How to avoid java.security.AccessControlException through jtwitter (twitter API) from java applet

Question

I am writing a simple applet (my first) to retrieve the most recent status from a twitter account. This works fine when running from javaw.exe launched from within eclipse. However, when run from a browser I get the error:

java.security.AccessControlException: access denied (java.net.SocketPermission twitter.com:80 connect, resolve)

Any advice on how to avoid this?

The call:

private void updateStatus() {
    try {
        Twitter client = new Twitter("user", "pw");
        Status status = client.getStatus();
        addItem(status.toString());
    }
    catch (Throwable t) {
        addItem(t.getMessage());
    }
}

The connection to the client is succeeding. It is the getStatus() call which throws the exception. I notice that eclipse adds "-Djava.security.policy=java.policy.applet" to javaw.exe, not sure if this has anything to do with why it works from eclipse and not from within a browser. Frustratingly, I tried to run the same javaw.exe command directly with the same CL parameters and PATH as eclipse uses successfully. However, when I run it directly javaw.exe exits immediately. jtwitter is a simple wrapper on the Twitter API.

Answer 1

Browser applets are running in a sandbox with lower security permissions. Certain operations are not allowed, such as certain GUI operations (to prevent e.g. an applet from secretly running a key logger in the background). Apparently the operation you're trying to do isn't allowed either.

To solve this, you have to sign your applet. A signed applet is allowed to run under normal security permissions. To do that you have to create a security certificate and sign your applet with jarsigner.

No need to buy expensive certificates, at least not if this is a small personal project. A self-signed certificate will do (the only trouble is that the browser will pop-up a message saying "certificate could not be confirmed" or something like that).

See also: Signed applet tutorial

Answer 2

I'm having the same problem except I did go through and sign my applet jar file for -selfcert, but I still get the same exception thrown.

I am using jre 1.6.0.20 and have checked the "Security -> Certificates" tab of the java control panel and it shows the certificate that I answered "Run" to in IE when first accessing the html file.

I followed the instructions here to do the self certification process on the jar file I exported from exclipse that has 3 classes one being the extended Applet class and interface.

Any ideas on why I would still receive the AccessControlException even after certifying the jar file?

http://forums.sun.com/thread.jspa?threadID=174214

java.security.AccessControlException: access denied (java.net.SocketPermission www.google.com:80 connect,resolve) at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.SecurityManager.checkConnect(Unknown Source) at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)

Thanks in advance for any help.

Answer 3

@ Dave

In addition to getting your jar signed you have to ensure the code you need marked as privileged is wrapped in a privileged block.

final String googleUrl = "www.google.com"
URL url = (URL) AccessController.doPrivileged(new PrivilegedAction() 
    {
        public Object run() 
        {
            try
            {
                return new URL(googleUrl);
            }
            catch (MalformedURLException e)
            {
                e.printStackTrace();
                return null;
            }
        }  
    });