java.security.AccessControlException issue

Thread view:

merrittr - 23 Mar 2007 17:44 GMT

I have a simple java program that reads a file from the OS filesystem
like this:

File file = new File("test.pdf");
FileInputStream in = new FileInputStream(file);
acrobat.setDocumentInputStream(in);

what I get from the JAVA console is:

Netscape security model is no longer supported.
Please migrate to the Java 2 security model instead.

java.lang.ExceptionInInitializerError:
java.security.AccessControlException: access denied
(java.util.PropertyPermission * read,write)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertiesAccess(Unknown Source)
    at java.lang.System.getProperties(Unknown Source)
    at com.adobe.acrobat.gui.ReaderPrefs.<clinit>(ReaderPrefs.java:514)
    at com.adobe.acrobat.Viewer.createViewer(Viewer.java:237)
    at com.adobe.acrobat.Viewer.<init>(Viewer.java:211)
    at SampleReader.<init>(SampleReader.java:46)
    at java.lang.Class.newInstance0(Native Method)
    at java.lang.Class.newInstance(Unknown Source)
    at sun.applet.AppletPanel.createApplet(Unknown Source)
    at sun.plugin.AppletViewer.createApplet(Unknown Source)
    at sun.applet.AppletPanel.runLoader(Unknown Source)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

so what don't I have access to? the file being read is set up that I
have access to t?

Reply to this Message

Tom Hawtin - 23 Mar 2007 18:43 GMT

> I have a simple java program that reads a file from the OS filesystem
> like this:

The important point is that it's an applet. As such it runs in a
sandbox, so it can't interfere with your files, or in this case System
properties.

> what I get from the JAVA console is:
>
> Netscape security model is no longer supported.
> Please migrate to the Java 2 security model instead.

I believe the applet is trying to use the very old Netscape security
API, which required the applet to request the permissions it was going
to use (typically, applets would ask for everything, which completely
missed the point).

Tom Hawtin

Reply to this Message

merrittr - 23 Mar 2007 21:17 GMT

Yep I am using jdk 1.1.8 , that is what this applet requires (its the
adobe java pdf viewer).
So how do I get a java applet to request only the access I need namely
read a pdf file on my web-servers file system?

> > I have a simple java program that reads a file from the OS filesystem
> > like this:
[quoted text clipped - 14 lines]
>
> Tom Hawtin

Reply to this Message

Tom Hawtin - 23 Mar 2007 21:27 GMT

> Yep I am using jdk 1.1.8 , that is what this applet requires (its the
> adobe java pdf viewer).

If you want to use the Netscape security features, I guess you'll need
to get hold of a copy of Netscape 4.7.

Tom Hawtin

Reply to this Message

merrittr - 23 Mar 2007 21:43 GMT

That is a bummer, so there is no way in the code to ask for only
certain access rights?

> > Yep I am using jdk 1.1.8 , that is what this applet requires (its the
> > adobe java pdf viewer).
[quoted text clipped - 3 lines]
>
> Tom Hawtin

Reply to this Message

merrittr - 23 Mar 2007 23:45 GMT

Ok eliminated the netscape message by including \netscape\security in
the jar file :

<applet
code="SampleReader.class"
archive="acrobat.jar"
width=900
height=140>
</applet>

so Now I get:

java.lang.ExceptionInInitializerError:
java.security.AccessControlException: access denied
(java.util.PropertyPermission * read,write)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertiesAccess(Unknown Source)
    at java.lang.System.getProperties(Unknown Source)
    at com.adobe.acrobat.gui.ReaderPrefs.<clinit>(ReaderPrefs.java:514)
    at com.adobe.acrobat.Viewer.createViewer(Viewer.java:237)
    at com.adobe.acrobat.Viewer.<init>(Viewer.java:211)
    at SampleReader.<init>(SampleReader.java:46)
    at java.lang.Class.newInstance0(Native Method)
    at java.lang.Class.newInstance(Unknown Source)
    at sun.applet.AppletPanel.createApplet(Unknown Source)
    at sun.plugin.AppletViewer.createApplet(Unknown Source)
    at sun.applet.AppletPanel.runLoader(Unknown Source)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

I am still not entirly clear on what is happening. Is the applet
asserting that it needs to
read and write to this directory?

Reply to this Message

Tom Hawtin - 24 Mar 2007 02:22 GMT

> java.lang.ExceptionInInitializerError:
> java.security.AccessControlException: access denied
[quoted text clipped - 19 lines]
> asserting that it needs to
> read and write to this directory?

You can see from the stack trace that the problem is calling
System.getProperties. Unfortunately it's doing it in a static
initialiser so it's probably impossible to hack around (rarely a good
idea to do much in the static initialiser).

You need to drop security in some way. I really wouldn't recommend it,
but you can sign all the classes of the applet (see the Java tutorial).
You shouldn't do it with a genuine certificate, unless you (a)
understand the code and (b) understand all the consequences of signing
it. The set of people in (b) is, for non-trivial example, empty.

Tom Hawtin

Reply to this Message

Andrew Thompson - 24 Mar 2007 03:51 GMT

> Yep I am using jdk 1.1.8 , that is what this applet requires (its the
> adobe java pdf viewer).

