Applets, JAXB and security policy

Myriam Abramson

Hello,

I have an applet using JAXB. I was able to overcome the security
restriction using appletviewer by specifying a java.policy that grants
all permissions on the command line:

appletviewer -J-Djava.security.policy=java.policy index.html

Now, I need to deploy that applet on the web. How can I specify this
policy encoded in the file named java.policy on the APPLET tag of
index.html?

TIA
 
Andrew Thompson

Myriam Abramson wrote:
> ...
> I have an applet using JAXB. I was able to overcome the security
> restriction

What 'security restriction'? Applets should be able to access
documents relative to their own codebase while *sandboxed.*
Resources from the same server are a little harder to get an
URL to, but still accessible to the sandboxed applet.

> ..using appletviewer by specifying a java.policy that grants
> all permissions on the command line:
>
> appletviewer -J-Djava.security.policy=java.policy index.html

That is extremely non-optimal. It is impractical to go
editing the java.policy file on user machines, and they
certainly would not gain from having all applets allowed
to do anything.

--
Andrew Thompson
http://www.physci.org/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
 
Myriam Abramson

I get this message without a java.policy granting all permissions.

Exception in thread "AWT-EventQueue-1" java.security.AccessControlException: access denied (java.util.PropertyPermission javax.xml.bind.JAXBContext read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)

JAXB tries to read something so it becomes a security issue for the
applet if I understand it correctly?
 
Andrew Thompson

Myriam Abramson wrote:

Please refrain from top-posting. I find it most confusing.

> I get this message without a java.policy granting all permissions.

No. You get that message..
1) When the code is running with a security manager and
2) Lacks 'full trust', when
3) Attempting things that require full trust.

The situation you describe is *one* way to get around
that trust issue, but not a very good one.

> Exception in thread "AWT-EventQueue-1" java.security.AccessControlException: access denied (java.util.PropertyPermission javax.xml.bind.JAXBContext read)

OK - how exactly is the applet attempting to read the JAXBContext?
Is it something done directly in your code (URL or File, perhaps) or is
it invoked by other (e.g. JAXB) code over which you have no control?

An URL should be able to work sandboxed, whereas the File will
*not* be practical for an applet reading data off a remote server.

> JAXB tries to read something ..

That is sounding more like 'invoked from code beyond your control',
but I'd be interested to hear how the initial connection is formed (URL
or File) as that might influence other later decisions between using Files
or URLs.

> ..so it becomes a security issue for the
> applet if I understand it correctly?

It is not entirely clear to me yet, some 'read's will be allowed,
but it seems (from the scant evidence so far) that this applet
is trying to establish File objects, which makes little sense
in an applet (ever).

Can you provide a self contained code example that shows
the same effect?

--
Andrew Thompson
http://www.physci.org/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200712/1
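
An added example, not written by either poster: for the appletviewer test discussed above, a small Python helper that turns the AccessControlException text into a policy grant containing only the permission that was denied, rather than all permissions. The codebase URL is a placeholder, the sample lines are constructed from the message quoted in the thread, and the quoted message form is the one later JDKs print.

```python
import re

# Matches the unquoted form shown in this thread and the quoted form that
# later JDKs print: access denied ("Class" "target" "actions")
DENIED = re.compile(r'access denied \((?P<body>[^)]*)\)')

def parse_denial(line):
    """Return (permission_class, target, actions) or None if no denial."""
    m = DENIED.search(line)
    if not m:
        return None
    body = m.group("body")
    parts = re.findall(r'"([^"]*)"', body) or body.split()
    if len(parts) < 2:
        return None
    if len(parts) == 2:                      # permission without actions
        return parts[0], parts[1], None
    # Assumption: last token is the action list, the rest is the target.
    return parts[0], " ".join(parts[1:-1]), parts[-1]

def policy_for(lines, codebase):
    """Build one grant block holding only the permissions that were denied."""
    perms = []
    for line in lines:
        p = parse_denial(line)
        if p is None or p in perms:
            continue
        if p[0] == "java.security.AllPermission":
            raise ValueError("refusing to grant AllPermission")
        perms.append(p)
    out = ['grant codeBase "%s" {' % codebase]
    for cls, target, actions in perms:
        # Backslashes are escape characters inside policy-file strings.
        entry = '    permission %s "%s"' % (cls, target.replace("\\", "\\\\"))
        out.append(entry + (', "%s";' % actions if actions else ";"))
    out.append("};")
    return "\n".join(out)

# Constructed input: the denial quoted in the thread, the same denial in the
# quoted format, and an unrelated stack-trace line.
SAMPLE = [
    'java.security.AccessControlException: access denied '
    '(java.util.PropertyPermission javax.xml.bind.JAXBContext read)',
    'access denied ("java.util.PropertyPermission" '
    '"javax.xml.bind.JAXBContext" "read")',
    'at java.security.AccessControlContext.checkPermission(...)',
]
CODEBASE = "http://applet-host.example/applet/-"   # placeholder codebase URL

if __name__ == "__main__":
    print(policy_for(SAMPLE, CODEBASE))
```

The output can be saved as the file passed to `-J-Djava.security.policy=` in the appletviewer command from the first post; each further denial that appears is a prompt to review that permission before adding it.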
 
