AccessControlException

Roedy Green

I have been blithely reading files via URL from an Applet. They
worked fine locally, but with Java 1.5 I'm getting
AccessControlExceptions. I should have been getting these all along.

Any comments on this?
--
Bush crime family lost/embezzled $3 trillion from Pentagon.
Complicit Bush-friendly media keeps mum. Rumsfeld confesses on video.
http://www.infowars.com/articles/us/mckinney_grills_rumsfeld.htm

Canadian Mind Products, Roedy Green.
See http://mindprod.com/iraq.html photos of Bush's war crimes
 
Roedy Green

> I have been blithely reading files via URL from an Applet. They
> worked fine locally, but with Java 1.5 I'm getting
> AccessControlExceptions. I should have been getting these all along.
>
> Any comments on this?

Is an unsigned Applet supposed to be able to read arbitrary files from
the server it came from with

url = new URL( getDocumentBase(), "../xxxx.ser" );
URLConnection urlc = (URLConnection)url.openConnection();
urlc.setAllowUserInteraction( false );
urlc.setDoInput( true );
urlc.setDoOutput( false );
urlc.setUseCaches( false );
urlc.connect();
InputStream is = urlc.getInputStream();

Roland

> Is an unsigned Applet supposed to be able to read arbitrary files from
> the server it came from with
>
> url = new URL( getDocumentBase(), "../xxxx.ser" );
> URLConnection urlc = (URLConnection)url.openConnection();
> urlc.setAllowUserInteraction( false );
> urlc.setDoInput( true );
> urlc.setDoOutput( false );
> urlc.setUseCaches( false );
> urlc.connect();
> InputStream is = urlc.getInputStream();

AFAIK, this should be possible. But judging from your question, you seem
to have trouble with it.
I've created a test applet using your code snippet, and hosted on my
local Apache webserver. It works perfectly with JRE 1.5.0_03 (no
AccessControlExceptions).
--
Regards,

Roland de Ruiter
` ___ ___
`/__/ w_/ /__/
/ \ /_/ / \
 
Lucy

Roedy Green said:
> Is an unsigned Applet supposed to be able to read arbitrary files from
> the server it came from with

I was under the impression that the unsigned Applet could be able
to access (read and write) from the server it came from, but only
within the same directory (sub)tree if that is the right word. I.e.
if ~jones has an applet, it cannot access ~smith files.
 
Roland

> I was under the impression that the unsigned Applet could be able
> to access (read and write) from the server it came from, but only
> within the same directory (sub)tree if that is the right word. I.e.
> if ~jones has an applet, it cannot access ~smith files.

This is not the case: an applet is allowed to read a resource at levels
higher than the document base (i.e. where the document containing the
applet resides).

A Java applet has no knowledge of what "~jones" means. That's entirely
defined by the webserver. Though, it is possible that the webserver does
not allow access to resources of "~smith" (for instance because user
"smith" has restricted access rights of his/her files or folders). In
that case the webserver probably would return a 403 (Forbidden) or a 404
(Not Found) response, and the urlc.connect() below would throw an
IOException, rather than the applet throwing an AccessControlException.

--
Regards,

Roland de Ruiter
` ___ ___
`/__/ w_/ /__/
/ \ /_/ / \
 
Lucy

Roland said:
> This is not the case: an applet is allowed to read a resource at levels
> higher than the document base (i.e. where the document containing the
> applet resides).
>
> A Java applet has no knowledge of what "~jones" means. That's entirely
> defined by the webserver. Though, it is possible that the webserver does
> not allow access to resources of "~smith" (for instance because user
> "smith" has restricted access rights of his/her files or folders). In
> that case the webserver probably would return a 403 (Forbidden) or a 404
> (Not Found) response, and the urlc.connect() below would throw an
> IOException, rather than the applet throwing an AccessControlException.

Guess I better go protect my files right away WOWOWOWOWOWOWOW.
And, also, YIPES !!!
 
Roland

> Guess I better go protect my files right away WOWOWOWOWOWOWOW.
> And, also, YIPES !!!

On Unix/Linux systems running a webserver, the URL

http://your.server.com/~yourname/

typically --but not always-- corresponds to the subdirectory
'public_html' in your home directory, e.g.

/usr/home/yourname/public_html/

and not your entire homedir tree:

/usr/home/yourname/

All files in 'public_html' and subdirs are typically readable by the
webserver (otherwise it cannot serve them to some browser, at the other
side of the world, for example). For the remaining files in your homedir
tree you should apply normal access rules, i.e. protecting files from
access by others if you don't want to share them, and less strict
if you do.

I don't have experience with webservers running on a Windows host, but I
guess a similar setup is conceivable, i.e. some subfolder containing
files accessible and served by the webserver, remaining files protected
by normal access rules.
--
Regards,

Roland de Ruiter
` ___ ___
`/__/ w_/ /__/
/ \ /_/ / \
 
John Currier

Even if an applet had those restrictions the "protected" resources
would still be available from any browser not running the applet.

You're probably thinking of the visibility scope of an HTTP session.

John
http://schemaspy.sourceforge.net
 
Lucy

Roland said:
> On Unix/Linux systems running a webserver, the URL
>
> http://your.server.com/~yourname/
>
> typically --but not always-- corresponds to the subdirectory
> 'public_html' in your home directory, e.g.
>
> /usr/home/yourname/public_html/
>
> and not your entire homedir tree:
>
> /usr/home/yourname/
>
> All files in 'public_html' and subdirs are typically readable by the
> webserver (otherwise it cannot serve them to some browser, at the other
> side of the world, for example). For the remaining files in your homedir
> tree you should apply normal access rules, i.e. protecting files from
> access by others if you don't want to share them, and less strict
> if you do.

So it looks like you are saying that anyone can access any of my files
unless I protect each and every one of them. This is the YIKES scenario.
I better run over and protect them all. But wait, since I have access to
everyone else's files, I can just destroy them first.
 
Roland

> So it looks like you are saying that anyone can access any of my files
> unless I protect each and every one of them. This is the YIKES scenario.
> I better run over and protect them all. But wait, since I have access to
> everyone else's files, I can just destroy them first.

Yeah, right on... Eliminate your opponents before they harm you. :cool:

Files that reside on your website (/usr/home/yourname/public_html/)
should be *readable* by others (the webserver in particular), but this
doesn't mean others can --or rather should be allowed to-- replace,
alter or delete them. This is the way you should protect your website
files: readable for others, writable (changeable) only by yourself. For
other files, changeable only by yourself is always recommended, and
readable by others according to the confidentiality of each file.
--
Regards,

Roland de Ruiter
` ___ ___
`/__/ w_/ /__/
/ \ /_/ / \
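
The permission rule from the post above, written as an audit you can run over a home directory (an added example, not part of the original thread). The function name `audit_home` and the output labels are made up for this example, and it assumes the web server reaches your files through the "others" permission bits, with no ACLs involved.

```shell
#!/bin/sh
# Audit a home directory against the rule described in the post:
#   - nothing is writable by anyone but the owner
#   - files under public_html are readable by others (so the server can serve them)
#   - world-readable files outside public_html are listed for a confidentiality review
# "public_html" is the directory name used in the thread; adjust if yours differs.

audit_home() {
    home=$1                      # path without a trailing slash
    web=$home/public_html

    # 1. Group- or world-writable files and directories anywhere in the tree.
    #    Symlinks are skipped: their own mode bits are meaningless.
    find "$home" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE-BY-OTHERS %s\n' {} \;

    # 2. Website content the server cannot read or traverse.
    if [ -d "$web" ]; then
        find "$web" -type f ! -perm -004 -exec printf 'NOT-SERVABLE %s\n' {} \;
        find "$web" -type d ! -perm -005 -exec printf 'NOT-SERVABLE %s\n' {} \;
    fi

    # 3. World-readable files outside the website (public_html is pruned).
    find "$home" -path "$web" -prune -o -type f -perm -004 \
        -exec printf 'WORLD-READABLE %s\n' {} \;
}

# Run against the current user's home when executed with the argument "run".
if [ "${1:-}" = "run" ]; then
    audit_home "${2:-$HOME}"
fi
```

A WORLD-READABLE line is not automatically a problem; it is the list of files to check against how confidential each one is.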
 
Roedy Green

> I have been blithely reading files via URL from an Applet. They
> worked fine locally, but with Java 1.5 I'm getting
> AccessControlExceptions. I should have been getting these all along.

I think I have figured out what is going on. Running the applet
locally the applet is only allowed to access its directories and
descendants. Moving the files into a descendant seems to have cleared
up the problem. It is a nuisance trying to share files.



Is this:

1. what is supposed to happen

2. a Java bug

3. an Opera bug

4. one of those vaguely defined things.

Roedy Green

> I have been blithely reading files via URL from an Applet. They
> worked fine locally, but with Java 1.5 I'm getting
> AccessControlExceptions. I should have been getting these all along.

I have discovered by experiment that when an Applet runs locally, it
is only allowed to read files in the same directory or in a
subdirectory of that directory. It can't read files in the parents or
sibling directories, just child directories. I have not performed the
corresponding experiments on websites. I did my tests with the Opera
browser on Win2K.
