Applets: can they connect to external websites? (security.AccessControlException)

NickPick

I get the following error message:
java.security.AccessControlException: access denied
(java.net.SocketPermission ichart.finance.yahoo.com:80
connect,resolve) at java.security.AccessControlContext.checkPermission
(Unknown Source)

My Applet is trying to connect to finance.yahoo.com to download stock
data. It all works fine when I start it from NetBeans but as an applet
there appears to be a permission problem. Is there any way around this
or are applets not allowed to connect to different servers?

thanks
 
Arne Vajhøj

NickPick said:
> I get the following error message:
> java.security.AccessControlException: access denied
> (java.net.SocketPermission ichart.finance.yahoo.com:80
> connect,resolve) at java.security.AccessControlContext.checkPermission
> (Unknown Source)
>
> My Applet is trying to connect to finance.yahoo.com to download stock
> data. It all works fine when I start it from NetBeans but as an applet
> there appears to be a permission problem. Is there any way around this
> or are applets not allowed to connect to different servers?

Applets are only allowed to connect to the site they were fetched
from. For obvious security reasons.

If you sign the applet and the user accepts to give it elevated
privs, then it can do it.

Arne
 
NickPick

> Applets are only allowed to connect to the site they were fetched
> from. For obvious security reasons.
>
> If you sign the applet and the user accepts to give it elevated
> privs, then it can do it.
>
> Arne

Well that's annoying. I wrote this applet that downloads stock prices
from yahoo and displays a chart and now I can't even upload it? Other
than signing the applet, is there a way to deploy it differently
somehow?

many thanks for your help!
 
NickPick

> Well that's annoying. I wrote this applet that downloads stock prices
> from yahoo and displays a chart and now I can't even upload it? Other
> than signing the applet, is there a way to deploy it differently
> somehow?
>
> many thanks for your help!

All right, that's working now. Many thanks for your help! This is the
result: it shows the Dow Jones Industrial of 1929 vs. 2007 until today
in percentage change:
http://www.dickreuter.com/res1.php
 
Richard Maher

Hi Arne,
> Applets are only allowed to connect to the site they were fetched
> from. For obvious security reasons.

I thought that since Java 1.6-10 an Applet could connect to anywhere the
target's policy file(s) let them; is this not the case?

Obviously Yahoo, in this example, would have to come to the party with a
policy file probably containing a wildcard client entry. But if they did,
would that not overcome the signing/acceptance requirement?

Cheers Richard Maher

PS. Anyone aware of any moves to unite the Socket Policy File behaviour
between Java, Flex, and Silverlight?
 
Arne Vajhøj

NickPick said:
> Well that's annoying.

The alternative is that the black hats put up a web site with
some interesting content and then have a small invisible applet
that reads the entire intranet behind the firewall and sends the
content to the black hats.

> I wrote this applet that downloads stock prices
> from yahoo and displays a chart and now I can't even upload it? Other
> than signing the applet, is there a way to deploy it differently
> somehow?

In general running code on the client's PC that accesses
anything except the site that it is retrieved from
is not allowed.

And it is not just Java.

Arne
 
Arne Vajhøj

Richard said:
> I thought that since Java 1.6-10 an Applet could connect to anywhere the
> target's policy file(s) let them; is this not the case?
>
> Obviously Yahoo, in this example, would have to come to the party with a
> policy file probably containing a wildcard client entry. But if they did,
> would that not overcome the signing/acceptance requirement?

I was not aware of that.

But a bit of googling indicates that indeed the new Java plugin
introduced support for "cross-domain policy files".

So if the original poster can get Yahoo to cooperate with him (and
his users are up to date with their Java version), then there is
an alternative.

> PS. Anyone aware of any moves to unite the Socket Policy File behaviour
> between Java, Flex, and Silverlight?

I suspect that will happen the same year that Ford, Toyota and VW agree
to make their auto parts interchangeable.

Arne
 
Dave Miller

Arne said:
> But a bit of googling indicates that indeed the new Java plugin
> introduced support for "cross-domain policy files".
>
> So if the original poster can get Yahoo to cooperate with him (and
> his users are up to date with their Java version), then there is
> an alternative.
>
> I suspect that will happen the same year that Ford, Toyota and VW agree
> to make their auto parts interchangeable.
>
> Arne

I'm not so sure about that. (Presuming enough page views to make the
conversation worthwhile) I'll bet agreeing to carry the ads along with
the content would be viewed favorably by anyone using an ad driven model.
 
Arne Vajhøj

> I'm not so sure about that. (Presuming enough page views to make the
> conversation worthwhile) I'll bet agreeing to carry the ads along with
> the content would be viewed favorably by anyone using an ad driven model.

If you had not omitted the part I was replying to the meaning
may have been clearer.

Arne
 
Arne Vajhøj

Richard said:
> It really stood out for me when Java 6 came out!

But I am not much into applets, so ...

> You're better at Google than me. I know there is a great little write-up about
> it with an example from some SUN guy with a beard, but stiffed if I can find
> it now.

What I found was:
https://jdk6.dev.java.net/plugin2/#CROSSDOMAINXML

> IIRC it's got port-level granularity so who knows, maybe they're up for it?

Maybe.

But Yahoo thinks in big numbers.

> You'd be surprised! Although Microsoft is once again doing their own thing
> they are at least supporting Adobe's policy-files/format/behaviour. If
> you've got a pointer to the SUN/Java document on socket policy files then
> please post it here; in the meantime here's the Adobe one: -
> http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html

I assume we are back with client side policy file - not the server side
stuff mentioned above.

Java policy files are general:

http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html

but there is also applet specific stuff:

http://java.sun.com/developer/technicalArticles/Security/applets/
http://www.javaworld.com/javaworld/jw-11-1997/jw-11-hood.html

(there are 13 million hits on Google for java security policy, so
there are many other links than those above)

Arne
 
Richard Maher

Hi Arne,

Arne Vajhøj said:
> I was not aware of that.

It really stood out for me when Java 6 came out!

(Just like the "new" asynchronous i/o functionality in Java 7 has stood out
for different reasons :-( but more on that elsewhere)

> But a bit of googling indicates that indeed the new Java plugin
> introduced support for "cross-domain policy files".

You're better at Google than me. I know there is a great little write-up about
it with an example from some SUN guy with a beard, but stiffed if I can find
it now.

> So if the original poster can get Yahoo to cooperate with him (and
> his users are up to date with their Java version), then there is
> an alternative.

IIRC it's got port-level granularity so who knows, maybe they're up for it?

> I suspect that will happen the same year that Ford, Toyota and VW agree
> to make their auto parts interchangeable.

You'd be surprised! Although Microsoft is once again doing their own thing
they are at least supporting Adobe's policy-files/format/behaviour. If
you've got a pointer to the SUN/Java document on socket policy files then
please post it here; in the meantime here's the Adobe one: -
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html

Cheers Richard Maher
 
Richard Maher

Hi Arne,
> http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html
>
> I assume we are back with client side policy file - not the server side
> stuff mentioned above.

Not sure. What I'm talking about is a SWF file that wants to make a Flex
Socket connection to port X at cross-domain Y. Now the Flash Player will go
to port 843 at WWW.Y.COM and ask for a copy of Y's lovely policy files (in a
crappy null terminated protocol that has nothing to do with http). The Flash
Player then checks whether the client is entitled to connect to port X using
Y's policy criteria.

I'd expect the JRE (Applet sandbox, or whatever) to perform a similar
function here. Like you I searched for "policy files" and got bogged down
with millions of hits on client-policy-files. . . .hold on, found it (Short
and worth a read): -
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html

So it looks like "crossdomain.xml" is the winner, or at least lowest common
denominator. Whether the "Policy-Server" idea gets up, who knows?

Another link fwiw: -
http://www.adobe.com/devnet/flashpl...9_security_05.html#_Configuring_Socket_Policy

Now if you were to indulge the arrogance and detachment of the HTML5 people
with their WebSockets (and totally rule out policy files 'cos "If it ain't
HTML then it just ain't") then you could just cling to the security blanket of
port 80/443 and hope the big, bad world would just go away :)

Cheers Richard Maher
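
The check described in the post above, where the runtime fetches the target's policy and decides whether the client may connect to port X, as an added example (not code from the thread, the Java Plug-in or Flash Player). It uses the `allow-access-from` / `to-ports` entries of Adobe's socket policy format; the sample policy, the host names and the simplified wildcard matching are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SocketPolicyCheck {
    // Constructed sample policy, not a real site's file.
    static final String SAMPLE = "<cross-domain-policy>"
        + "<allow-access-from domain=\"*.charts.example\" to-ports=\"80,8000-8100\"/>"
        + "<allow-access-from domain=\"*\" to-ports=\"843\"/>"
        + "</cross-domain-policy>";
    /** May code loaded from clientHost open a socket to this port under the policy? */
    static boolean allows(String policyXml, String clientHost, int port) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The policy is remote input: refuse DOCTYPEs so it cannot declare entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList rules = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(policyXml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("allow-access-from");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            if (domainMatches(rule.getAttribute("domain"), clientHost)
                    && portMatches(rule.getAttribute("to-ports"), port)) return true;
        }
        return false; // default deny: no matching rule, no connection
    }
    // Simplified matching (assumption): "*" = any client, "*.d" = subdomains of d.
    static boolean domainMatches(String pattern, String host) {
        String p = pattern.toLowerCase(), h = host.toLowerCase();
        return p.equals("*") || (p.startsWith("*.") ? h.endsWith(p.substring(1)) : p.equals(h));
    }
    // to-ports is a comma-separated list of ports, ranges ("8000-8100") or "*".
    static boolean portMatches(String spec, int port) {
        for (String part : spec.split(",")) {
            String[] range = part.trim().split("-", 2);
            if (range[0].equals("*")) return true;
            if (range[0].isEmpty()) continue; // missing or empty entry grants nothing
            int lo = Integer.parseInt(range[0].trim());
            int hi = range.length == 2 ? Integer.parseInt(range[1].trim()) : lo;
            if (port >= lo && port <= hi) return true;
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(allows(SAMPLE, "www.charts.example", 8080));
        System.out.println(allows(SAMPLE, "other.example", 80));
        System.out.println(allows(SAMPLE, "other.example", 843));
    }
}
```

In the sample, the `domain="*"` rule opens port 843 to code loaded from any site, while ports 80 and 8000-8100 stay limited to `*.charts.example`; a server operator publishing a wildcard entry is making that decision for every origin.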
 
Roedy Green

> I get the following error message:
> java.security.AccessControlException: access denied
> (java.net.SocketPermission ichart.finance.yahoo.com:80
> connect,resolve) at java.security.AccessControlContext.checkPermission
> (Unknown Source)

see http://mindprod.com/jgloss/applet.html
http://mindprod.com/jgloss/signedapplet.html


Applets may not talk to strangers, or the server they were loaded from,
unless they are signed.
--
Roedy Green Canadian Mind Products
http://mindprod.com

"Learning is not compulsory... neither is survival."
~ Dr. W. (William) Edwards Deming (born: 1900-10-14 died: 1993-12-20 at age: 93)
 
Arne Vajhøj

NickPick said:
> Well that's annoying. I wrote this applet that downloads stock prices
> from yahoo and displays a chart and now I can't even upload it? Other
> than signing the applet, is there a way to deploy it differently
> somehow?

If I were to create such an app then I would:
- embed the applet in a dynamic page (ASP, PHP, ASP.NET, JSP etc.)
- have that server side page retrieve the data and expose them
   as params to the applet
- make the applet unsigned
- build the applet for as low as Java 1.4.2
- have the applet display the params data graphically and allow
   users to change view without hitting the server

Arne
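
The layout in the post above, seen from the server side, as an added example (not code from the thread): the dynamic page fetches the quotes itself and hands them to the unsigned applet as `<param>` values. The class name `StockChart.class`, the `rowN` parameter names and the two-column CSV are assumptions; upstream data is validated and escaped before it is written into the page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class AppletPageBuilder {
    // Constructed sample of what the server-side fetch returned; not real quotes.
    static final String SAMPLE_CSV =
        "Date,Close\n2009-03-02,6763.29\n2009-03-03,6726.02\n<script>x</script>,1\n";
    static final Pattern DATE = Pattern.compile("\\d{4}-\\d{2}-\\d{2}");
    static final Pattern PRICE = Pattern.compile("\\d{1,7}(\\.\\d{1,4})?");

    /** Keep only rows shaped like date,price: the upstream response is untrusted input. */
    static List<String> validRows(String csv) {
        List<String> rows = new ArrayList<>();
        for (String line : csv.split("\\r?\\n")) {
            String[] cols = line.split(",", -1);
            if (cols.length == 2 && DATE.matcher(cols[0]).matches()
                    && PRICE.matcher(cols[1]).matches()) {
                rows.add(cols[0] + "=" + cols[1]);
            }
        }
        return rows;
    }

    // Escape for an HTML attribute value; kept even after validation as a second layer.
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Build the tag the dynamic page would emit; StockChart.class is hypothetical. */
    static String appletTag(String csv) {
        List<String> rows = validRows(csv);
        StringBuilder html = new StringBuilder(
            "<applet code=\"StockChart.class\" width=\"600\" height=\"400\">\n");
        html.append("  <param name=\"rows\" value=\"").append(rows.size()).append("\">\n");
        for (int i = 0; i < rows.size(); i++) {
            html.append("  <param name=\"row").append(i).append("\" value=\"")
                .append(escapeAttr(rows.get(i))).append("\">\n");
        }
        return html.append("</applet>\n").toString();
    }

    public static void main(String[] args) {
        System.out.print(appletTag(SAMPLE_CSV));
    }
}
```

The applet then reads the values with `getParameter` and never opens a socket of its own, so it needs no `SocketPermission` beyond the sandbox default.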
 
NickPick

> If I were to create such an app then I would:
> - embed the applet in a dynamic page (ASP, PHP, ASP.NET, JSP etc.)
> - have that server side page retrieve the data and expose them
>    as params to the applet
> - make the applet unsigned
> - build the applet for as low as Java 1.4.2
> - have the applet display the params data graphically and allow
>    users to change view without hitting the server
>
> Arne

That sounds like the solution. But then why not do it all in php
directly with the GD extension?

How can I build an applet so that it runs on lower Java versions?

tx
 
Arne Vajhøj

NickPick said:
> That sounds like the solution. But then why not do it all in php
> directly with the GD extension?

If you only want the applet to display a static image, then you can just
as well make it server side with GD.

What applet provides you is the ability to manipulate the data: show
last 3 months, last years, last 5 years, show in different types of
diagrams etc. - all without requesting data or anything else from
the server.

Arne
 
NickPick

> If you only want the applet to display a static image, then you can just
> as well make it server side with GD.
>
> What applet provides you is the ability to manipulate the data: show
> last 3 months, last years, last 5 years, show in different types of
> diagrams etc. - all without requesting data or anything else from
> the server.
>
> Arne

All right, many thanks guys. The php solution is implemented and works
fine: http://www.dickreuter.com/res1.php
 
Richard Maher

Hi Arne,
> What applet provides you is the ability to manipulate the data: show
> last 3 months, last years, last 5 years, show in different types of
> diagrams etc. - all without requesting data or anything else from
> the server.

Depends how it's coded doesn't it? If you look at: -
http://manson.vistech.net/t3$examples/demo_client_flex.html

Username: TIER3_DEMO
Password: QUEUE
(Don't bother putting in any partial surname. Just hit the "GO" button)

You will see an example of different filters being applied to the same Flex
ArrayCollection depending on which piece of the pie charts has been
exploded. Click on one of the charts and then watch the DataGrid contents
change with the ArrayCollection.refresh() method. I'm guessing here that a
1day, 5day, 1mth, 1yr could be applied to the ArrayCollections for the pie
chart(s) equally as easily.

But when it comes to NASDAQ I think you're right in that I don't believe
they have discovered the wonders of Adobe's FABridge and the ability to
expose MXML methods and objects to JavaScript.

OK, technically this isn't JAVA but a Java Applet *is* being used to form a
Socket connection to the server and retrieve the data that is being
populated into the Flex charts - I like it! Flex Socket support is pretty
rudimentary and Java's is pretty feature-rich.

All Java Source-Code (CornuCopiae.java - a new tighter version on the way)
and MXML can be found at http://manson.vistech.net/t3$examples/

Policy-Files are coming, IPSec is here, it's all gravy!

Cheers Richard Maher
 
Arne Vajhøj

NickPick said:
> How can I build an applet so that it runs on lower Java versions?

javac has -source and -target to specify language and JVM versions.

You can also just build with an old Java version. :)

Arne
 
Arne Vajhøj

Richard said:
> Depends how it's coded doesn't it?

You have the ability no matter how you code it, but
you obviously need to code for it to actually get it.

Arne
 
