Question

I have an easy self-signed an applet (done with keytool and the jarsigner):

public class NetAppletLauncher extends JApplet {

    private static final long serialVersionUID = 1L;

    public void init() {
        exec("notepad c:/hello.txt");
    }

    public void exec(String command) {

        try {

            // launch EXE and grab stdin/stdout and stderr
            Process process = Runtime.getRuntime().exec(command);
            //      OutputStream stdin = process.getOutputStream();
            InputStream stderr = process.getErrorStream();
            InputStream stdout = process.getInputStream();

            // "write" the parms into stdin
//          stdin.write(arguments.getBytes());
//          stdin.flush();
//          stdin.close();

            // clean up if any output in stdout
            String line = "";
            BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stdout] " + line);
            }
            brCleanUp.close();

            // clean up if any output in stderr
            brCleanUp = new BufferedReader(new InputStreamReader(stderr));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stderr] " + line);
            }
            brCleanUp.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }

    }

}

Basically, what it does, is that it executes 'notepad c:/hello.txt'.

Then i embed the applet in html:

<applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet>

When i visit the page, JRE starts and asks me if i want to start this applet and if i trust it. I press ok. Then notepad starts - as it should. No problem here.

But then i add this into the HTML-page:

<p class="link" onclick="document.applet.exec('calc');">remote desktop2</p>

Now when i press on this text, calc should start - right? But this gives me:

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
  • whats up with this? Why does it give me a security exception now, but it could start notepad before?
Was it helpful?

Solution 2

Solved the problem with, in Java:

exec(getParameter("command"));

and then in JavaScript:

<script type="text/javascript">

function exec( command ) {

    var applet = "<applet id='applet' style='visibility: hidden' name='applet' archive='NetAppletLauncher4.jar' code='src.NetsetAppletLauncher' width='20' height='20' MAYSCRIPT ><param name='command' value='" + command + "' />Sorry, you need a Java-enabled browser.</applet>";

    var body = document.getElementsByTagName("body")[0];
    var div = document.createElement("div");
    div.innerHTML = applet;
    body.appendChild(div);

}

</script>

OTHER TIPS

The Java 2 security model requires (roughly) that every frame on the stack must be granted a permission for the access control context (acc) to have that permission. JavaScript is on the stack and does not have file access permissions.

I agree : it is prohibited to manipulate a signed applet from javascript, and the workaround is to rewrite the applet tag in javascript in the page document.

I found this source with a bit of theory proving we are right http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote

Actually, calling applet from javascript behaves as calling unsigned applet (as specified in the jsnote: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote. That is fine and is valid when you're using a class you are not allowed to change, but since you're the author of the java class you can always wrap that specific method you need to call from javascript to be executed in the privileged mode, like this:

AccessController.doPrivileged(new PrivilegedAction<String>() {
    @Override
    public String run() {
        exec(command);
        return null;
    }
});

And it should work ok. (This is what is suggested in the upvoted comment by @Jean-Philippe Jodoin but the link provided there is broken)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top