Date:      Mon, 9 Jan 2012 19:09:36 +0200
From:      Achilleas Mantzios <achill@smadev.internal.net>
To:        freebsd-java@freebsd.org
Subject:   Re: applet security issue
Message-ID:  <201201091909.36863.achill@smadev.internal.net>
In-Reply-To: <201201091534.46341.achill@smadev.internal.net>
References:  <201201091534.46341.achill@smadev.internal.net>

Solved!

I had to manually sign all jars involved.

Also, I had tried a packaging scheme like this:

achill@smadev:~/workspace/SMA> jar tvf SMA_APPLETS.jar
  1523 Mon Jan 09 18:55:28 EET 2012 META-INF/MANIFEST.MF
  1517 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.SF
  1100 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.DSA
     0 Mon Jan 09 18:55:30 EET 2012 META-INF/
     0 Mon Jan 09 17:02:06 EET 2012 com/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/web/
     0 Mon Jan 09 17:47:04 EET 2012 com/gatewaynet/web/applets/
  1835 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/DirectoryJApplet.class
   441 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/Photo.class
  1118 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$1.class
   665 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$2.class
   638 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$3.class
  9393 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet.class
   834 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJAppletTest.class
   469 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$1.class
  1011 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$2.class
   427 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
  1552 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker.class
 64667 Mon Jan 09 18:55:10 EET 2012 commons-logging-1.1.1.jar
248764 Mon Jan 09 18:55:26 EET 2012 commons-codec-1.6.jar
290818 Mon Jan 09 16:18:22 EET 2012 commons-httpclient-3.0.1.jar

with META-INF/MANIFEST.MF reading:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Class-Path: commons-logging-1.1.1.jar commons-codec-1.6.jar commons-ht
 tpclient-3.0.1.jar
Created-By: 20.0-b12 (Sun Microsystems Inc.)

Name: com/gatewaynet/web/applets/PhotoJAppletTest.class
SHA1-Digest: tVdZkLaPBO+2K7sXumm/UFrV33I=

Name: com/gatewaynet/web/applets/PhotoWorker.class
SHA1-Digest: ngl173D/yVdeVBNla7eA/g+pwns=

Name: com/gatewaynet/web/applets/PhotoWorker$1.class
SHA1-Digest: WA31AIKyDPK2YpyNkLVc8l+qyUc=

Name: com/gatewaynet/web/applets/Photo.class
SHA1-Digest: 9javBv5dnwqKgvP8lCRmYw/HvJM=

Name: commons-httpclient-3.0.1.jar
SHA1-Digest: y+YbW9oPtpE966w60dHhdMHJ/yk=

Name: com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
SHA1-Digest: ZJhQ7ihMCWoeehE78Zr4vAE2lic=

Name: com/gatewaynet/web/applets/PhotoJApplet.class
SHA1-Digest: y1hVH2FJi0wjHb10IWdWCq4UYcU=

Name: com/gatewaynet/web/applets/PhotoWorker$2.class
SHA1-Digest: r8xW1aPUaXrwuL6QnPLYkOj+hts=
........

and an applet tag like:

<applet name="PhotoJApplet"
		archive="../SMA_APPLETS.jar"
		code="com.gatewaynet.web.applets.PhotoJApplet.class"
		MAYSCRIPT
		width="800"
		height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>

Well, this worked *ONLY* in FreeBSD....

So, when packaging the other 3 Apache libs in my applet jar, this worked for
icedtea only, but for none of the Windows plugins (JRE 1.5, JRE 1.6 U20, JRE 1.6 U30).

When I exported the 3 Apache libs independently, like in:

<applet name="PhotoJApplet"
		archive="../SMA_APPLETS.jar, ../commons-httpclient-3.0.1.jar,
../commons-logging-1.1.1.jar, ../commons-codec-1.6.jar"
		code="com.gatewaynet.web.applets.PhotoJApplet.class"
		MAYSCRIPT
		width="800"
		height="300">
<PARAM NAME="ImgPath" VALUE="<%=photopath%>">
<PARAM NAME="cookiename" VALUE="JSESSIONID">
<PARAM NAME="cookievalue" VALUE="<%=session.getId()%>">
<PARAM NAME="cookiehost" VALUE="<%=request.getServerName()%>">
<PARAM NAME="cookieport" VALUE="<%=request.getServerPort()%>">
<PARAM NAME="cookiepath" VALUE="<%=request.getContextPath()%>">
<PARAM NAME="MaxPhotos" VALUE="4">
<PARAM NAME="marinerid" VALUE="<%=id%>">
</applet>

everything worked fine.

However, in any case *all* the jars were signed. Forgetting to do so ended
in errors.

On Mon 09 Jan 2012 15:34:46 Achilleas Mantzios wrote:
> Hello java freebsd-ers!
>
> After struggling for hours in order to even see the digital signature
> security window appearing for my applet (and I did a lot of things,
> bundling all libs in one jar, re-signing, etc...)
> I got to the point where the applet starts, but then gives me a:
> java.security.AccessControlException: access denied (java.io.FilePermission
> /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>
> the stack trace is like:
>
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
>         at java.security.AccessController.checkPermission(AccessController.java:553)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>         at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:284)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>         at java.io.File.isFile(File.java:793)
>         at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:67)
>         at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:88)
>         at org.apache.commons.httpclient.methods.multipart.FilePart.<init>(FilePart.java:178)
>         at com.gatewaynet.web.applets.PhotoJApplet.actionPerformed(PhotoJApplet.java:285)
>
> PhotoJApplet.java:285 reads:
>
> FilePart filePart = new FilePart(thisfile.getName(), thisfile.getName(), thisfile, "image/jpeg", null);
>
> The funny thing is that the very same signed applet reads the contents of
> the /usr/local/jboss-6.0.0.Final/ without problem:
>
> String fname = imgPath + "/" + photos[i].filename;
> ImageIcon icon = new ImageIcon(fname);
>
> It's only when the IO is called from within Apache's httpclient that I get
> the problem.
>
> (please do not get confused, here jboss wears the hat of the dummy firefox
> user, nothing j2ee involved!)
>
>
> Any info would be great.

-- 
Achilleas Mantzios
IT DEPT
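The two findings in this thread (every jar the applet loads must be signed, and jars nested inside the applet archive via a manifest Class-Path were not picked up by the Windows plugins) can be checked before deploying. Below is an added example, written for this page and not code from the thread or from the project it describes: a stand-alone Java checker that opens every archive the applet tag would list, forces the JDK's own signature verification, reports any class or resource entry that carries no code signer or whose digest does not match, flags nested `.jar` entries, and collects the signer subjects so that a mix of signers stands out. The class name `AppletJarCheck` and the output format are my own; it uses only `java.util.jar` and `java.security`.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/**
 * Added example (not part of the original thread). Checks the jars an applet's
 * "archive" attribute names: every non-META-INF entry must be signed and intact,
 * nested .jar entries are reported, and all jars should share one signer.
 */
public class AppletJarCheck {

    /** Returns true if every class/resource entry in the jar is signed and verifies. */
    static boolean check(File jar, Set<String> signersSeen) throws IOException {
        boolean ok = true;
        // verify=true makes JarFile check manifest digests and the .SF/.DSA
        // (or .RSA) signature block as each entry is read.
        JarFile jf = new JarFile(jar, true);
        try {
            Manifest mf = jf.getManifest();
            if (mf == null) {
                System.out.println(jar + ": no manifest, cannot be signed");
                return false;
            }
            String cp = mf.getMainAttributes().getValue(Attributes.Name.CLASS_PATH);
            if (cp != null) {
                System.out.println(jar + ": manifest Class-Path = " + cp);
            }
            Enumeration<JarEntry> en = jf.entries();
            while (en.hasMoreElements()) {
                JarEntry e = en.nextElement();
                String name = e.getName();
                if (e.isDirectory() || name.startsWith("META-INF/")) {
                    continue;
                }
                if (name.endsWith(".jar")) {
                    // The thread found the Windows plugins never loaded these;
                    // list them in the applet's archive attribute and sign each one.
                    System.out.println(jar + ": nested archive " + name);
                }
                // Signers are only known after the entry has been fully read.
                try {
                    InputStream in = jf.getInputStream(e);
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                    in.close();
                } catch (SecurityException se) {
                    // digest in MANIFEST.MF does not match the entry's bytes
                    System.out.println(jar + ": TAMPERED " + name + " (" + se.getMessage() + ")");
                    ok = false;
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println(jar + ": UNSIGNED " + name);
                    ok = false;
                } else {
                    for (CodeSigner s : signers) {
                        X509Certificate c = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                        signersSeen.add(c.getSubjectX500Principal().getName());
                    }
                }
            }
        } finally {
            jf.close();
        }
        return ok;
    }

    public static void main(String[] args) throws IOException {
        // Pass the same jars the applet tag's archive attribute lists.
        Set<String> signers = new LinkedHashSet<String>();
        boolean allOk = true;
        for (String a : args) {
            allOk &= check(new File(a), signers);
        }
        System.out.println("signers seen: " + signers);
        if (signers.size() > 1) {
            System.out.println("WARNING: jars are signed by different signers");
        }
        System.exit(allOk && signers.size() == 1 ? 0 : 1);
    }
}
```

Usage, matching the second applet tag above: `javac AppletJarCheck.java && java AppletJarCheck SMA_APPLETS.jar commons-httpclient-3.0.1.jar commons-logging-1.1.1.jar commons-codec-1.6.jar`. A non-zero exit means the plugin would have had at least one unsigned or differently signed archive to complain about. The check only confirms that each jar is signed and unmodified; whether the signer is trusted is still the plugin's prompt to the user. Note also that a jar signed with SHA-1 digests and a DSA block, as the `DYNACOM.SF`/`DYNACOM.DSA` listing above is, may be reported as unsigned by this check on a current JDK, which disables those algorithms for signed jars through `jdk.jar.disabledAlgorithms`.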


