4.
You need to sign your jar file.
See also: http://java.sun.com/developer/Books/javaprogramming/JAR/sign/signing.html
You are probably better off signing the jar. Signing the jar elevates the privileges for the applet, which enables file access.
First you need a certificate. You can create a temporary one by:
keytool -genkey -alias certAlias
Sign the jar:
jarsigner -storepass yourPwd -signedjar output.jar in.jar certAlias
In redhat-openjdk:1.8.0, jvm java.policy and custom.policy file's java.version is being effective on the active process
I've configured the Java process to use the Java security manager and it uses Apache server to run the process. So the Apache client looks for "java.version" read permission in the default and/or custom policy file.
I've included the read property permission, yet I'm getting a weird AccessControlException.
The exception I'm seeing is:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
I have the right permissions in place. Property permission entry in jvm/security/java.policy:
permission java.util.PropertyPermission "java.version", "read";
and in custom.policy (-Djava.security.manager -Djava.security.policy=custom.policy; the file path is fully qualified, I just shortened it for better understanding):
permission java.util.PropertyPermission "java.version", "read";
The expectation is to run the Java process without issues, but that's not happening.
Edit 1:
I've also tried enforcing all permissions using the lines below:
grant {
    permission java.security.AllPermission;
};
But it seems like it is still not working. I've also tried using '==' while setting up the policy file, which means:
"If you use
java -Djava.security.manager -Djava.security.policy==someURL SomeApp
(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored."
As per the JDK 8 doc.
Any help is much appreciated.
Looks to me that the policy is not in effect. In case you have multiple JDK releases installed, are you sure that you've modified the default policy for the same release that you are running with? I'd start by granting AllPermissions just to make sure that the policy is in effect, and then focus on the permission line itself.
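One way to carry out the check suggested in the answer above, as an added example that is not code from the thread: a small probe that reports which JVM is running, which policy files are configured, and whether the permissions from the exceptions on this page are granted. The class name PolicyProbe is hypothetical, and a JDK 8 runtime is assumed, as in the question.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.security.Security;
import java.util.PropertyPermission;
import java.util.concurrent.Callable;

// Added diagnostic; PolicyProbe is a hypothetical name. Run it with the same
// java binary and flags as the failing process, for example:
//   java -Djava.security.manager -Djava.security.policy=custom.policy PolicyProbe
public class PolicyProbe {
    // Evaluates a lookup; a denial or failure is reported instead of aborting.
    static String safe(Callable<Object> lookup) {
        try {
            return String.valueOf(lookup.call());
        } catch (Exception e) { // includes SecurityException
            return "<" + e + ">";
        }
    }

    // Asks the installed security manager whether this class holds permission p.
    static String probe(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return "not enforced (no security manager)";
        try {
            sm.checkPermission(p);
            return "granted";
        } catch (SecurityException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        // Which JVM is running, and which code source must a codeBase match?
        for (String k : new String[] {"java.version", "java.home", "java.security.policy"})
            System.out.println(k + " = " + safe(() -> System.getProperty(k)));
        System.out.println("code source = " + safe(() ->
                PolicyProbe.class.getProtectionDomain().getCodeSource().getLocation()));
        // Policy files listed in the java.security properties file.
        for (String k : new String[] {"policy.url.1", "policy.url.2"})
            System.out.println(k + " = " + safe(() -> Security.getProperty(k)));
        // Permissions named in the exceptions quoted on this page.
        Permission[] wanted = {
            new PropertyPermission("java.version", "read"),
            new ReflectPermission("suppressAccessChecks"),
            new FilePermission("C:\\res\\applet\\test.txt", "read,write"),
        };
        for (Permission p : wanted) System.out.println(probe(p) + "  " + p);
    }
}
```

Compare the printed java.home with the installation whose java.policy was edited, and the printed code source with any codeBase in the grant entry. Lookups that the active policy itself forbids are shown as the exception text in angle brackets.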
I'm facing a problem when executing code that is part of an applet loaded in my browser. The jar file is generated via a Maven build and then I signed the jar with the following command:
jarsigner -keystore MYKEYSTORE -storepass mykeystorepass -keypass mypass library.jar MYALIAS
I activated my Java console when executing the applet. The applet launches fine, but when I click on a button that calls some piece of code in my applet, I'm getting the following error:
java.lang.IllegalArgumentException: Can not access public package.DataHolder()
(from class package.DataHolder; failed to set access: access denied
("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
After some investigations I "solved" the problem by adding permissions into the JVM. This may be done more properly in the code but I needed to solve my problem quickly.
Edit the java.policy file in the JVM by adding all the needed permissions as follows:
grant {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
I have been trying to get a clock applet to run on my local PC outside of NetBeans, but when I load the web page to run the applet I get “Application Blocked by Java Security”. Googling, I then created a self-signed certificate, thinking that would solve the problem.
I opened a command window and changed directory to where the jar and class were and then created the key and certificate.
cd C:\DEV\clock\classes
"C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -genkey -alias selfsigned -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks
Enter keystore password: <password>
Re-enter new password: <password>
What is your first and last name?
[Unknown]: PC129.aa.dfdd.nasa.gov (this is fake but matches the pattern I used)
Etc.
C:\DEV\NelsonsPrograms\clock\clock\classes>"C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -selfcert -keystore keystore.jks -alias selfsigned -validity 3650
Enter keystore password: <password>
C:\DEV\NelsonsPrograms\clock\clock\classes>"C:\Program Files\Java\jdk1.8.0_45\bin\jarsigner" -keystore keystore.jks threeClock.jar selfsigned
Enter Passphrase for keystore: selfsigned
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2025-06-21) or after any future revocation date.
I then tried to start the web page again but this time I got “Application Blocked. Your security settings have blocked a self-signed application from running”. I again googled and they all seem to basically say that you still need to add a Java exception for your PC to make the applet run. But all the examples seem to be www.foo.com examples with either a full path name to the web/applet directory, domain name, or full domain name, which all seem to be www or http addresses. So what is the correct input for a PC that is not a web server or has a www address set up for it? I don’t think I need the full path to the applet directory included in the exception name since I only saw that in one example.
So let's say this is my PC info: PC129 is the host name. Network: aa.dfdd.nasa.gov
So what should the exception name be?
The SAs here have no idea since they always add exceptions for web servers that have www web addresses.
The SA finally came by and after lots of combinations we found that adding the following exception to the Java site list will allow the applets to run.
file:/C:/DEV/NelsonsPrograms/clock/clock/classes/
The full path name was required to the location where the applet and web page were located, otherwise the applet would be blocked.
Correction, while the signed jar is running correctly, web pages that try to just run the XXX.class don't run. The applet is displaying the layout, but nothing is running in it. I think the local input file is being blocked so there is no data to display. So make a jar, self sign it, and run the jar from the web page.
I turned on the java console via Java Control Panel - Advanced tab to see why the aosClock.class version didn't work while the signed clock.jar did and as you can see it’s the security stuff again stopping the applet from working. It’s stopping the applet from reading in the clock time data. Googling seems to indicate that I would have to insert grant code into the applet, but since the signed jar version works fine on my PC I will use that to test. I don't want to add extra stuff that is not needed in the applet when running on a real web server. The jar way also seems to be the standard way to do web applets now anyway.
aosClock: Thread-14: Forcing garbage collection...
Exception in thread "Thread-14" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\DEV\NelsonsPrograms\clock\clock\classes\aqua_aos_times" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkRead(Unknown Source)
at java.io.File.isDirectory(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.initializeHeaders(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.getLastModified(Unknown Source)
at singleClock.run(aosClock.java:679)
I've googled lots of links like oracle and velocity review and stackoverflow too, but still no success.
The point is simple. Jar is signed using:
keytool -genkey -alias signFiles -keystore compstore -keypass bca321 -dname "cn=test" -storepass abc123
jarsigner -keystore compstore -storepass abc123 -keypass bca321 -signedjar SignedJar.jar UnsignedJar.jar signFiles
And it runs perfectly on local machine. But when SignedJar.jar is used like an applet via HTTP(S), even if user accepts certificate (IE or FF or Chrome - no difference), it stops working with:
java.security.AccessControlException: access denied (javax.smartcardio.CardPermission Broadcom Corp Contacted SmartCard 0 connect)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at sun.security.smartcardio.TerminalImpl.connect(Unknown Source)
Yes, it tries to read from smartcard inserted in terminal, and gets an exception on calling connect.
Yes, I've tried this approach too:
AccessController.doPrivileged(new PrivilegedAction() {
...
But with no luck. So where is the catch?
Thanks in advance,
Kirill
I ran into this problem today, java 1.7.0_11, applet jars signed with self-signed certificate added to the list of trusted certificates. It went away when I removed the section in my policy file that granted my applet's codebase all permissions.
After creating public/private keys, creating the associated certificate and signing each one of your applet jars with the certificate, you should create a hash for each file in the JAR and sign them with the private key. These hashes, the public key, and the certificate must be added to the META-INF directory of the JAR file alongside the JAR’s manifest.
Here is the command line:
$ jar -tf SignedApplet.jar
See link
I'm running a set of tests on my custom JCE provider implementation (XYZProvider).
Most of my tests are failing with the following error:
java.lang.SecurityException: JCE cannot authenticate the provider XYZProvider
I have installed (i.e. placed provider's jar file) outside of system JRE (I need to stick to this, can't install in JRE) and maybe this is the reason I'm getting this error.
I have tried to search on this error without much success, tried using
grant codeBase "//location of my provider class files" { permission java.security.AllPermission; } in java.security file to give the necessary permission but with no luck.
Have already added the following line in java.security
security.provider.9=com.ingrian.security.nae.XYZProvider
Any ideas?
Thanks.