views:

2098

answers:

3

I have an easy self-signed an applet (done with keytool and the jarsigner):

public class NetAppletLauncher extends JApplet {

 private static final long serialVersionUID = 1L;

 public void init() {
  exec("notepad c:/hello.txt");
 }

 public void exec(String command) {

  try {

   // launch EXE and grab stdin/stdout and stderr
   Process process = Runtime.getRuntime().exec(command);
   //  OutputStream stdin = process.getOutputStream();
   InputStream stderr = process.getErrorStream();
   InputStream stdout = process.getInputStream();

   // "write" the parms into stdin
//   stdin.write(arguments.getBytes());
//   stdin.flush();
//   stdin.close();

   // clean up if any output in stdout
   String line = "";
   BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
   while ((line = brCleanUp.readLine()) != null) {
    //System.out.println ("[Stdout] " + line);
   }
   brCleanUp.close();

   // clean up if any output in stderr
   brCleanUp = new BufferedReader(new InputStreamReader(stderr));
   while ((line = brCleanUp.readLine()) != null) {
    //System.out.println ("[Stderr] " + line);
   }
   brCleanUp.close();

  } catch (Exception exception) {
   exception.printStackTrace();
  }

 }

}

Basically, what it does, is that it executes 'notepad c:/hello.txt'.

Then i embed the applet in html:

<applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet>

When i visit the page, JRE starts and asks me if i want to start this applet and if i trust it. I press ok. Then notepad starts - as it should. No problem here.

But then i add this into the HTML-page:

<p class="link" onclick="document.applet.exec('calc');">remote desktop2</p>

Now when i press on this text, calc should start - right? But this gives me:

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
 at java.security.AccessControlContext.checkPermission(Unknown Source)
  • whats up with this? Why does it give me a security exception now, but it could start notepad before?
+2  A: 

The Java 2 security model requires (roughly) that every frame on the stack must be granted a permission for the access control context (acc) to have that permission. JavaScript is on the stack and does not have file access permissions.

Tom Hawtin - tackline
He could also have used the AccessController.doPrivileged API to elevate the privileges of the javascript function call to the one of the signed applet.http://www.inf.puc-rio.br/~roberto/java/jdk1.2/docs/guide/security/doprivileged.html
Jean-Philippe Jodoin
A: 

Solved the problem with, in Java:

exec(getParameter("command"));

and then in JavaScript:

<script type="text/javascript">

function exec( command ) {

 var applet = "<applet id='applet' style='visibility: hidden' name='applet' archive='NetAppletLauncher4.jar' code='src.NetsetAppletLauncher' width='20' height='20' MAYSCRIPT ><param name='command' value='" + command + "' />Sorry, you need a Java-enabled browser.</applet>";

 var body = document.getElementsByTagName("body")[0];
 var div = document.createElement("div");
 div.innerHTML = applet;
 body.appendChild(div);

}

</script>
corgrath
A: 

Hi, I too am facing the same problem of executing a command on the client screen. I am trying to execute a method in the applet and am getting the following error. Please note that when I go to this page the first time the page prompts me for to allow executing the applet (permissions box).

Error in the JAVA CONSOLE LOG:

access denied (java.io.FilePermission <<ALL FILES>> execute)
java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)

I am little bit lost with your post above where you explain the answer. Can you please post your javascript and the entire applet code? Especially the java part where you only have the noted the command - exec(getParameter("command"));

Thanks.

Ritesh
Ritesh: See http://stackoverflow.com/questions/1577290/signed-java-applet-throws-security-exception-on-connect-to-a-webservice for the right solution.
Sasha