Applets, JAXB and security policy

Discussion in 'Java' started by Myriam Abramson, Dec 3, 2007.

  1. Hello,

    I have an applet using JAXB. I was able to overcome the security
    restriction using appletviewer by specifying a java.policy that grants
    all permissions on the command line:

    appletviewer -J-Djava.security.policy=java.policy index.html

    Now, I need to deploy that applet on the web. How can I specify this
    policy encoded in the file named java.policy on the APPLET tag of
    index.html?

    TIA
    --
    myriam
    Myriam Abramson, Dec 3, 2007
    #1

  2. Myriam Abramson wrote:
    ...
    >I have an applet using JAXB. I was able to overcome the security
    >restriction


    What 'security restriction'? Applets should be able to access
    documents relative to their own codebase while *sandboxed.*
    Resources from the same server are a little harder to get an
    URL to, but still accessible to the sandboxed applet.

    >..using appletviewer by specifying a java.policy that grants
    >all permissions on the command line:
    >
    >appletviewer -J-Djava.security.policy=java.policy index.html


    That is extremely non-optimal. It is impractical to go
    editing the java.policy file on user machines, and they
    certainly would not gain from having all applets allowed
    to do anything.

    --
    Andrew Thompson
    http://www.physci.org/

    Message posted via JavaKB.com
    http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
    Andrew Thompson, Dec 3, 2007
    #2

  3. I get this message without a java.policy granting all permissions.

    Exception in thread "AWT-EventQueue-1" java.security.AccessControlException: access denied (java.util.PropertyPermission javax.xml.bind.JAXBContext read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)

    JAXB tries to read something so it becomes a security issue for the
    applet if I understand it correctly?



    > "Andrew Thompson" <u32984@uwe> wrote:
    > Myriam Abramson wrote:
    > ..
    >>I have an applet using JAXB. I was able to overcome the security
    >>restriction

    >
    > What 'security restriction'? Applets should be able to access
    > documents relative to their own codebase while *sandboxed.*
    > Resources from the same server are a little harder to get an
    > URL to, but still accessible to the sandboxed applet.
    >
    >>..using appletviewer by specifying a java.policy that grants
    >>all permissions on the command line:
    >>
    >>appletviewer -J-Djava.security.policy=java.policy index.html

    >
    > That is extremely non-optimal. It is impractical to go
    > editing the java.policy file on user machines, and they
    > certainly would not gain from having all applets allowed
    > to do anything.
    >
    > --
    > Andrew Thompson
    > http://www.physci.org/
    >
    > Message posted via JavaKB.com
    > http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
    >


    --
    myriam
    Myriam Abramson, Dec 4, 2007
    #3
  4. Myriam Abramson wrote:

    Please refrain from top-posting. I find it most confusing.

    >I get this message without a java.policy granting all permissions.


    No. You get that message..
    1) When the code is running with a security manager and
    2) Lacks 'full trust', when
    3) Attempting things that require full trust.

    The situation you describe is *one* way to get around
    that trust issue, but not a very good one.

    >Exception in thread "AWT-EventQueue-1" java.security.AccessControlException: access denied (java.util.PropertyPermission javax.xml.bind.JAXBContext read)


    OK - how exactly is the applet attempting to read the JAXBContext?
    Is it something done directly in your code (URL or File, perhaps) or is
    it invoked by other (e.g. JAXB) code over which you have no control?

    An URL should be able to work sandboxed, whereas the File will
    *not* be practical for an applet reading data off a remote server.

    >JAXB tries to read something ..


    That is sounding more like 'invoked from code beyond your control',
    but I'd be interested to hear how the initial connection is formed (URL
    or File) as that might influence other later decisions between using Files
    or URLs.

    >..so it becomes a security issue for the
    >applet if I understand it correctly?


    It is not entirely clear to me yet, some 'read's will be allowed,
    but it seems (from the scant evidence so far) that this applet
    is trying to establish File objects, which makes little sense
    in an applet (ever).

    Can you provide a self contained code example that shows
    the same effect?

    --
    Andrew Thompson
    http://www.physci.org/

    Message posted via JavaKB.com
    http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
    Andrew Thompson, Dec 4, 2007
    #4
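
For local appletviewer testing, the policy file can be narrowed to the single permission named in the exception in post #3 instead of granting everything. This is an added example, not something posted in the thread. The codeBase URL is a placeholder, and it is an assumption that JAXB needs nothing further: any later AccessControlException names the next permission to evaluate.

```text
// java.policy as used in post #1: every code source gets every permission.
// Any applet loaded while this policy is active runs unsandboxed.
grant {
    permission java.security.AllPermission;
};

// Scoped alternative: only code loaded from the applet's own codebase
// (placeholder URL, replace with the real one) may read the one system
// property the exception reports as denied. Everything else stays sandboxed.
grant codeBase "http://applets.example.com/jaxb-applet/-" {
    permission java.util.PropertyPermission "javax.xml.bind.JAXBContext", "read";
};
```

Keep only one of the two grant blocks in the file. Either way the policy is read on the machine running the applet, so it does not travel with the APPLET tag to web visitors.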