From: Achilleas Mantzios
Organization: Dynacom Tankers Mgmt
To: freebsd-java@freebsd.org
Date: Mon, 9 Jan 2012 19:09:36 +0200
Subject: Re: applet security issue

Solved! I had to manually sign all jars involved.

Also I had tried a packaging scheme like this:

achill@smadev:~/workspace/SMA> jar tvf SMA_APPLETS.jar
  1523 Mon Jan 09 18:55:28 EET 2012 META-INF/MANIFEST.MF
  1517 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.SF
  1100 Mon Jan 09 18:55:28 EET 2012 META-INF/DYNACOM.DSA
     0 Mon Jan 09 18:55:30 EET 2012 META-INF/
     0 Mon Jan 09 17:02:06 EET 2012 com/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/
     0 Mon Jan 09 17:02:06 EET 2012 com/gatewaynet/web/
     0 Mon Jan 09 17:47:04 EET 2012 com/gatewaynet/web/applets/
  1835 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/DirectoryJApplet.class
   441 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/Photo.class
  1118 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$1.class
   665 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$2.class
   638 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet$3.class
  9393 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJApplet.class
   834 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoJAppletTest.class
   469 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$1.class
  1011 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$2.class
   427 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
  1552 Mon Jan 09 18:55:28 EET 2012 com/gatewaynet/web/applets/PhotoWorker.class
 64667 Mon Jan 09 18:55:10 EET 2012 commons-logging-1.1.1.jar
248764 Mon Jan 09 18:55:26 EET 2012 commons-codec-1.6.jar
290818 Mon Jan 09 16:18:22 EET 2012 commons-httpclient-3.0.1.jar

with META-INF/MANIFEST.MF reading:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Class-Path: commons-logging-1.1.1.jar commons-codec-1.6.jar commons-ht
 tpclient-3.0.1.jar
Created-By: 20.0-b12 (Sun Microsystems Inc.)

Name: com/gatewaynet/web/applets/PhotoJAppletTest.class
SHA1-Digest: tVdZkLaPBO+2K7sXumm/UFrV33I=

Name: com/gatewaynet/web/applets/PhotoWorker.class
SHA1-Digest: ngl173D/yVdeVBNla7eA/g+pwns=

Name: com/gatewaynet/web/applets/PhotoWorker$1.class
SHA1-Digest: WA31AIKyDPK2YpyNkLVc8l+qyUc=

Name: com/gatewaynet/web/applets/Photo.class
SHA1-Digest: 9javBv5dnwqKgvP8lCRmYw/HvJM=

Name: commons-httpclient-3.0.1.jar
SHA1-Digest: y+YbW9oPtpE966w60dHhdMHJ/yk=

Name: com/gatewaynet/web/applets/PhotoWorker$ThreadVar.class
SHA1-Digest: ZJhQ7ihMCWoeehE78Zr4vAE2lic=

Name: com/gatewaynet/web/applets/PhotoJApplet.class
SHA1-Digest: y1hVH2FJi0wjHb10IWdWCq4UYcU=

Name: com/gatewaynet/web/applets/PhotoWorker$2.class
SHA1-Digest: r8xW1aPUaXrwuL6QnPLYkOj+hts=

........

and applet tag like:

"> "> "> "> "> ">

well, this worked *ONLY* in FreeBSD....

So, when packaging the other 3 apache libs in my applet jar, this worked for
icedtea only, but for no Windows plugin (jre 1.5, jre 1.6 U20, jre 1.6 U30).
When I exported the 3 apache libs independently like in:

"> "> "> "> "> ">

all worked fine.....

However, in any case *all* the jars were signed.... Forgetting to do so ended
in errors....

On Mon 09 Jan 2012 15:34:46 Achilleas Mantzios wrote:
> Hello java freebsd-ers!
>
> After struggling for hours in order to even see the digital signature
> security window appearing for my applet (and I did a lot of things,
> bundling all libs in one jar, re-signing, etc...)
> I got to the point where the applet starts, but then gives me a:
> java.security.AccessControlException: access denied (java.io.FilePermission
> /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>
> the stack trace is like:
>
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jboss-6.0.0.Final/paidia2.jpg read)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
>     at java.security.AccessController.checkPermission(AccessController.java:553)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:284)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at java.io.File.isFile(File.java:793)
>     at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:67)
>     at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:88)
>     at org.apache.commons.httpclient.methods.multipart.FilePart.<init>(FilePart.java:178)
>     at com.gatewaynet.web.applets.PhotoJApplet.actionPerformed(PhotoJApplet.java:285)
>
> PhotoJApplet.java:285 reads:
>
> FilePart filePart = new FilePart(thisfile.getName(),thisfile.getName(),thisfile,"image/jpeg",null);
>
> The funny thing is that the very same signed applet reads the contents of
> the /usr/local/jboss-6.0.0.Final/ without problem:
>
> String fname=imgPath + "/"+photos[i].filename;
> ImageIcon icon = new ImageIcon(fname);
>
> It's only when the IO is called from within apache's httpclient that I get
> the problem.
>
> (pls do not get confused, here jboss wears the hat of the dummy firefox
> user, nothing j2ee involved!)
>
>
> Any info would be great.

-- 
Achilleas Mantzios
IT DEPT
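
Added example, not part of the original post: a Python audit of the packaging discussed above. It reports whether a jar has a signature file and signature block in META-INF, which entries lack a matching SHA1-Digest in the manifest, and recurses into Class-Path jars bundled inside the jar. `build_jar`, the sample jars and the placeholder .SF/.DSA bytes are constructed for illustration; the signature itself is not cryptographically checked (`jarsigner -verify` does that).

```python
import base64, hashlib, io, zipfile

def b64sha1(blob):
    return base64.b64encode(hashlib.sha1(blob).digest()).decode()

def parse_manifest(text):
    """Split MANIFEST.MF text into (main attributes, {entry name: attributes})."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # rejoin wrapped lines
    sections = [dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
                for block in text.split("\n\n") if block.strip()]
    main = sections[0] if sections else {}
    return main, {s["Name"]: s for s in sections[1:] if "Name" in s}

def audit_jar(data):
    """Structural signing audit of a jar given as bytes; no signature crypto."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    files = [n for n in zf.namelist() if not n.endswith("/")]
    meta = [n for n in files if n.upper().startswith("META-INF/")]
    signed = (any(n.upper().endswith(".SF") for n in meta) and
              any(n.upper().endswith((".DSA", ".RSA", ".EC")) for n in meta))
    mf = "META-INF/MANIFEST.MF"
    main, entries = parse_manifest(zf.read(mf).decode() if mf in files else "")
    undigested = [n for n in files if n not in meta  # digest missing or stale
                  and entries.get(n, {}).get("SHA1-Digest") != b64sha1(zf.read(n))]
    nested = {j: audit_jar(zf.read(j))  # Class-Path jars packed inside this jar
              for j in main.get("Class-Path", "").split() if j in files}
    return {"signed": signed, "undigested": undigested, "nested": nested}

def build_jar(files, extra_main="", sign=True):
    """Constructed sample jar; .SF/.DSA contents are placeholders, not signatures."""
    mf = "Manifest-Version: 1.0\r\n" + extra_main + "\r\n"
    for name, blob in (files.items() if sign else []):
        mf += f"Name: {name}\r\nSHA1-Digest: {b64sha1(blob)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", mf)
        for name in ("META-INF/DYNACOM.SF", "META-INF/DYNACOM.DSA") if sign else ():
            zf.writestr(name, "placeholder")
        for name, blob in files.items():
            zf.writestr(name, blob)
    return buf.getvalue()

# Constructed input: the Class-Path wrapped as in the post, one bundled unsigned lib.
CP = ("Class-Path: commons-logging-1.1.1.jar commons-codec-1.6.jar commons-ht\r\n"
      " tpclient-3.0.1.jar\r\n")
LIB = build_jar({"org/Lib.class": b"lib"}, sign=False)
BUNDLE = build_jar({"com/gatewaynet/web/applets/Photo.class": b"app",
                    "commons-httpclient-3.0.1.jar": LIB}, extra_main=CP)
print(audit_jar(BUNDLE))
```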