I've recently gotten my hobby java project embedded into a page thanks to this very site, but now I'm having some security issues.

I have the include:

    import java.sql.*;

and the line:

    Class.forName("com.mysql.jdbc.Driver").newInstance();

as well as a MySQL .jar file in my src directory. It works from the console, and the applet works fine - up until that forName() line in my code, where it throws the exception:

    Exception: com.mysql.jdbc.Driverjava.lang.ClassNotFoundException: com.mysql.jdbc.Driver
    java.security.AccessControlException: access denied (java.lang.RuntimePermission exitVM.-1)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkExit(Unknown Source)
    at java.lang.Runtime.exit(Unknown Source)
    at java.lang.System.exit(Unknown Source)
    at applet.Database.connectDB(Database.java:80)
    etc...

I think I may be able to fix it with a client.policy file, otherwise I might need to write an abstraction layer which uses a server-client network connection to query from the server-side...

I'm sure the Java gurus here probably know the best way about it.

A: 

Try getting rid of the newInstance() part. I think just having the Class.forName() does it for loading the driver.

Cem Catikkas
You're right, I didn't need that bit, but it's still not working in the embedded applet. Same problem.
Dean
+2  A: 

If you're trying to use a JDBC driver from the applet, then the applet needs to be signed with a certificate, and your server needs to deliver this certificate when the applet is loaded on the client side.

gizmo
+1  A: 

The accepted way to do this is to make HTTP requests for data from the server from which the applet was loaded, and run the queries from the server. JSON or XML are good ways to exchange data between the applet and the server (similar to the way you do an AJAX application, sending XML or JSON between the browser and the server).

Tony BenBrahim
+2  A: 

I think the security exception is actually from a System.exit() call in your applet, after the Class.forName(). Generally you are not allowed to call System.exit() in unsigned applets as it shuts the whole JVM down. Have you checked if line 80 is actually the Class.forName() line, or does line 80 have some kind of exception handler which tries to call System.exit() if the driver does not load?

Anyway, in order to load the mysql jar file in your applet, you need to include it in an ARCHIVE attribute like this:

    <APPLET ARCHIVE="mysql.jar" CODEBASE="./src/" ...

Once you get past this stage, you will still need to host the mysql server at the same IP number/hostname as the webserver, and open it to all the same people who can access your applet. As Tony said, this isn't how people normally do it, for security reasons. Better to write something on the server side, if you have control of the app server, and use XML or some other data exchange method to get the data out to the applet. Of course if you are just experimenting to learn about applets, then it's probably fine - but do take care to keep mysql behind your firewall if possible.

Leigh Caldwell
Adding this attribute to the HTML tag works perfectly! Thanks! And thanks to everyone who warned about how easy it is to grab the authentication details through de-compilation, I thought this might be an issue, before making the app public I'll use a network protocol and do all the SQL server-side.
Dean
A: 

The exception tells you that the applet has been unable to load the driver class. Your applet needs to download the jar containing the class at runtime, via HTTP, so you must have the jar (mysql.jar or whatever it is called) available on the webserver.

Once you solve this problem the user will have to allow the applet permissions so that it can make a TCP socket connection to the mysql db server. They will be prompted with a dialog box...

johnstok
+1  A: 

As mentioned in one of the other answers (@Leigh Caldwell), I would strongly recommend not doing things this way. If your applet has access to MySQL then so does everyone else in the world. Decompilation is so trivial these days that it would only be a moment's work for an industrious hacker to get the applet credentials to the database. Also, MySQL's user/pass authentication is fairly weak, most of its security is IP-based. By opening it up to the world, you're throwing away your first line of defence.

A better approach would be to build some sort of frontend protocol on the server side (XMLRPC would be a good foundation and easy to use). If the applet absolutely needs access to a database, your best bet would be HSQLDB in memory. This doesn't require any file permissions and can be run completely in-sandbox. The local in memory database could be synchronized with the server as necessary using the aforementioned XMLRPC facade.

Daniel Spiewak
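The server-side facade that Tony, Leigh and Daniel describe, written out as an added example (this is not code from the question or from any of the answers). The server half uses the JDK's built-in `com.sun.net.httpserver` and a `PreparedStatement` with a bound parameter; the applet half only speaks HTTP to the host it was loaded from and never holds database credentials. The JDBC URL, the `scores` table, the `/api/scores` path, port 8080 and the `DB_USER`/`DB_PASS` environment variables are all assumptions for the sake of the example; JSON is used as the exchange format, as suggested above, but XML or XML-RPC would work the same way.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Server side: the only component that knows the MySQL credentials. Runs next to the web server. */
public class DataFacade {
    // Assumed values: database on the server's own loopback interface, credentials from the environment.
    private static final String JDBC_URL = "jdbc:mysql://127.0.0.1:3306/hobbydb";
    private static final String DB_USER = System.getenv("DB_USER");
    private static final String DB_PASS = System.getenv("DB_PASS");

    // A fixed, named query: the applet picks an operation and supplies a value; it never sends SQL.
    private static final String SCORES_SQL =
        "SELECT player, score FROM scores WHERE player = ? ORDER BY score DESC LIMIT 10";

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/api/scores", DataFacade::handleScores);
        server.start();
    }

    static void handleScores(HttpExchange ex) throws IOException {
        String query = ex.getRequestURI().getQuery();            // e.g. "player=dean"
        String player = (query != null && query.startsWith("player=")) ? query.substring(7) : null;
        if (player == null || !player.matches("[A-Za-z0-9_]{1,32}")) {
            respond(ex, 400, "{\"error\":\"bad player\"}");        // reject anything outside the expected shape
            return;
        }
        StringBuilder json = new StringBuilder("[");
        try (Connection c = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASS);
             PreparedStatement ps = c.prepareStatement(SCORES_SQL)) {
            ps.setString(1, player);                              // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    if (json.length() > 1) json.append(',');
                    json.append("{\"player\":\"").append(rs.getString(1))
                        .append("\",\"score\":").append(rs.getInt(2)).append('}');
                }
            }
        } catch (SQLException e) {
            respond(ex, 500, "{\"error\":\"database unavailable\"}"); // no driver or schema details reach the client
            return;
        }
        respond(ex, 200, json.append(']').toString());
    }

    private static void respond(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", "application/json");
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream os = ex.getResponseBody()) { os.write(bytes); }
    }
}

/** Applet side: ships no JDBC driver and no credentials; call fetchScores(getCodeBase(), name) from the applet. */
class ScoresClient {
    static String fetchScores(URL codeBase, String player) throws IOException {
        // An unsigned applet may connect back to the host it was loaded from, so the facade lives there too.
        URL api = new URL(codeBase, "/api/scores?player=" + URLEncoder.encode(player, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) api.openConnection();
        conn.setRequestMethod("GET");
        if (conn.getResponseCode() != 200) {
            // Report failure to the caller (e.g. via showStatus); never System.exit() from an applet,
            // since the sandbox denies RuntimePermission "exitVM" exactly as the stack trace above shows.
            throw new IOException("facade returned HTTP " + conn.getResponseCode());
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        }
        return buf.toString("UTF-8");
    }
}
```

With this split, the MySQL port never needs to be reachable from the internet: the database listens on the server's loopback interface, the facade is the only client, and the applet can be decompiled freely without exposing anything beyond the URL it already fetches from. If you later want the in-sandbox HSQLDB approach Daniel mentions, the same `fetchScores` call is the sync channel for it.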