Signed Applet security issues.

SPG

Sep 21, 2004, 11:47:41 AM
Hi,

I have a signed applet, with which I need to make a TCP or HTTP connection
to a remote server.

Sounds simple enough. The old version supported only MS JVM and SUN < 1.3.
This worked fine by performing the following checks before connecting:

private void sampleConnect(){
    //ASSUME THESE ARE CONSTANTS.
    //This code is from a MS J++ project using conditional compilation
    if (!SUN_JVM ){
        PolicyEngine.assertPermission(PermissionID.NETIO);
    }else{
        System.getSecurityManager().checkConnect("127.0.0.1",0);
    }

    Socket sock = new Socket("170.198.239.115", 80);
    InputStream is = sock.getInputStream();
    //Blah blah blah..
}

Now, as I said this works fine in the old JVMs. But now I have to support
the newer JVMs also.

I have recompiled my code using the AccessController.doPrivileged() method.
The implementation is as follows:


public int verifyNetworkPrivileges(final String psHost, final int piPort)
{
    // doPrivileged() returns Object for a raw PrivilegedAction, so cast the result
    Integer i = (Integer) AccessController.doPrivileged(new PrivilegedAction()
    {
        public Object run()
        {
            int i_Connect = 0;
            try
            {
                SocketPermission test = new SocketPermission(psHost + ":" + piPort, "connect");
                java.security.AccessController.checkPermission(test);
                i_Connect = 1;
            }
            catch (SecurityException e)
            {
                i_Connect = 0;
            }
            // Return the connect value
            return (new Integer(i_Connect));
        }
    });

    return i.intValue();
}

then the code in my new connect routine is as follows:

private void sampleConnect(){
    try{
        int allowed = verifyNetworkPrivileges("170.198.239.115", 80);
        if( allowed != 0){
            Socket sock = new Socket("170.198.239.115", 80);
            InputStream is = sock.getInputStream();
            //Blah blah blah..
        }
    }catch(Exception err){
        err.printStackTrace();
        System.out.println(err.getMessage());
    }
}


The resulting error is as follows:


Certificate has been verified with Root CA certificates sucessfully
Modality pushed
Modality popped
User selected: 0
User has granted the priviledges to the code for this session only
Adding certificate in JPI session certificate store
Added certificate in JPI session certificate store
Saving certificates in JPI session certificate store
Saved certificates in JPI session certificate store
Invoking method: public boolean JXDataFeed.Subscribe(java.lang.String)
Needs conversion: java.lang.String --> java.lang.String
Attempting to connect via TCP/IP
General exception in getTCPSocket() Connection refused: connect
com.fdlweb.net.xfire.client.JXTCPConnect.Connect Error: null
TCP/IP Failed, Attempting to Connect via HTTP
170.198.239.115 - 80
java.security.AccessControlException: access denied (java.net.SocketPermission 170.198.239.115:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.fdlweb.net.xfire.client.JXHTTPConnect.Connect(JXHTTPConnect.java:168)
at com.fdlweb.net.xfire.client.JXHTTPConnect.run(JXHTTPConnect.java:323)
at java.lang.Thread.run(Unknown Source)
com.fdlweb.net.xfire.client.JXHTTPConnect.SendDataHTTP Exception: access denied (java.net.SocketPermission 170.198.239.115:80 connect,resolve)


I have correctly signed the applet, and have accepted the certificate. This
is starting to drive me crazy.. Has anyone got a solution for this? Please?

Steve


SPG

Sep 21, 2004, 2:38:38 PM
All,

I think I fixed it..
The problem appears to be that the security applies on the thread it was
created on only.
Make sure that the security is applied to the thread requesting the socket
and all is lovely!

Steve

"SPG" <steve.nosp...@nopoo.blueyonder.co.uk> wrote in message
news:x2Y3d.604$jC7.6...@news-text.cableinet.net...

SPG

Sep 22, 2004, 6:34:35 AM
A
"SPG" <steve.nosp...@nopoo.blueyonder.co.uk> wrote in message
news:x2Y3d.604$jC7.6...@news-text.cableinet.net...

KC Wong

Sep 22, 2004, 9:08:40 PM
<snip>

You need to do the whole task that requires additional permission *inside*
the doPrivileged() method... it is not used to check permission.

If you just want to check permission, do this (code cut from API doc of
java.security.AccessController):
FilePermission perm = new FilePermission("/temp/testFile", "read");
AccessController.checkPermission(perm);

Read the API docs carefully on how to use, and when to use, doPrivileged().


SPG

Sep 23, 2004, 6:55:42 AM
Hi,

OK, I am a bit confused..

This fails with a security exception:

SecurityManager security = System.getSecurityManager();
security.checkConnect(psNetworkAddress, piPort);

But this passes:

AccessController.doPrivileged(new PrivilegedAction(){
    public Object run(){

        SocketPermission test = new SocketPermission(psNetworkAddress + ":" + piPort, "connect");
        java.security.AccessController.checkPermission(test);

        return new Socket(psNetworkAddress, piPort);
    }
});

I would really like to use the SecurityManager version of this as it
is available in the MS JVM also, which means I do not have to keep two
sets of code..

I am really stuck with this one.

Steve
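
Added example, not part of any post in this thread: the pattern KC Wong describes, with the socket opened inside doPrivileged() so that the permission check stops at the signed code's own frame instead of walking on to earlier, less-trusted callers on the stack. The class name and the endpoint allowlist are assumptions; the allowlist keeps a less-trusted caller from choosing where the privileged connect goes.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not the poster's code). Written for the SecurityManager-era
// JVMs the thread is about (Java 5 to 8 style APIs). The class name and the
// allowlist contents are hypothetical.
public class PrivilegedConnect {

    // Fixed endpoints the signed code is meant to reach. A privileged block
    // should never connect to a host supplied unchecked by its caller.
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("170.198.239.115:80"));

    static Socket connectPrivileged(final String host, final int port)
            throws IOException {
        // Validate before elevating: reject anything outside the allowlist.
        if (!ALLOWED.contains(host + ":" + port)) {
            throw new SecurityException(
                    "endpoint not allowlisted: " + host + ":" + port);
        }
        try {
            // The Socket constructor triggers SecurityManager.checkConnect().
            // Because it runs inside doPrivileged(), the stack walk stops at
            // this class's protection domain, so callers further up the
            // stack no longer cause an AccessControlException.
            return AccessController.doPrivileged(
                    new PrivilegedExceptionAction<Socket>() {
                        public Socket run() throws IOException {
                            return new Socket(host, port);
                        }
                    });
        } catch (PrivilegedActionException e) {
            // run() declares only IOException, so this cast is safe.
            throw (IOException) e.getException();
        }
    }
}
```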
