This discussion is archived
1 2 Previous Next 16 Replies Latest reply: Sep 12, 2011 1:16 PM by 844235 RSS

Permission + Policy File + Java Applet

844235 Newbie
Currently Being Moderated
Hi everyone,

I developped a small Java applet for testing purposes.
The aim of the applet is getting data from a MySql database and displayed it into a JLabel.
I use a MySql jdbc layer contained in a Jar file.

I tested the applet locally via Eclipse and it works fine.
Then, I packaged my ".class" files into a Jar file.
I uploaded the resulting Jar file to the server as well as the jdbc Jar file.

I tried to launch the applet located on the server from my web browser (IE9).
An error occured.
I analysed the results in the Java console.
The reason of the problem follows :
I miss a permission grant in my policy file.
The missing line is : permission java.util.PropertyPermission "file.encoding", "read";

For information, the policy file is located at : jre7|lib|security

I do no want to ask the users of my future applet to modify their policy file.
So, I am wondering if there is a way to consider a custom policy file when executing a Java applet.
The custom policy file would be located on the same server as the applet is.

Thanks in advance for your help.
  • 1. Re: Permission + Policy File + Java Applet
    793415 Pro
    Currently Being Moderated
    Digitally sign the code and instruct the end user to OK the trust dialog when prompted. That will get around all the hassles of using a policy file.
  • 2. Re: Permission + Policy File + Java Applet
    844235 Newbie
    Currently Being Moderated
    Andrew Thompson wrote:
    Digitally sign the code and instruct the end user to OK the trust dialog when prompted. That will get around all the hassles of using a policy file.
    Thank you for your answer.

    I do not have a rich experience in Java.
    I do not know what you mean by signing digitally the code.
    Could you give me further explanations ? It would be very helpful.
  • 3. Re: Permission + Policy File + Java Applet
    793415 Pro
    Currently Being Moderated
    841232 wrote:
    ..Thank you for your answer.
    Thanks is well expressed by marking posts helpful or correct.

    BTW - do you use an IDE?

    Edited by: Andrew Thompson on Sep 11, 2011 7:53 PM
  • 4. Re: Permission + Policy File + Java Applet
    EJP Guru
    Currently Being Moderated
    I do not know what you mean by signing digitally the code.
    See the Javadoc for the jarsigner tool.
  • 5. Re: Permission + Policy File + Java Applet
    844235 Newbie
    Currently Being Moderated
    I read some articles found on the web.
    I got information about self-signed applets.
    I learned the necessary steps to create a self-signed applet.

    Converting my applet to a self-signing one seemed to be a good way.
    But, the process includes constraints I can not accept.
    End-users have to perform some tasks manually on their own computer according to the "End Users" section at : [http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html#enduser]

    The only constraint I was ready to accept was prompting a dialog to let the user trust my applet.

    Now, I think about an other technology to achieve my application.
  • 6. Re: Permission + Policy File + Java Applet
    793415 Pro
    Currently Being Moderated
    841232 wrote:
    ..Converting my applet to a self-signing one seemed to be a good way.
    But, the process includes constraints I can not accept.
    You don't follow my prompts, you don't answer my questions, I suspect that trying to help you is a waste of my time. OTOH, I will give one (last) chance.

    1) Visit the sand-boxed form of this properties applet. You might see something like this:

    ||Name||Value||
    |os.arch|x86|
    |os.name|Windows 7|
    |user.home|unknown|
    |user.name|unknown|

    The last two values read <tt>unknown</tt> because that is the applet's way of saying that those last two properties either don't exist or (in this case) are not available to a sand-boxed applet (the applet has no way to distinguish between the two possibilities).

    2) Now visit the signed form of the same applet. Click OK when prompted. You might see something more like this:

    ||Name||Value||
    |os.arch|x86|
    |os.name|Windows 7|
    |user.home|C:\Users\Andrew|
    |user.name|Andrew|

    All the values (including the two trusted properties) are returned as values.

    Now, was that hard for the end user? I don't know what that article was going on about, the author should check their medications. In any case, all the user needs to do is 'OK the signed code when prompted' and the applet is trusted.

    If you want me to continue with this thread, attend to the matters I mentioned earlier.
  • 7. Re: Permission + Policy File + Java Applet
    844235 Newbie
    Currently Being Moderated
    I followed your advice concerning signed applets.
    I just searched information by myself.

    I agree to the fact that clicking OK to trust the applet is acceptable.
    It is a constraint I was ready to accept and I still do.

    In my previous post I mentionned several constraints coming with self-signed applets.
    I do not want to pay for a certification.
    The constraints concern the end-user and are the following ones :
    -> Import Certificate as a Trusted Certificate
    -> Create the Policy File
    This information comes from an official webpage located at : [http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html#enduser]

    On the other hand, I tested the sand-boxed applet and the signed one you mentionned in your post.
    The results are the ones expected.

