Setting policies for an applet embedded in HTML

I developed an applet to take a screenshot and save it to the user's computer using the java.awt.Robot class. I need to insert this applet into an html page (using an object tag) so that when a user clicks a button on a web page, a screenshot is taken.

The applet itself works fine, I tested it by adding a temporary main method to it and running it on my local computer as a regular Java application.

Where I am having difficulty is in setting the permissions to allow it to run from its embedded location. Obviously the Robot class is somewhat dangerous, so you need to set up an AWTPermission, and the applet itself must be signed.

I went through the tutorial at http://download.oracle.com/javase/tutorial/security/toolsign/index.html and was able to create a signed .jar file and then the policy file that allowed the demo application in this tutorial to run. Where I am now facing problems is how to reconcile what I learned with the situation in which my applet will be used.

My target audience is about 100 machines, and I need it to run on all of them. I packed my .class file in a .jar and signed it with keytool and jarsigner. Then I uploaded the .jar and .cer files to the server directory where the pages are located.

However, when I used policytool to create a new policy file on one of the computers to verify the installation, I still cannot run the applet from the HTML page. I get java.security.AccessControlException: access denied java.awt.AWTPermission createRobot.

I rather suspect that this policy step is where things go wrong, so I will describe the steps I took: I copy the certificate to the local computer and generate a keystore from it. I run "policytool" from this directory via the command line and add the directory on the local computer where the keystore is stored, and my certificate. Then I click the Add Policy button and enter the alias under SignedBy. Then I add a permission and select AWTPermission. Under Target name I select createRobot. The Actions field I leave empty, because I can't think what would apply here. The Signed By field in this window is also left empty. Then I click "OK" and "Finish" and I get a warning that there is no public key for the alias that I entered in the first step. I do "Save As" and save the policy file in the same directory where I put the certificate and the keystore generated from it.

This does not allow me to run the applet from a web page, but my limited understanding of this aspect of programming does not provide any indication as to what went wrong.

Ideas, thoughts, observations? If I did not mention something, then I did not do it. My biggest suspect is the warning I get, but I can't find the reason for its appearance.

EDIT: Forgot to mention a step. I manually added the line "policy.url.3=file:/C:/Testing/debugpolicy" to my jre\lib\security\java.security file, since that is the path and file name of the policy file I created during the above steps. I also just got rid of the warning that I mentioned earlier: I had mixed up my aliases and given the alias of the private keystore entry, not the public one, during the creation of the policy file. However, I still encounter the same problems.
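For comparison, this is what the policy file produced by the policytool steps above should look like in plain policy-file syntax (an added example, not from the original post; the keystore file name, the alias and the codeBase URL are placeholders). The signedBy alias must name a trusted-certificate entry in the keystore that the keystore directive points to; otherwise policytool warns that there is no public key for the alias and the grant never matches any code.

```text
// C:\Testing\debugpolicy  (path from the question; keystore name and alias are placeholders)

// Keystore holding the imported applet certificate. The alias used in
// "signedBy" below must be an entry in this keystore, or the grant is dead.
keystore "file:/C:/Testing/applet.keystore", "JKS";

// Grant only the one permission the applet needs, only to code signed with
// that certificate, and only when it is loaded from the page's server directory.
grant signedBy "appletcert", codeBase "http://intranet.example/applets/*" {
    permission java.awt.AWTPermission "createRobot";
};
```

The file only takes effect once java.security references it, which is what the policy.url.3 line added in the edit above does.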

1 answer

If the applet is correctly signed, a policy file is not required, and it is not necessary to separately download any certificate. A properly signed applet will prompt the user for permission when the page with the applet is visited, before it loads. Does the prompt appear?

Here is a small demo I wrote that demonstrates the defensive loading of trusted applets. This is the security prompt I'm talking about.

If the applet is both digitally signed by the developer and trusted by the end user, it should be able to capture the screen.

There is one more thing you can try, as an experiment (1), if the applet is trusted. At the start of the applet's init(), call System.setSecurityManager(null). This will check whether the applet is trusted, and destroy the last vestiges of the "reliable" security manager provided to applets.

And if that works and makes the screen capture succeed, it either indicates a bug, or Oracle changed its mind about what a trusted applet can do.

1) Do not do this in the real world or in a production environment. To quote Tom Hawtin:

This question seems to have given the impression that calling System.setSecurityManager(null); is okay.... In case anyone has any doubts, changing global state in an applet will affect all applets in the same process. Clearing the security manager will allow any unsigned applet to do what it likes. Please do not sign code that plays with global state with a certificate you expect to be trusted.


Edit 1: Here is the source of the simple applet used in this demo. For some reason, when I initially uploaded it, I decided that the source was irrelevant. OTOH 3 people have now asked to see the source for one reason or another. When I get a round tuit, I will upload the source to my site. In the meantime I will put it here.

```java
package org.pscode.eg.docload;

import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.net.*;
import java.io.*;
import java.security.*;

/** An applet to display documents that are JEditorPane compatible. */
public class DocumentLoader extends JApplet {

    JEditorPane document;

    @Override
    public void init() {
        System.out.println("init()");

        JPanel main = new JPanel();
        main.setLayout( new BorderLayout() );
        getContentPane().add(main);

        try {
            // It might seem odd that a sandboxed applet can /instantiate/
            // a File object, but until it goes to do anything with it, the
            // JVM considers it 'OK'. Until we go to do anything with a
            // 'File' object, it is really just a filename.
            File f = new File(".");

            // set up the green 'sandboxed page', as a precaution..
            URL sandboxed = new URL(getDocumentBase(), "sandbox.html");
            document = new JEditorPane(sandboxed);
            main.add( new JScrollPane(document), BorderLayout.CENTER );

            // Everything above here is possible for a sandboxed applet

            // *test* if this applet is sandboxed
            final JFileChooser jfc = new JFileChooser(f); // invokes security check

            jfc.setFileSelectionMode(JFileChooser.FILES_ONLY);
            jfc.setMultiSelectionEnabled(false);

            JButton button = new JButton("Load Document");
            button.addActionListener( new ActionListener(){
                public void actionPerformed(ActionEvent ae) {
                    int result = jfc.showOpenDialog( DocumentLoader.this);
                    if ( result==JFileChooser.APPROVE_OPTION ) {
                        File temp = jfc.getSelectedFile();
                        try {
                            URL page = temp.toURI().toURL();
                            document.setPage( page );
                        } catch(Exception e) {
                            e.printStackTrace();
                        }
                    }
                }
            } );
            main.add( button, BorderLayout.SOUTH );

            // the applet is trusted, change to the red 'welcome page'
            URL trusted = new URL(getDocumentBase(), "trusted.html");
            document.setPage(trusted);
        } catch (MalformedURLException murle) {
            murle.printStackTrace();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        } catch (AccessControlException ace) {
            ace.printStackTrace();
        }
    }

    @Override
    public void start() {
        System.out.println("start()");
    }

    @Override
    public void stop() {
        System.out.println("stop()");
    }

    @Override
    public void destroy() {
        System.out.println("destroy()");
    }
}
```

Source: https://habr.com/ru/post/1333345/