Tom has covered most aspects relevant to
this problem, I'd just like to take it in
a slightly different direction for a moment.

1) The PDF viewer does not require '1.1.8',
it requires '1.1.8+'. That is an important
distinction, since the 1.1.8 VM's are becoming
as rare as the teeth of a hen.
2) It will almost certainly be able to accept
an URL as argument for the file.
3) If the PDF is coming off the server, it
should be possible to read it by URL, without
any special privileges.
4) ..and why would you want to use an applet
(as opposed to an application) for reading
PDF's off the local file system (i.e. not
available by URL from the server)?

Andrew T.

Reply to this Message

merrittr - 24 Mar 2007 09:11 GMT

Thanks Andrew,

so you think a newer sdk is the answer? I want to use the java
pdfviewer
because this site will be used to display answer sets for students.
The idea being I want
to wrap the pdf document and hide from the students the url (as much
as possible) disabling the prnting and
save function they wont be able to pass the answer sets to next years
students

here is the way i was trying to open the file:
File file = new File("http://128.233.22.97/test.pdf");
FileInputStream in = new FileInputStream(file);
acrobat.setDocumentInputStream(in);

here is the code I am trying ;

import java.awt.*;
import java.awt.event.*;
import java.io.*;
import java.applet.*;
import com.adobe.acrobat.*;
import java.lang.*;
import java.net.URL;
import java.util.*;
import java.net.MalformedURLException;

public class SampleReader extends Viewer {

public SampleReader() throws Exception {
}

public static void main(String args[]) {
Frame f = new Frame("Sample Acrobat Reader");

f.setLayout(new BorderLayout());
Label top = new Label("Acrobat Reader created using
adobe.Acrobat.Viewer", Label.CENTER);
top.setBackground(Color.red);
f.add(top, BorderLayout.NORTH);
f.add(new Label("Adobe Acrobat Reader - Alpha release - 1998",
Label.CENTER), BorderLayout.SOUTH);
try {

// Construct a acrobat object aka Acrobar Reader
// note that you must also call its activate
// method before you show the containing panel,
// in this case the frame object.

// The acrobat object is declared as final
// so that it could be referenced in the
// following windowClosing method.

final Viewer acrobat = new Viewer();

f.addWindowListener(new WindowAdapter() {
public void windowClosing(WindowEvent e) {

if (acrobat != null) {

// The deactivate method will ensure that the
// acrobat.properties file is saved
// upon exit.

acrobat.deactivate();
}

System.exit(0);
}
});

try
{

// assumes that args[0] is the name of a file
//File file = new File(getParameter("pdffile"));
File file = new File("http://128.233.22.97/test.pdf");
FileInputStream in = new FileInputStream(file);
acrobat.setDocumentInputStream(in);

} catch (FileNotFoundException x) {
System.out.println("File not found!");
// The viewer will display a blank screen.
// You can then use the Viewer's pop-up menu
// to open a local or remote PDF file.
}

f.add(acrobat, BorderLayout.CENTER);

// you must call activate to enable the Viewer object
// to layout its sub-components and the further
initialization
// needed for it to be displayed.

acrobat.activate(); //WithoutBars();

} catch (Exception x) {
f.add(new Label("Unable to create an Acrobat Reader"),
"Center");
}

f.setSize(400, 400);
f.show();

}
}

> > Yep I am using jdk 1.1.8 , that is what this applet requires (its the
> > adobe java pdf viewer).
[quoted text clipped - 18 lines]
>
> Andrew T.

Reply to this Message

Andrew Thompson - 24 Mar 2007 10:02 GMT

> so you think a newer sdk is the answer?

No. I was merely pointing out that Java
bytecodes are 'upward compatible', and anything
that can run in 1.1, should also be able to run
in 1.2 through 1.6(+).

That, of course, is assuming the code does
not rely on quirky behaviour of a particular
JVM, as some code (rarely) does. I doubt
Adobe would be that silly.

>..I want to use the java
> pdfviewer
> because this site will be used to display answer sets for students.
> The idea being I want
> to wrap the pdf document and hide from the students the url

Uh-huh..

Be aware that a network sniffer can tell me
(or your students) the exact calls that are
being made, as can bringing up the Java console
and increasing the trace level.

So if I did your course and got '100%', would
you assume I was very clever, or that maybe
I had simply realised where/how to get the
'secret' docs.?

>..(as much
> as possible) disabling the prnting and
> save function they wont be able to pass the answer sets to next years
> students

I am bowing out of this thread. I do not
know how you can provide answers to your
students without them cheating

As an aside, there are documents that I
desperately wanted to possess, that had
similar protection schemes. When I was not
in a position to install network sniffers
(or whatever), I would transcribe* the
document.

* As in, read it, then retype the text into
a text editor. For images, it was a simple
matter of taking a screenshot (which is what
I preferred - since I could generally compress
images to a smaller size - than what they were,
when delivered).

Andrew T.

Reply to this Message

merrittr - 25 Mar 2007 05:54 GMT

This will be a best effort
system. Currently the pdf sets are just posted so right now they are
downloading and 'owning'
the documents. I they have tcpdump installed and capture the url oh
well...

> ..
>
[quoted text clipped - 52 lines]
>
> Andrew T.

Reply to this Message

java.security.AccessControlException issue

Free Magazines