
    Please Help java.policy signedBy can't access file local

    843811
      I created a keystore and signed the jar for a web applet.
      Running on Tomcat, the applet's access to a local file fails with "access denied".

      I then edited the java.policy file:

      grant {
           permission java.security.AllPermission;
      };

      With this grant the applet can access the file,
      but with signedBy it cannot:

      grant SignedBy fuangchai{
           permission java.security.AllPermission;
      };


      Please help me with an example keystore, applet.jar and java.policy
      that uses signedBy to allow local file access from a web applet.
      Environment: JDK 1.5, JavaScript YUI 2.8, Prototype JS, Tomcat 6
      ---------------------------------------------------------------------------------------------------------------------------------------
      File html
      <!-- Three embeddings of the same applet (object / embed / applet), all
           loading com.arg.aes.test.FileDirectoryBS from app.jar. -->
      <object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
      codebase="http://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab#Version=5,0,0,5"
      width="1" height="1" >
      <param name=code value="com.arg.aes.test.FileDirectoryBS.class" >
      <param name=archive value="app.jar">
      <param name=codebase value="." >
      <param name="type" value="application/x-java-applet;version=1.5">
      <!-- scriptable/mayscript let the page's JavaScript call the applet's
           public methods (initlistfile calls initlistfileInDir()). The file
           paths the script passes are therefore browser-controlled input, and
           the permissions granted to the jar's signer decide what such a page
           can read - keep them no wider than the listing needs. -->
      <param name="scriptable" value="true">
      <param name="mayscript" value="true">
      <param name="debug" value="false">
      <comment>
      <embed name="myApplet" id="myApplet"
      type="application/x-java-applet;version=1.5"
      code="com.arg.aes.test.FileDirectoryBS.class"
      archive="app.jar"
      java_codebase="."
      width="1"
      height="1"
      scriptable="true"
      mayscript="true"
      pluginspage="http://java.sun.com/products/plugin/index.html#download">
      <noembed>
      </noembed>
      </embed>
      </comment>
      </object>
      <!-- Plain <applet> fallback; MAYSCRIPT again exposes the public methods
           to page script. -->
      <applet
      code="com.arg.aes.test.FileDirectoryBS"
      width="1"
      height="1"
      archive="app.jar"
      name="myApplet"
      codebase="."
      MAYSCRIPT="true"
      >
      </applet>

      --------------------------------------------------------------------------------------------------------------------------------
      javascript
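      /**
       * Asks the applet for the default directory listing and renders it
       * with initTableLeft.
       *
       * The applet call is where the sandbox denies access; the alert now
       * carries the actual exception text instead of a fixed "access denied"
       * string, so a denial can be told apart from a JSON or rendering error.
       */
      initlistfile : function() {
          try {
              var list = $("myApplet").initlistfileInDir();
              var jsondata = list.evalJSON();
              initTableLeft(jsondata.listfile);
          } catch (e) {
              alert("Exception : " + e);
          }
      }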
      ---------------------------------------------------------------------------------------------------------------------------------

      import java.applet.Applet;
      import java.io.File;
      import java.security.Permission;
      import java.security.PermissionCollection;
      import java.security.Policy;
      import java.security.ProtectionDomain;
      import java.text.DecimalFormat;
      import java.text.NumberFormat;
      import java.util.ArrayList;
      import java.util.Enumeration;
      import java.util.List;

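      /**
       * Applet that reports local directory contents as JSON strings to the
       * embedding page's JavaScript (the page embeds it with mayscript and
       * calls {@link #initlistfileInDir()}).
       *
       * <p>Because page script can reach every public method, each
       * {@code dirName} argument is browser-controlled input; the permissions
       * granted to the jar's signer, not this class, bound what such a page can
       * read. Access failures are caught, logged to the Java console and
       * reported to the caller as {@code null} (listing) or {@code ""}.
       *
       * @author fuangchai
       */
      public class FileDirectoryBS extends Applet {

          /** Filesystem roots visible to the JVM; may be empty. */
          public static File[] ROOTS = File.listRoots();

          /** Value of {@code user.home}; start directory when no root is visible. */
          public static String HOME = System.getProperty("user.home");

          /**
           * Returns the JSON top-level listing: the roots, or {@code HOME} when
           * no root is visible.
           */
          public String listDir() {
              Object[] top = (ROOTS.length > 0) ? ROOTS : new Object[] { HOME };
              return JsonObj.makeTopDir(top);
          }

          /** Entry point used by the page script: lists the default start directory. */
          public String initlistfileInDir() {
              return listfileInDir(null);
          }

          /**
           * Resolves a null or empty directory name to the default start
           * directory (first root, else {@code HOME}); shared by the listing
           * methods so both apply the same rule.
           */
          private static String resolveStartDir(String dirName) {
              if (dirName == null || dirName.length() == 0) {
                  System.out.println("root = " + ROOTS.length);
                  // ROOTS[0] is guarded by the length check and getPath() does not
                  // throw, so the original try/catch around this line was dead.
                  return (ROOTS.length > 0) ? ROOTS[0].getPath() : HOME;
              }
              return dirName;
          }

          /**
           * Lists directory {@code dirName} as JSON.
           *
           * @param dirName directory path from the page script; null/empty means
           *     the default start directory
           * @return the JSON listing, or {@code null} when the directory cannot
           *     be read
           */
          public String listfileInDir(String dirName) {
              String target = resolveStartDir(dirName);
              System.out.println("#########################");
              DirectoryDescImp obj = makeObjDir(target);
              return (obj == null) ? null : JsonObj.makeDir(obj);
          }

          /**
           * Returns a JSON link entry (name and path) for {@code dirName}.
           *
           * @param dirName directory path from the page script; null/empty means
           *     the default start directory
           * @return the JSON link, or {@code null} on failure
           */
          public String listlinkInDir(String dirName) {
              String target = resolveStartDir(dirName);
              System.out.println("#listlinkInDir#");
              try {
                  // new File(...) never returns null, so the old null check was dead.
                  File obj = new File(target);
                  return JsonObj.makelinkDir(obj.getName(), obj.getPath());
              } catch (Exception e) {
                  // Broad catch kept: the caller's contract is "null on any failure".
                  System.out.println("I can't access a file here! Access Denied!");
                  e.printStackTrace();
                  return null;
              }
          }

          /**
           * Whether {@code f} is an encrypted file. Not implemented yet: always
           * {@code false}.
           */
          public boolean isEnc(File f) {
              // TODO: real detection; every entry is currently reported as not encrypted.
              return false;
          }

          /**
           * Builds the directory description for {@code dirName}.
           *
           * @param dirName directory path; reachable from page script via
           *     {@link #listfileInDir(String)}, so treat as untrusted — whether it
           *     is readable is decided by the applet's granted permissions
           * @return the description, or {@code null} when {@code dirName} is not
           *     a readable directory or access is denied
           */
          public DirectoryDescImp makeObjDir(String dirName) {
              System.out.println("dirName = " + dirName);
              try {
                  File dir = new File(dirName);
                  String[] entries = dir.list();
                  // list() returns null for a non-directory or when the read is
                  // denied; the original dereferenced it (NPE, reported as
                  // "Access Denied"). Report the real reason and return null.
                  if (entries == null) {
                      System.out.println("Not a readable directory: " + dirName);
                      return null;
                  }
                  System.out.println("Dir List = " + entries.length);
                  System.out.println("Dir Name = " + dir.getName());
                  System.out.println("Dir Path = " + dir.getPath());

                  DirectoryDescImp dirDesc = new DirectoryDescImp();
                  dirDesc.setDirName(dir.getName());
                  dirDesc.setDirPath(dir.getPath());

                  List<FileDescImp> list = new ArrayList<FileDescImp>(entries.length);
                  for (String entry : entries) {
                      // The original passed the whole array here (new File(dir, entries)),
                      // which does not compile; each entry is resolved against dir.
                      File f = new File(dir, entry);
                      FileDescImp fDesc = new FileDescImp();
                      fDesc.setFile(f);
                      fDesc.setFileEncrept(isEnc(f));
                      list.add(fDesc);
                  }

                  dirDesc.setListfile(list);
                  return dirDesc;
              } catch (Exception e) {
                  // SecurityException (sandbox denial) is unchecked; the broad catch
                  // is kept so the caller still gets null on any failure.
                  System.out.println("I can't access a file here! Access Denied!");
                  e.printStackTrace();
                  return null;
              }
          }
      }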


      Thank you
      Fuangchai Jum
      Mail prositronta@gmail.com

      Edited by: prositron on Jan 13, 2010 7:35 AM
        • 1. Re: Please Help java.policy signedBy can't access file local
          843811
          I don't understand why you are modifying a "java.policy" file. If you sign the Applet then it will be able to do just about anything except System.exit().

          P.S. It's a bad idea to include your email address in a posting. It invites loads of spam from email address harvesters.
          • 2. Re: Please Help java.policy signedBy can't access file local
            843811
            The idea: a Java web applet that can encrypt local files.
            It uses:
            1 html set applet
            1 js is connect to applet
            1 keystore to sign jar

            but it cannot access the file with the java.policy I set.

            I am stuck on a working example: generating the key with keytool and using a policy with signedBy.
            I have researched everything but cannot get signedBy to work; I'm at my wits' end T_T
            Thanks for your help
            • 3. Re: Please Help java.policy signedBy can't access file local
              843811
              prositron wrote:
              The idea: a Java web applet that can encrypt local files.
              It uses:
              1 html set applet
              1 js is connect to applet
              1 keystore to sign jar

              but it cannot access the file with the java.policy I set.
              Why do you think you need to do this? If the Applet is signed, this is not necessary.

              >
              I am stuck on a working example: generating the key with keytool and using a policy with signedBy.
              I have researched everything but cannot get signedBy to work; I'm at my wits' end T_T
              Thanks for your help
              • 4. Re: Please Help java.policy signedBy can't access file local
                843811
                Are you sure?

                What about this:
                Message: java.lang.RuntimeException: Applet Error: initKeyStore() - Cannot add security provider - SecurityException
                In my Applet, I'm trying to add security provider:
                Security.addProvider(new sun.security.mscapi.SunMSCAPI());
                • 5. Re: Please Help java.policy signedBy can't access file local
                  843811
                  makinus wrote:
                  Are you sure?

                  What about this:
                  Message: java.lang.RuntimeException: Applet Error: initKeyStore() - Cannot add security provider - SecurityException
                  In my Applet, I'm trying to add security provider:
                  Security.addProvider(new sun.security.mscapi.SunMSCAPI());
                  You might be right about not being able to add a provider using a signed Applet (I have never tried this but I may spend some time investigating this later) but you don't need to add the SunMSCAPI provider since in 1.6 and 1.7 it is already in the java.security file. I have not checked if it is in 1.5 .

                  Edited by: sabre150 on Mar 11, 2010 7:53 PM

                  I have just added
                   Security.addProvider(new sun.security.mscapi.SunMSCAPI());
                  to one of my standard signed Java Applets and on Windows Firefox clients it works without problems. Of course it fails on Linux clients with a java.lang.ClassNotFoundException: sun.security.mscapi.SunMSCAPI
                  since class sun.security.mscapi.SunMSCAPI is not part of the JRE for Linux.
                  • 6. Re: Please Help java.policy signedBy can't access file local
                    EJP
                              catch(e)
                              {
                                   alert("Exception : access denied.");
                                   return;
                              }
                    How do you know what that exception is without displaying it?
                    • 7. Re: Please Help java.policy signedBy can't access file local
                      843811
                      Hi,
                      I tried without adding the provider, but it fails at the next step:
                      keyStore = KeyStore.getInstance("Windows-MY");
                      keyStore.load(null);
                      Java console shows:
                      java.security.AccessControlException: access denied (java.security.SecurityPermission authProvider.SunMSCAPI)
                      and so on...

                      My initial problem was to use some security/crypt operations with Applet, but I wasn't able to perform them without .java.policy modifications.
                      One more interesting and annoying thing is that I wasn't able to use signedBy "myAlias". I don't know why, I tried to import myAlias certificate in different locations.
                      I even tried to reference cacerts keystore
                      keystore "cacerts", "jks"
                      grant signedBy "myAlias" {
                       .................... 
                      }
                      I copied cacerts to the user.home location, where .java.policy resides. But none of the above worked, except when I granted to everything:
                      grant {
                       ................
                      }
                      I know this is not good practice, but for now I don't have a better solution.

                      If you have any suggestion on certificates/key stores or anything else, please share your knowledge.

                      Best regards.

                      Edited by: makinus on Mar 12, 2010 12:41 AM
                      • 8. Re: Please Help java.policy signedBy can't access file local
                        843811
                        Debugging Applets is hell and debugging inside signed Applets is hell squared. All I can suggest is that you create an SSCCE as an application (this should only be about 10 lines of code) and get that going first. The heart of the resulting code can then be used in your Applet. If you arrange it properly, you will be able to use the class you create for the SSCCE directly in the Applet.
                        • 9. Re: Please Help java.policy signedBy can't access file local
                          843811
                          OK,

                          Let's say I have to initialize Environment and call its initEnvironment() method from the Applet's init(). The Environment class:
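                          /**
                           * Holds the Windows certificate store ({@code Windows-MY}, served by
                           * the SunMSCAPI provider) and its aliases for the applet.
                           *
                           * <p>Requires a Windows JRE: {@code sun.security.mscapi.SunMSCAPI} is
                           * not part of the JRE on other platforms (the ClassNotFoundException
                           * reported earlier in this thread). In the applet sandbox the
                           * provider registration and keystore load are what raised the
                           * AccessControlException quoted above, so the required
                           * SecurityPermissions must be granted; a signature alone does not
                           * grant them.
                           */
                          class Environment {

                              private KeyStore keyStore;
                              private Enumeration<String> aliases;

                              /**
                               * Registers SunMSCAPI, opens the Windows-MY keystore and caches its
                               * aliases.
                               *
                               * <p>The original declared no {@code throws} clause, so the checked
                               * exceptions from {@code getInstance}/{@code load}/{@code aliases}
                               * did not compile. They are wrapped here so the method can still be
                               * called from {@code init()}, with the cause preserved.
                               *
                               * @throws IllegalStateException if the keystore cannot be obtained
                               *     or loaded
                               * @throws SecurityException if the sandbox denies the provider
                               *     registration (unchecked, propagated unchanged)
                               */
                              public void initEnvironment() {
                                  Security.addProvider(new sun.security.mscapi.SunMSCAPI());
                                  try {
                                      KeyStore store = KeyStore.getInstance("Windows-MY");
                                      store.load(null);
                                      // Fields are assigned only once both steps succeeded.
                                      keyStore = store;
                                      aliases = store.aliases();
                                  } catch (GeneralSecurityException e) {
                                      throw new IllegalStateException("cannot initialise Windows-MY keystore", e);
                                  } catch (IOException e) {
                                      throw new IllegalStateException("cannot load Windows-MY keystore", e);
                                  }
                              }

                          }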
                          The Applet is signed and I trust the signer.

                          Since Applet is signed I'm able to overwrite existing .java.policy under user.home.

                          This doesn't work if I don't have .java.policy:
                          grant {
                            permission java.security.SecurityPermission "insertProvider.SunMSCAPI";
                            permission java.security.SecurityPermission "authProvider.SunMSCAPI";
                            permission java.util.PropertyPermission "jsr105Provider", "read";
                            permission java.util.PropertyPermission "com.sun.xml.internal.ws.api.pipe.Fiber.serialize", "read";
                            permission java.lang.RuntimePermission "setContextClassLoader";
                            permission java.util.PropertyPermission "com.sun.xml.internal.ws.api.streaming.XMLStreamWriterFactory.noPool", "read";
                            permission java.lang.RuntimePermission "accessDeclaredMembers";
                            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
                            permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.ws.fault";
                            permission java.util.PropertyPermission "com.sun.xml.internal.ws.api.streaming.XMLStreamWriterFactory.woodstox", "read";
                          };
                          P.S.
                          Does it make sense to be able to change the file system but not be able to perform the actions from the above policy?!?!
                          • 10. Re: Please Help java.policy signedBy can't access file local
                            843811
                            makinus wrote:
                            This doesn't work if I don't have .java.policy:
                            Define "doesn't work".
                            • 11. Re: Please Help java.policy signedBy can't access file local
                              843811
                              Sorry, under "doesn't work" I meant Applet throws
                              java.security.AccessControlException
                              • 12. Re: Please Help java.policy signedBy can't access file local
                                843811
                                makinus wrote:
                                Sorry, under "doesn't work" I meant Applet throws
                                java.security.AccessControlException
                                I don't feel I'm getting the whole story. You get a java.security.AccessControlException
                                but from what code?

                                P.S. Are you expecting to update the permissions file in the Applet and then expecting the Applet to be able to use the new permissions?
                                P.P.S. Did you think about creating the SSCCE as I suggested?
                                • 13. Re: Please Help java.policy signedBy can't access file local
                                  843811
                                  After some thought, I feel that you are trying to do something that would breach security. As a client of your Applet, if I have modified my permissions file to disallow general access to a particular resource, then it would be insecure if your Applet (even your signed Applet) could modify the permissions file and change my permissions!
                                  • 14. Re: Please Help java.policy signedBy can't access file local
                                    843811
                                    Yes, that's what I'm pointing to.

                                    If you trust my signed Applet I can change permissions you set.

                                    From my point of view it's absurd to allow a signed Applet to change permissions (or any file) while the same Applet cannot access e.g. the keystore.

                                    Here is the trick:
                                    String userHome = System.getProperties().getProperty("user.home");
                                    FileOutputStream outPolicy = new FileOutputStream(userHome + "/.java.policy");
                                    outPolicy.write(someRandomPolicyBytes);
                                    outPolicy.close();
                                    Policy.getPolicy().refresh();
                                    Your old policy is overwritten.

                                    After this you can do anything you want.