Signed Java Applet Throws Security Exception on Co

Posted 2019-05-30 14:33

Question:

I have a Java applet running on Tomcat 5.5. It is signed (-selfcert). I still get a java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader) exception when my applet tries to connect to a web service (already in this line):

ws_locator = new My_WebserviceLocator(ws_adress + "?wsdl",
                new javax.xml.namespace.QName("http://impl.webservice", "My_Webservice"));

Since there are some similar questions here, and I read them:

  • Yes, the applet is signed. I checked it with -verify.

  • Tomcat security exception, maybe, but I have added to catalina.policy:

    grant codeBase "file:/home/me/apache-tomcat-5.5.27/webapps/myapplet/-" {
        permission java.security.AllPermission;
    };

    grant codeBase "file:/home/me/apache-tomcat-5.5.27/webapps/myapplet/applet.jar" {
        permission java.security.AllPermission;
    };

and the usual stuff like this is also in there:

grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

with no result.

Ok, quick update, adding:

grant{
        permission java.security.AllPermission;
};

to the local java.policy file fixes the problem. BUT that's not what I am looking for; the applet should run on an average machine, with the default java.policy file. So it has to be fixed from within the code.

Answer 1:

Do you call your WS from the applet main thread or from a thread initiated by a call to the applet's method using JavaScript?

See example below.

Hope it helps.

import java.security.AccessController;
import java.security.PrivilegedAction;

import javax.swing.JApplet;

public class MyApplet extends JApplet {

    @Override
    public void start() {
        // It will work if your applet is signed
        callWebService();
    }

    public void methodCalledFromJavascriptWrong() {
        // It will NOT work even if your applet is signed
        callWebService();
    }

    public void methodCalledFromJavascriptGood() {
        // Run the call with the applet's own permissions
        AccessController.doPrivileged(new PrivilegedAction<Object>() {

            @Override
            public Object run() {
                // It will work if your applet is signed
                callWebService();
                return null;
            }

        });
    }

    private void callWebService() {
        // Here you call your web service
    }
}
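
Added example (not part of the original answer, and not JDK code): a simplified model of the stack inspection behind AccessController, showing why the plain call reached from JavaScript is denied and why the doPrivileged variant passes. The frame names and the treatment of the JavaScript caller as an unprivileged domain on the stack are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

/** Simplified model of Java stack inspection; not the JDK implementation. */
public class StackInspectionModel {

    /** One stack frame: its owner, the permissions granted to its
     *  protection domain, and whether it was entered via doPrivileged. */
    record Frame(String owner, Set<String> granted, boolean privileged) {}

    static final String PERM = "createClassLoader";
    static final Set<String> ALL = Set.of(PERM); // signed, trusted applet code
    static final Set<String> NONE = Set.of();    // sandboxed caller

    /** Walk from the newest frame to the oldest. Every domain met on the way
     *  must hold the permission; a privileged frame ends the walk early. */
    static boolean checkPermission(Deque<Frame> stack, String perm) {
        for (Frame f : stack) { // push() puts the newest frame first
            if (!f.granted().contains(perm)) return false;
            if (f.privileged()) return true;
        }
        return true;
    }

    /** Build a stack from frames listed oldest first. */
    static Deque<Frame> stack(Frame... oldestFirst) {
        Deque<Frame> s = new ArrayDeque<>();
        for (Frame f : oldestFirst) s.push(f);
        return s;
    }

    public static void main(String[] args) {
        // Hypothetical frames mirroring the methods in the answer above.
        Frame js = new Frame("JavaScript caller (assumed untrusted)", NONE, false);
        Frame start = new Frame("MyApplet.start", ALL, false);
        Frame wrong = new Frame("MyApplet.methodCalledFromJavascriptWrong", ALL, false);
        Frame good = new Frame("PrivilegedAction.run", ALL, true);
        Frame ws = new Frame("MyApplet.callWebService", ALL, false);

        System.out.println("start():          " + checkPermission(stack(start, ws), PERM));
        System.out.println("JS, plain call:   " + checkPermission(stack(js, wrong, ws), PERM));
        System.out.println("JS, doPrivileged: " + checkPermission(stack(js, good, ws), PERM));
    }
}
```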


Answer 2:

Setting permissions on the server is not the solution. It is the security manager in the browser that complains.

The proposed use of AccessManager is indeed mandatory or this will fail. But you also need to do the same when calling the webservice from start() or init().

Can I ask: is the WebService call the only reason why you have an applet? It might be better to put a proxy servlet in place to avoid Same domain policy restrictions. Then you can use pure HTML + JavaScript in the browser.

Calling into an applet from JS can fail if you do it before the applet is fully started, so you should wait for the applet to be ready.



Answer 3:

If you are using other libraries (jars) from your applet that interact with any restricted resource, they should also be signed. So give the whole stacktrace, and the My_WebserviceLocator. (And don't use underscores). For example try signing the axis.jar.



Answer 4:

As a temporary workaround, you can disable the SecurityManager. Of course this has some security issues, but at least you will be able to track it down to the SecurityManager (i.e., a permissions issue).

System.setSecurityManager(null);

If this indeed works, my guess is that you are configuring the wrong policy file. When running an applet from the browser, I'm almost sure that the applet launcher will be a regular consumer JRE, not the jre bundled with the JDK.