Date: Mon, 9 Jan 2012 19:09:36 +0200
From: Achilleas Mantzios <achill@smadev.internal.net>
To: freebsd-java@freebsd.org
Subject: Re: applet security issue
Message-ID: <201201091909.36863.achill@smadev.internal.net>
In-Reply-To: <201201091534.46341.achill@smadev.internal.net>
References: <201201091534.46341.achill@smadev.internal.net>

Solved! I had to manually sign all jars involved.
Also I had tried a packaging scheme like this:

achill@smadev:~/workspace/SMA> jar tvf SMA_APPLETS.jar
  1523 Mon Jan 09 18:55:28 EET 2012 META-INF/MANIFEST.MF
  1517 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.SF
  1100 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.DSA
     0 Mon Jan 09 18:55:30 EET 2012 META-INF/
     0 Mon Jan 09 17:02:06 EET 2012 com/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/web/
     0 Mon Jan 09 17:47:04 EET 2012 com/gatewaynet/web/applets/
  1835 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/DirectoryJApplet.class
   441 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/Photo.class
  1118 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$1.class
   665 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$2.class
   638 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$3.class
  9393 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet.class
   834 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJAppletTest.class
   469 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$1.class
  1011 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$2.class
   427 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
  1552 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker.class
 64667 Mon Jan 09 18:55:10 EET 2012 commons-logging-1.1.1.jar
248764 Mon Jan 09 18:55:26 EET 2012 commons-codec-1.6.jar
290818 Mon Jan 09 16:18:22 EET 2012 commons-httpclient-3.0.1.jar

with META-INF/MANIFEST.MF reading :

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Class-Path: commons-logging-1.1.1.jar commons-codec-1.6.jar commons-ht
 tpclient-3.0.1.jar
Created-By: 20.0-b12 (Sun Microsystems Inc.)

Name: com/gatewaynet/web/applets/PhotoJAppletTest.class
SHA1-Digest: tVdZkLaPBO+2K7sXumm/UFrV33I=

Name: com/gatewaynet/web/applets/PhotoWorker.class
SHA1-Digest: ngl173D/yVdeVBNla7eA/g+pwns=

Name: com/gatewaynet/web/applets/PhotoWorker$1.class
SHA1-Digest: WA31AIKyDPK2YpyNkLVc8l+qyUc=

Name: com/gatewaynet/web/applets/Photo.class
SHA1-Digest: 9javBv5dnwqKgvP8lCRmYw/HvJM=

Name: commons-httpclient-3.0.1.jar
SHA1-Digest: y+YbW9oPtpE966w60dHhdMHJ/yk=

Name: com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
SHA1-Digest: ZJhQ7ihMCWoeehE78Zr4vAE2lic=

Name: com/gatewaynet/web/applets/PhotoJApplet.class
SHA1-Digest: y1hVH2FJi0wjHb10IWdWCq4UYcU=

Name: com/gatewaynet/web/applets/PhotoWorker$2.class
SHA1-Digest: r8xW1aPUaXrwuL6QnPLYkOj+hts=
........

and applet tag like :

<applet name="PhotoJApplet" archive="../SMA_APPLETS.jar"
        code="com.gatewaynet.web.applets.PhotoJApplet.class" MAYSCRIPT width="800" height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>

well, this worked *ONLY* in FreeBSD....
So, when packaging the other 3 apache libs in my applet jar, this worked for
icedtea only, but for no windows plugin (jre 1.5, jre 1.6 U20, jre 1.6 U30).

When I exported the 3 apache libs independently like in :

<applet name="PhotoJApplet"
        archive="../SMA_APPLETS.jar, ../commons-httpclient-3.0.1.jar, ../commons-logging-1.1.1.jar, ../commons-codec-1.6.jar"
        code="com.gatewaynet.web.applets.PhotoJApplet.class" MAYSCRIPT width="800" height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>

all worked fine.....

However, in any case *all* the jars were signed.... Forgetting to do so ended
in errors....

On Mon 09 Jan 2012 15:34:46 Achilleas Mantzios wrote:
> Hello java freebsd-ers!
>
> After struggling for hours in order to even see the digital signature
> security window appearing for my applet (and I did a lot of things,
> bundling all libs in one jar, re-signing, etc...)
> I got to the point where the applet starts, but then gives me a :
> java.security.AccessControlException: access denied (java.io.FilePermission
> /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>
> the stack trace is like :
>
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
>     at java.security.AccessController.checkPermission(AccessController.java:553)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:284)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at java.io.File.isFile(File.java:793)
>     at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:67)
>     at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:88)
>     at org.apache.commons.httpclient.methods.multipart.FilePart.<init>(FilePart.java:178)
>     at com.gatewaynet.web.applets.PhotoJApplet.actionPerformed(PhotoJApplet.java:285)
>
> PhotoJApplet.java:285 reads :
>
> FilePart filePart = new FilePart(thisfile.getName(),thisfile.getName(),thisfile,"image/jpeg",null);
>
> The funny thing is that the very same signed applet reads the contents of
> the /usr/local/jboss-6.0.0.Final/ without problem:
>
> String fname=imgPath + "/"+photos[i].filename;
> ImageIcon icon = new ImageIcon(fname);
>
> It's only when the IO is called from within apache's httpclient that I get
> the problem.
>
> (pls do not get confused, here jboss wears the hat of the dummy firefox
> user, nothing j2ee involved!)
>
>
> Any info would be great.

-- 
Achilleas Mantzios
IT DEPT
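
Added example, not part of the original message: a pre-deployment check for the two packaging conditions the message reports trouble with, jars that carry no signature files and library jars packed inside the applet jar. The function names and the sample jars are assumptions constructed for illustration; the check only looks for the presence of signature files and manifest digests.

```python
import io
import zipfile

def make_jar(files):
    """Build an in-memory jar from {entry name: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def audit_jar(data):
    """Presence check for signature files (no crypto), recursing into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        mf = "META-INF/MANIFEST.MF"
        manifest = z.read(mf).decode() if mf in names else ""
        nested = {n: audit_jar(z.read(n)) for n in names if n.endswith(".jar")}
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    # A manifest line over 72 bytes continues on the next line after one space.
    unfolded = manifest.replace("\r\n", "\n").replace("\n ", "")
    digested, class_path = set(), []
    for section in unfolded.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if any(k.endswith("-Digest") for k in attrs):
            digested.add(attrs.get("Name"))
        class_path += attrs.get("Class-Path", "").split()
    payload = [n for n in names if not n.upper().startswith("META-INF/")]
    return {"signed": any(m.endswith(".SF") for m in meta)
                      and any(m.endswith((".DSA", ".RSA", ".EC")) for m in meta),
            "undigested": sorted(n for n in payload if n not in digested),
            "class_path": class_path, "nested": nested}

def unsigned_jars(name, report):
    """Every jar in the tree that carries no signature files."""
    found = [] if report["signed"] else [name]
    for child, sub in report["nested"].items():
        found += unsigned_jars(name + "!/" + child, sub)
    return found

# Constructed sample shaped like the first packaging scheme in the message.
LIB = make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n\n", "org/Lib.class": "x"})
MANIFEST = ("Manifest-Version: 1.0\nClass-Path: commons-logging-1.1.1.jar "
            "commons-codec-1.6.jar commons-ht\n tpclient-3.0.1.jar\n\n"
            "Name: commons-httpclient-3.0.1.jar\nSHA1-Digest: PLACEHOLDER\n\n")
APPLET = make_jar({"META-INF/MANIFEST.MF": MANIFEST, "META-INF/DYNACOM.SF": "x",
                   "META-INF/DYNACOM.DSA": "x", "commons-httpclient-3.0.1.jar": LIB})
REPORT = audit_jar(APPLET)
```

Run audit_jar on the bytes of every jar named in the applet's archive attribute; whether the signatures themselves are valid is still checked with `jarsigner -verify`.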