A signed applet gives an AccessControlException: access denied when called from JavaScript

I have a simple self-signed applet (made with keytool and jarsigner):

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import javax.swing.JApplet;

    public class NetAppletLauncher extends JApplet {
        private static final long serialVersionUID = 1L;

        public void init() {
            exec("notepad c:/hello.txt");
        }

        public void exec(String command) {
            try {
                // launch EXE and grab stdin/stdout and stderr
                Process process = Runtime.getRuntime().exec(command);
                // OutputStream stdin = process.getOutputStream();
                InputStream stderr = process.getErrorStream();
                InputStream stdout = process.getInputStream();

                // "write" the parms into stdin
                // stdin.write(arguments.getBytes());
                // stdin.flush();
                // stdin.close();

                // clean up if any output in stdout
                String line = "";
                BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
                while ((line = brCleanUp.readLine()) != null) {
                    //System.out.println ("[Stdout] " + line);
                }
                brCleanUp.close();

                // clean up if any output in stderr
                brCleanUp = new BufferedReader(new InputStreamReader(stderr));
                while ((line = brCleanUp.readLine()) != null) {
                    //System.out.println ("[Stderr] " + line);
                }
                brCleanUp.close();
            } catch (Exception exception) {
                exception.printStackTrace();
            }
        }
    }

Basically, what it does is execute 'notepad c:/hello.txt'.

Then I put the applet into the HTML:

 <applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet> 

When I open the page, the JRE starts up and asks whether I want to run this applet and whether I trust it. I click OK. Then Notepad starts - as you would expect. There is no problem.

But then I add this to the HTML page:

 <p class="link" onclick="document.applet.exec('calc');">remote desktop2</p> 

Now, when I click on this text, calc should start - right? But it gives me:

 java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute) at java.security.AccessControlContext.checkPermission(Unknown Source) 
What's up with that? Why does it now give me a security exception, when it could start Notepad earlier?
+4
4 answers

Solved the problem using Java:

 exec(getParameter("command")); 

and then in JavaScript:

    <script type="text/javascript">
    function exec( command ) {
        var applet = "<applet id='applet' style='visibility: hidden' name='applet' "
            + "archive='NetAppletLauncher4.jar' code='src.NetsetAppletLauncher' "
            + "width='20' height='20' MAYSCRIPT >"
            + "<param name='command' value='" + command + "' />"
            + "Sorry, you need a Java-enabled browser.</applet>";

        var body = document.getElementsByTagName("body")[0];
        var div = document.createElement("div");
        div.innerHTML = applet;
        body.appendChild(div);
    }
    </script>
+5

The Java 2 security model (approximately) requires that each frame on the stack be granted permission for the access control context (acc) to obtain this permission. JavaScript is on the stack and does not have file permissions.

+6

I agree: manipulating a signed applet from JavaScript is prohibited, and a workaround is to rewrite the applet tag from JavaScript in the page document.

I found this source with some theory proving that we are right: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote

+1

In fact, calling an applet from JavaScript behaves like calling an unsigned applet (as stated in the jsNote: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote). This is good and works when you use a class that you are not allowed to change, but since you are the author of the Java class, you can always wrap the specific method that you need to call from JavaScript so that it executes in privileged mode, for example:

    AccessController.doPrivileged(new PrivilegedAction<String>() {
        @Override
        public String run() {
            exec(command);
            return null;
        }
    });

And it should work fine. (This is what is suggested in the above comment by @Jean-Philippe Jodoin, but the link provided there is broken.)

+1
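The doPrivileged approach in the answer above takes the script frame out of the permission check, so whatever the privileged block does becomes reachable by any script running on the page. As an added example (not code from the question or the answers; the class name AllowListedLauncher, the keys and the launch/resolve methods are assumptions), here is a variant in which the page can only select one of a few fixed command lines:

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.swing.JApplet;

// Added example: class name, keys and command lines are assumptions for illustration.
public class AllowListedLauncher extends JApplet {
    private static final long serialVersionUID = 1L;

    // Fixed argument vectors chosen by the applet author; page script only picks a key.
    private static final Map<String, String[]> ALLOWED = new HashMap<String, String[]>();
    static {
        ALLOWED.put("notes", new String[] {"notepad", "c:/hello.txt"});
        ALLOWED.put("calc", new String[] {"calc"});
    }

    // Plain lookup with no privileges involved; returns a copy, or null for unknown keys.
    static String[] resolve(String key) {
        String[] argv = (key == null) ? null : ALLOWED.get(key);
        return (argv == null) ? null : argv.clone();
    }

    // Public, so page script can call it, e.g. document.applet.launch('calc').
    // The script caller is unprivileged, so validation happens before doPrivileged
    // and only the vetted exec call runs inside it.
    public boolean launch(String key) {
        final String[] argv = resolve(key);
        if (argv == null) {
            return false; // unknown key: nothing crosses the privilege boundary
        }
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                try {
                    // String[] overload: the caller's text is never tokenised into a command
                    Runtime.getRuntime().exec(argv);
                    return Boolean.TRUE;
                } catch (IOException e) {
                    return Boolean.FALSE;
                }
            }
        });
    }
}
```

The same reasoning applies to the param-based workaround: a `command` parameter written into the applet tag by page script is still caller-controlled input to a signed applet.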