Java applet security warning for application involving disk read

views:

answers:

Java applet security warning for application involving disk read

I have a java applet that is downloaded to a user's browser when they visit a webpage and allows them resumable file uploads to my server. Obviously, this requires the applet to access the user's hard disk, which I understand is outside the regular sandbox applets can run in. The user sees a security warning popup which asks for their permission to allow this applet to run.

I have signed the applet using verisign and the link from where is applet is fetched is over SSL with a versigned cert. None of these make the warning go away.

Is there a way to make all warnings go away? Can anyone explain what is going on behind the scenes?

+1 A:

You can't avoid this message, it would be a security issue if you could.

Granting Applets Permission

If you tried to run the applet example, you undoubtedly saw errors when you clicked the Click Me button. This is because the Java 2 Platform security does not permit an applet to write to and read from files without explicit permission.

An applet has no access to local system resources unless it is specifically granted the access. So for the FileUIAppl program to read from text.txt and write to text.txt, the applet has to be given the appropriate read or write access permission for each file.

Access permission is granted with a policy file, and appletviewer is launched with the policy file to be used for the applet being viewed.

What you can do is having a configuration (a policy file) to allow this applet to use some files. But you would have to do this manually (for obvious security reasons). Check the link below.

Resources :

sun.com - Applets, File Access and Permissions

Colin Hebert 2010-09-23 20:12:53

Does this get rid of the confirmation dialog? I hope not, otherwise I would be really scared: Any website with a signed applet I visit could read my hard disk?

nhnb 2010-09-23 20:52:05

No, the user have to use a preconfigured policy file manually added. But you're right it would be a terrible security issue

Colin Hebert 2010-09-23 21:00:55

+1 A:

JNLP has a FileOpenService which allows the untrusted Java Webstart applications to show a File Open dialog to the user and access the file the user selected:

http://download-llnw.oracle.com/javase/1.5.0/docs/guide/javaws/jnlp/javax/jnlp/FileOpenService.html

nhnb 2010-09-23 20:17:13

Even if JNLP is a better idea, I think that the application of the OP already exists and works with applets so this doesn't really answers the question.

Colin Hebert 2010-09-23 20:46:55

I am not sure if it works if the services is invoked from an old style applet with the <object>-tag. But JNLP can start applets and there it works.

nhnb 2010-09-23 20:50:54

For a demo. of the FileObject see http://pscode.org/jws/api.html#fs. JNLP applets can be embedded in a web page since the Plug-In 2 architecture was introduced in 1.6.0_10. The applet form of GIFanim at http://pscode.org/gifanim/#run is an embedded JNLP applet. JNLP based prompts are less scary than the traditional prompt because they occur at the exact moment they are needed, and are more specific to the extended permission required.

Andrew Thompson 2010-09-24 02:30:38

ansaurus

tags:

views:

answers:

Java applet security warning for application involving disk read

related questions