New java.security.AccessControlException in Java 8

Previously running network code throws java.security.AccessControlException in a fully isolated Java applet.

 Can't get socket 2255: java.security.AccessControlException: access denied ("java.net.SocketPermission" "50.31.1.13:2255" "connect,resolve") 

What has Oracle changed - what new security hoop needs to be jumped to keep sockets in operation?

This worked / works in Java 1.7.0_55 and in all previous versions of Java.

+7
java security sockets
3 answers

It really changed ... From the documentation

http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/enhancements-8.html

  • For RIAs with a sandbox, URLPermission is now used to allow connections back to the server from which they were started. URLPermissions are granted based on the protocol, host, and port of the code source. This change has the following consequences:

    • For RIAs with a sandbox, SocketPermissions for the origin host are no longer granted. Calls from JavaScript code to the RIA are not granted SocketPermissions as of JDK 8.

    ...

In other words, you can no longer create a new Socket in the sandbox. From a completely isolated applet, you can only create a URL connection to the same host, the same port and the same protocol as the code base.

If Oracle does not change its mind, there is no way to isolate an isolated applet (otherwise it will lead to the loss of the entire security concept).

+10

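Added example, not part of the original thread and not Oracle's code: a small Java 8+ program that models the two sandbox grants described in the answer above and asks each one whether it implies the `SocketPermission` from the exception in the question. The class name, the HTTP code base URL, the `/data/feed.txt` path and the exact shape of the two grants are assumptions made for illustration.

```java
import java.net.SocketPermission;
import java.net.URLPermission;
import java.security.Permission;
import java.security.Permissions;

public class SandboxOriginPermissions {
    // Origin host taken from the exception in the question; an HTTP code base is assumed.
    static final String ORIGIN_HOST = "50.31.1.13";
    static final String CODE_BASE = "http://" + ORIGIN_HOST + "/-";

    // Assumed model of the pre-JDK 8 sandbox: raw socket access back to the origin host.
    static Permissions jdk7Sandbox() {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission(ORIGIN_HOST, "connect,accept"));
        return granted;
    }

    // Assumed model of the JDK 8 sandbox: URL access limited to the
    // protocol, host and port of the code source, and no SocketPermission.
    static Permissions jdk8Sandbox() {
        Permissions granted = new Permissions();
        granted.add(new URLPermission(CODE_BASE));
        return granted;
    }

    public static void main(String[] args) {
        // The permission the applet in the question was denied.
        Permission socket = new SocketPermission(ORIGIN_HOST + ":2255", "connect,resolve");
        System.out.println("JDK 7 model allows " + socket + ": "
                + jdk7Sandbox().implies(socket));

        Permission[] requests = {
            socket,
            // Same protocol, host and (default) port as the code base.
            new URLPermission("http://" + ORIGIN_HOST + "/data/feed.txt", "GET"),
            // Same host, but a different port than the code base.
            new URLPermission("http://" + ORIGIN_HOST + ":2255/data/feed.txt", "GET"),
        };
        Permissions jdk8 = jdk8Sandbox();
        for (Permission request : requests) {
            System.out.println("JDK 8 model allows " + request + ": "
                    + jdk8.implies(request));
        }
    }
}
```

The check uses `Permissions.implies` directly, so it needs no installed SecurityManager and no network access.
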
Well, for me it sounds like Oracle decided to strengthen applet security requirements. Here is what I found on CodeRanch:

Make the SecurityManager check socket permissions:

 System.getSecurityManager().checkPermission(new SocketPermission("50.31.1.13:2255", "accept, connect, listen")); // I used the IP address from your exception

Now thread-related checks:

 System.getSecurityManager().checkPermission(new RuntimePermission("readerThread")); 

These lines should be placed at the beginning of the main() method.

The second thing to do is sign your jar/war/ear file. First create a keystore:

 keytool -genkey -alias philip -keystore keystore 

Now put the signed CA into your trust certificate or create a self-signed certificate:

 keytool -selfcert -alias philip -keystore keystore 

And finally, sign the file:

 jarsigner -keystore keystore -signedjar WhatYouWantTheSignedJarToBeNamed.jar ThePreviousJARYouCreated.jar philip 

Actually, for a signed JAR file, the SecurityManager magic can be omitted, but, in my opinion, it is safer to do both.

Also keep in mind that sometimes you may need to sign the external JARs, not just the JAR where your applet is located.

+1

Add permission to client.policy (for the application client) or server.policy (for web modules) for the application that needs to set the property. By default, applications have read permission for properties.

For example, to provide read and write permission for all files in the code base directory, add or append the following to client.policy or server.policy:

 grant codeBase "file:/.../build/sparc_SunOS/sec/-" {
     permission java.util.PropertyPermission "*", "read, write";
 };

0