Geek Answers Handbook

How can I get a signed Java applet to perform privileged operations when called from unsigned Javascript?

Signed Java applets have the same security permission as a regular Java application running on the client. For a specific project, I need these permissions, and I need to perform privileged operations as a result of a JavaScript call.

Now the problem is that, at least for Firefox 3 in Ubuntu (target browser and platform), when the applet method is invoked through unsigned JavaScript, it loses its special permissions. Since signing JavaScript is not an option, I need a way around this limitation.

One way to achieve this is to create a thread when you start the applet and call methods on that thread whenever the main thread receives JavaScript calls. I implemented a working prototype of this idea, but I found it a little awkward because it uses too many reflections and is not as easy to reuse as I would like.

Is there a normal standard way to do what I'm trying to do? And, if my idea is the right way, how could you implement it reusable? What I'm trying to achieve is a structure that allows this running-methods-in-a-privileg-thread thing to be used for many objects. An ideal, utopian solution would be something like:

// when the applet starts-up PrivilegedExecuter priv = new PrivilegedExecuter(myObject); //or MyClass.class // ... // inside a JavaScript-called method (myObject has myMethod) priv.myMethod(); // myMethod is run synchronously in a privileged thread
+6
java javascript security applet
source share
2 answers

Use the java.security.AccessController class.

There is doPrivilegedAction and doPrivilegedExceptionAction that do exactly what you need.

For example:

  AccessController.doPrivileged (new PrivilegedAction () {
             public Object run () {
                .. do something that only works with signed applets ..
             }
         });
+7
source share

It is worth adding: make your privaction'd run() method as small and self-sufficient as possible. Obviously, you could just make your signed applet init () call privileged run() , which in turn makes the actual applet, but which simply begs to be abused, misused or used directly.

In addition, the fact that signed applets lose their special permissions when invoking JavaScript is not specific to a particular browser or platform. This is exactly what is, everywhere, all the time.

0
source share

More articles:


All Articles