    I am quite confused.
    The following questions arised in my mind :
    -> Is the signed applet you mentionned a self-signed one ?
    -> Does my policy file allow a signed applet to get information about user.home and user.name ?
    -> Is the information from the Java webpage wrong ?

    Again, I appreciate your past help and I thank you in advance for your future help.
  • 8. Re: Permission + Policy File + Java Applet
    EJP Guru
    Currently Being Moderated
    End-users have to perform some tasks manually on their own computer according to the "End Users" section at : [http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html#enduser]
    The article is incorrect, or at best misleading. It is not necessapy for Ray to import the certificate if it is signed by a CA, or if you don't mind Ray having to press OK in a trust dialog when the applet runs. And he doesn't have to create a .policy file either unless he wants different security constraints on the applet than the default.
    The only constraint I was ready to accept was prompting a dialog to let the user trust my applet.
    Thats all he has to do.
    Now, I think about an other technology to achieve my application
    Unnecessary.
  • 9. Re: Permission + Policy File + Java Applet
    793415 Pro
    Currently Being Moderated
    >

    Before it gets lost in the excitement, I'll ask you again. Do you use an IDE?
    I am quite confused.
    The following questions arised in my mind :
    -> Is the signed applet you mentionned a self-signed one ?
    Yes. It is my applet, and I cannot afford the price that is charged for a properly verified digital certificate from VeriSign.
    -> Does my policy file allow a signed applet to get information about user.home and user.name ?
    Don't use them, don't know, don't care.
    -> Is the information from the Java webpage wrong ?
    I would say 'yes it is wrong'. The information in that page is ludicrous. If it took that much effort to get a signed app. working, it would not be worth it, nor would it be practical.
  • 10. Re: Permission + Policy File + Java Applet
    844235 Newbie
    Currently Being Moderated
    First, I thank both of you for your answers.
    Before it gets lost in the excitement, I'll ask you again. Do you use an IDE?
    Yes I use Eclipse Indigo 3.7

    Now I think I have got enough information to perform a new test.
    I will sign the Jar which needs the following line in the policy file : permission java.util.PropertyPermission "file.encoding", "read";
    But, I will not add the line to the policy file because you told me that is unnecessary.
    I forgot to add that the Jar I will sign is not the Jar which contains my Applet class.
    The Jar I will sign contains MySQL jdbc class.

    As soon as I get results from my new test I will post back to the thread.
  • 11. Re: Permission + Policy File + Java Applet
    EJP Guru
    Currently Being Moderated
    I forgot to add that the Jar I will sign is not the Jar which contains my Applet class.
    The Jar I will sign contains MySQL jdbc class.
    No. You need to sign them all.
  • 12. Re: Permission + Policy File + Java Applet
    793415 Pro
    Currently Being Moderated
    841232 wrote:
    ..I use Eclipse Indigo 3.7
    The reason I asked is that I have a small example of digitally signing an app. at the JNLP API demo. of the File Services. It has an ant build file that creates a self-signed certificate before using it sign the code. Ant build files are easy to import into an IDE. That might give you a start.

    OTOH..
    Now I think I have got enough information to perform a new test.
    ..you do seem to be a motivated learner who takes the initiative. :-)

    BTW - heed EJP's advice and sign all the Jars, it is far less complicated to deploy.
  • 13. Re: Permission + Policy File + Java Applet
    844235 Newbie
    Currently Being Moderated
    My test is done.
    I self-signed my two Jars - the one containing my applet and the one containing the MySQL JDBC ".class" files.
    I uploaded the two self-signed Jars to the web server.
    Then, I loaded my applet through my browser.
    I had to confirm three "Do you trust ..."-like dialogs but at the end I realized that I do not have the permission error anymore :)

    But, at the same time I met another problem.
    My applet does not receive any packets from the MySQL server.
    I wonder if my two self-signed applets can not communicate with a remote machine because it is not the machine where the Jars are located.
    I know that sand-boxed applets can not.

    To Andrew Thomson : Your advice concerning ant build files saved me a lot of time. I created one ant build file via eclipse to automatically generate my Jar and to self-sign my two Jars.
  • 14. Re: Permission + Policy File + Java Applet
    DrClap Expert
    Currently Being Moderated
    841232 wrote:
    But, at the same time I met another problem.
    My applet does not receive any packets from the MySQL server.
    I wonder if my two self-signed applets can not communicate with a remote machine because it is not the machine where the Jars are located.
    I know that sand-boxed applets can not.
    It's equally possible that there is no network path from wherever the applet is running to the MySQL server. (Which in general would be a good thing, because exposing a database server to the Internet can lead to data security problems.)
1 2 Previous Next

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points