Java applet AccessControlException (apache httpclient)

Question

I have the following HttpGet() function:

    HttpGet request = new HttpGet(url);

    request.setHeader("User-Agent", userAgent);
    request.setHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    request.setHeader("Accept-Language", "en-US,en;q=0.5");
    if (!cookies.equals(""))
        request.setHeader("Cookie", this.cookies);

    for (Map.Entry<String, String> header : tempHeaders.entrySet())
    {
        request.setHeader(header.getKey(), header.getValue());
    }
    tempHeaders.clear();

    HttpResponse response = client.execute(request);

This function is part of a Browser() class that wraps the Apache's HttpClient. When I run the applet in the Applet viewer, everything works fine. However, when I embed the applet into a page, I get the following exception :

java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:80" "connect,resolve")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkConnect(Unknown Source)
    at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
    at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:117)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    **at vidinstant.HttpBrowser.Get(HttpBrowser.java:60)**
    at vidinstant.ServerThread$1.run(ServerThread.java:201)
    at vidinstant.ServerThread$1.run(ServerThread.java:197)
    at java.security.AccessController.doPrivileged(Native Method)
    at vidinstant.ServerThread.GetLink(ServerThread.java:196)
    at vidinstant.ServerThread.run(ServerThread.java:95)

You can see that the "source" of the exception is at line 60 in the Browser class, more precisely, it is this line from the above excerpt of the code:

  HttpResponse response = client.execute(request);

I have self-signed the applet .jar and the manifest file has the line "Permissions: all-permissions" in it.

Why do I get this exception and why is the access denied? The user which runs the applet in it's browser clicks Allow and Don't block, yet it still doesn't work. Do Apache's library .jars have to be signed too? Do they need to have "all-permisions" in their manifest? How to get permission to run such functions, without the user having to fiddle with their Java policy files?

Answer 1

Do Apache's library .jars have to be signed too?

Yes. There is no '90%' secure allowed. Deployed code is either considered secure, ..or not secure.