Giving Applet Full Permission Without Policy File

Discussion in 'Java' started by Darol, Aug 24, 2005.

  1. Darol

    Darol Guest

    I have a signed applet that needs the Java Plug-in to grant it full
    permission to use system resources (files, sockets). I know that I can
    do this by adding certificate info to the policy file, but I don't want
    my users to have to modify their policy files. In short, how can my
    applet get full permission without making any changes to the users'
    policy file?
     
    Darol, Aug 24, 2005
    #1

  2. Roedy Green

    Roedy Green Guest

    On 24 Aug 2005 14:57:22 -0700, "Darol" <>
    wrote or quoted :

    >I have a signed applet that needs the Java Plug-in to grant it full
    >permission to use system resources (files, sockets). I know that I can
    >do this by adding certificate info to the policy file, but I don't want
    >my users to have to modify their policy files. In short, how can my
    >applet get full permission without making any changes to the users'
    >policy file?


    That is like asking how can I pick the policy file lock.

    The whole point of the policy file is to stop signed applets from
    running without permission or manual grant.

    Imagine if there were an answer to your question. Pirates could use
    it to hack every machine that ran an Applet. The loophole would have
    to be quickly closed.

    However, what you might do, is use a signed Applet to modify the
    policy file. But that Applet has to be given a manual one-time grant.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com
     
    Roedy Green, Aug 25, 2005
    #2

  3. On 24 Aug 2005 14:57:22 -0700, Darol wrote:

    > I have a signed applet that needs the Java Plug-in to grant it full
    > permission to use system resources (files, sockets).


    If your applet is signed, the user should be asked if they
    will accept the signature. If they do, the applet will be
    granted full privileges.

    >...I know that I can
    > do this by adding certificate info to the policy file, but I don't want
    > my users to have to modify their policy files.


    In other words, AFAIU, you should not need to adjust any
    policy files even now.

    Report back if that is correct. There is one more step you
    can take to make sure the code is accepted as privileged,
    but I think it should not be necessary.

    HTH

    --
    Andrew Thompson
    physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
    "Her voice was soft and cool, her eyes were clear and bright, ..but she's
    not there"
    The Zombies 'She's Not There'
     
    Andrew Thompson, Aug 25, 2005
    #3
  4. Darol

    Darol Guest

    Full permission is not given simply if the user accepts the signed
    applet if the applet has not been RSA-signed. I don't want to get an
    official certificate and I don't want to create a test certificate,
    which requires that the client user import this certificate. Ideally, I
    would like the user to just accept a self-signed applet, which would
    then be given full permission.
     
    Darol, Aug 26, 2005
    #4
  5. Darol

    Darol Guest

    I'm not asking for a lock pick. My intent is to have the user accept a
    self-signed applet, which is a permission grant.
     
    Darol, Aug 26, 2005
    #5
  6. On 26 Aug 2005 15:08:36 -0700, Darol wrote:

    > Full permission is not given simply if the user accepts the signed
    > applet if the applet has not been RSA-signed.


    What does 'not been RSA-signed' mean? Self-signed?

    Got an URL that supports that self-signed certificates
    (that are accepted by the user) get anything less than
    full access/full privileges?

    --
    Andrew Thompson
    physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
    "Ain't it dark, wrapped up in that tarp.."
    Dixie Chicks 'Goodbye Earl'
     
    Andrew Thompson, Aug 27, 2005
    #6
  7. Darol wrote:

    > I'm not asking for a lock pick. My intent is to have the user accept a
    > self-signed applet, which is a permission grant.


    The problem is that anyone could self sign their own applet. If the client
    were to accept such a thing it would be completely open to anybody who
    wanted to write malicious code.

    --
    Kenneth P. Turvey <>

    Currently seeking employment as a Java developer in the St. Louis area.
     
    Kenneth P. Turvey, Aug 27, 2005
    #7
  8. Roedy Green

    Roedy Green Guest

    On 26 Aug 2005 15:10:23 -0700, "Darol" <>
    wrote or quoted :

    >I'm not asking for a lock pick. My intent is to have the user accept a
    >self-signed applet, which is a permission grant.


    In that case, there is nothing to do to the policy file.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com Again taking new Java programming contracts.
     
    Roedy Green, Aug 29, 2005
    #8
  9. Roedy Green

    Roedy Green Guest

    On 26 Aug 2005 15:08:36 -0700, "Darol" <>
    wrote or quoted :

    > Ideally, I
    >would like the user to just accept a self-signed applet, which would
    >then be given full permission.


    The way it works if you don't want to buy a certificate, is you create
    a phony certificate (self signed) and sign your jar with it. When the
    user gets it, he is asked if he is willing to accept your phony cert.
    If he says "yes" then the Applet has full permission. If he says no,
    you have only the unsigned Applet privileges. You can see the process
    in action by going to http://mindprod.com/applets/wassup.html
    where I have a self-signed Applet.

    Anything else without a real certificate would require either
    modifying the policy files of all the users or importing the
    certificate as trusted in all the users' machines.

    See http://mindprod.com/jgloss/certificate.html
    http://mindprod.com/jgloss/keytool.html
    http://mindprod.com/jgloss/signedapplets.html
    http://mindprod.com/jgloss/jarsigner.html
    for the gory details.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com Again taking new Java programming contracts.
     
    Roedy Green, Aug 29, 2005
    #9
  10. Darol

    Darol Guest

    True, but that's the power I want to give my applet users. I understand
    that this is a dangerous capability to give the user.
     
    Darol, Aug 29, 2005
    #10
  11. Darol

    Darol Guest

    Yes, self-signed.

    I haven't found a URL yet that allows self-signed certificates full
    access.
     
    Darol, Aug 29, 2005
    #11
  12. Darol

    Darol Guest

    Ok, I'll try your links. My applet did not get full permission with the
    acceptance of the phony certificate.
     
    Darol, Aug 29, 2005
    #12
  13. On 29 Aug 2005 15:13:12 -0700, Darol wrote:

    > Ok, I'll try your links. My applet ...


    Where is your applet? What is the URL I can visit to see it?

    --
    Andrew Thompson
    physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
    "Use those seconds sensibly or you will inevitably die."
    Hawkwind 'Sonic Attack'
     
    Andrew Thompson, Aug 29, 2005
    #13
  14. On 29 Aug 2005 15:11:20 -0700, Darol wrote:

    > I haven't found a URL yet that allows self-signed certificates full
    > access.


    What does that mean? If you visited Roedy's Wassup applet
    and clicked OK at the appropriate moment, it would gain
    *full* access to your PC. It would not do anything
    malevolent with that privilege, but it is *able*
    to do anything.

    --
    Andrew Thompson
    physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
    "Got no time to pack my bag, my foot's outside the door"
    Led Zeppelin 'The Ocean'
     
    Andrew Thompson, Aug 30, 2005
    #14
  15. Darol

    Darol Guest

    My applet is currently on a classified server so I can't let you access
    it - wish I could.

    Andrew Thompson wrote:
    > On 29 Aug 2005 15:13:12 -0700, Darol wrote:
    >
    > > Ok, I'll try your links. My applet ...

    >
    > Where is your applet? What is the URL I can visit to see it?
    >
    > --
    > Andrew Thompson
    > physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
    > "Use those seconds sensibly or you will inevitably die."
    > Hawkwind 'Sonic Attack'
     
    Darol, Aug 30, 2005
    #15