Guest
I am developing an applet which loads data (an astronomical image) via
a DataInputStream / BufferedInputStream / FileInputStream from a URL:
    URL myurl = new URL("http://host/file");
So far for testing I've been using a file residing on the same host
where I'm working (this host is also an apache web server). I'm invoking
the HTML page calling the applet either from appletviewer or firefox.
Now I wanted to use a file on a remote host (the production apache web
server). The remote host is where the actual files already reside.
Currently they are "protected" by .htaccess with a "SetEnvIf Referer",
so that the files can be accessed only if one gets to them from a
predefined set of pages (this is currently used for downloading from an
index page).
For preliminary testing I've disabled the .htaccess.
- QUESTION 1 : how to "relax" applet security ?
when I repointed the URL to the remote host I got an exception
"access denied java.net.SocketPermission remotehost... resolve"
I figured to go around it with the following procedure :
- I manually created a ~/.java.policy file (since policytool seems
not to be working on my system... part of the input areas are in an
inaccessible part of the window !)
- In this I inserted two clauses.
The first one is honoured by the appletviewer
(invoked as appletviewer myApplet.html)
    grant codebase "file:" {
        permission java.net.SocketPermission "*", "accept,connect,resolve" ;
    } ;
The second clause is preliminarily used by browsers
    grant codebase "http://myhost/mypath/" {
        permission java.net.SocketPermission "*", "accept,connect,resolve" ;
    } ;
where /myhost/mypath is where myApplet.html resides
- I haven't found comprehensive documentation on the format of
the policy files. Pointers anybody ?
In particular what should go in place of "*" ? Could it be a
regexp for the URLs to be accessed ? (they will all be of the
form http://remotehost/somefixedpart/variablepart)
Also, if the applet has to be used by anybody else, I should
instruct my users to append to THEIR .java.policy the (final)
content of mine.
This seems a bit inconvenient. Why should each applet user need to
give permission to read something from a remote URL, instead
of being me as administrator of the central server to give
permission to read FROM me ?
Is there an (easy) way to embed granting the permission inside the
applet code ?
- QUESTION 2 : who is the referer of my URL ?
Assuming that the applet has permissions to read from my server
(at worst propagating my .java.policy above), I'd like to re-instate
the .htaccess to let external users access my data files only
- when coming from the download index page (as already set up)
- when coming from some form (as already set up)
- when coming from the applet (invoked by a browser)
- when coming from the applet (invoked by appletviewer)
The last is optional (used during development only)
So my question would be : what will be the Referer for the latter
two cases ?
I've been unable to figure it for the browser case
(myhost\.mydomain\/\.mypath\/myApplet.html seems not to work and
at least during testing I won't be using a stable path), and
I'm not sure the question makes sense for the appletviewer
Provisionally I solved it with
    SetEnvIf Remote_Addr x.y.z.t okapplet
    allow from env=okapplet
where x.y.z.t is the IP address of my host (the host where the
applet code resides ... but is that correct ? Assume that
- user is on machine a.b.c.d
- he calls an HTML page on x.y.z.t (which refers to a
class file also on x.y.z.t) to run the applet
- the applet opens the URL to the remote http server
- will the remote http server see as Remote_Addr x.y.z.t
or a.b.c.d ?
Obviously the first is good (always the same), the second not
(unpredictable a priori)
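
On the question of what can replace "*" in the grants above, an added example (not part of the original post): the SocketPermission target is host[:portrange], where "*" is allowed only as the leftmost label of a DNS name, so it is neither a regular expression nor a URL path. The class below compares the post's "*" grant with one narrowed to a single host and port; the address 192.0.2.10 and the class name are constructed for illustration.

```java
import java.net.SocketPermission;

// Added illustration, not code from the original post.
public class SocketPermissionScope {

    // Constructed address from the documentation range 192.0.2.0/24,
    // standing in for the post's "remotehost"; IP literals keep the
    // comparison free of DNS lookups.
    static final String DATA_SERVER = "192.0.2.10";

    // The grant from the post: any host, any port, including "accept".
    static final SocketPermission BROAD =
        new SocketPermission("*", "accept,connect,resolve");

    // Narrowed grant: one host, port 80, outbound only.
    // Policy-file form:
    //   permission java.net.SocketPermission "192.0.2.10:80", "connect,resolve";
    static final SocketPermission NARROW =
        new SocketPermission(DATA_SERVER + ":80", "connect,resolve");

    /** True if the grant covers the requested host:port and actions. */
    static boolean allows(SocketPermission grant, String target, String actions) {
        return grant.implies(new SocketPermission(target, actions));
    }

    public static void main(String[] args) {
        String[][] requests = {
            {DATA_SERVER + ":80",   "connect"}, // the image download
            {DATA_SERVER + ":8080", "connect"}, // same host, other port
            {"192.0.2.99:80",       "connect"}, // unrelated host
            {DATA_SERVER + ":80",   "accept"},  // inbound connections
        };
        System.out.printf("%-18s %-8s %-6s %-6s%n",
            "target", "action", "broad", "narrow");
        for (String[] r : requests) {
            System.out.printf("%-18s %-8s %-6b %-6b%n",
                r[0], r[1], allows(BROAD, r[0], r[1]), allows(NARROW, r[0], r[1]));
        }
    }
}
```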