
Java Forum / Security / October 2003

Java Web Start security

Anders Lybecker - 23 Oct 2003 15:40 GMT
Hi,

I've made a small application with database access which I would like
to distribute with Java Web Start. The application is located on the
same server as the database.

I've signed the .jar file, but I get this error when connecting to the
database:

Unable to connect to any hosts due to exception:
java.security.AccessControlException: access denied
(java.net.SocketPermission java.lybecker.com resolve)

If I set the <all-permissions/> in the .jnlp file - it obviously works,
but I don't want access to the client machine.

The Java Web Start FAQ
(http://java.sun.com/products/javawebstart/faq.html#20) states:
"If an application is written to run in a restricted execution
environment (sandbox), then access to disk is not permitted and the
application may only connect to the host on which it resides."
Therefore I should be able to connect to the server without requesting
any permissions - or am I wrong?

Here is the database connection code:

       Class.forName("com.mysql.jdbc.Driver").newInstance();

       String url = "jdbc:mysql://java.lybecker.com/test";
       Connection con = DriverManager.getConnection(url, "user", "password");

Thanks
Anders Lybecker
daniel - 23 Oct 2003 17:19 GMT
Hello,

> I've made a small application with database access which I would like
> to distribute with Java Web Start. The application is located on the
> same server as the database.

The application executes locally on the user side. Webstart only provides a
way to download and update Java applications via a web browser, maintaining
the security execution environment sandbox as in an Applet.

> I've signed the .jar file, but I get this error when connecting to the
> database:
[quoted text clipped - 5 lines]
> If I set the <all-permissions/> in the .jnlp file - it obviously works,
> but I don't want access to the client machine.

You do not need to grant all permissions but only those to allow the
application to establish the "now" remote database.

> The Java Web Start FAQ
> (http://java.sun.com/products/javawebstart/faq.html#20) states:
[quoted text clipped - 3 lines]
> Therefore I should be able to connect to the server without requesting
> any permissions - or am I wrong?

Correct, but the database is not on the same host; it is on a remote one.

I hope this will clarify the situation and help you.

Sorry for my bad English. It is not my native language.

Daniel.
Anders Lybecker - 24 Oct 2003 09:44 GMT
>> The Java Web Start FAQ
>> (http://java.sun.com/products/javawebstart/faq.html#20) states:
[quoted text clipped - 5 lines]
>
>Correct, but the database is not on the same host; it is on a remote one.

I'm not so sure about that - if you look at this section taken from
the Developer's Guide ():

If an application is written to run in a secure sandbox, it must
follow these restrictions:
- No access to local disk.
- All JAR files must be downloaded from the same host.
- Network connections are enabled only to the host from which the JAR
files are downloaded.
- No security manager can be installed.
- No native libraries.
- Limited access to system properties. The application has read/write
access to all system properties defined in the JNLP File, as well as
read-only access to the same set of properties than an Applet has
access to.

"Network connections are enabled only to the host from which the JAR
files are downloaded". The .jar and the database reside on the same
server (actually it's also the client :-)
Therefore I should be able to connect to the database without
requesting permissions.

Thanks
Anders Lybecker
daniel - 24 Oct 2003 10:49 GMT
> >Correct, but the database is not on the same host; it is on a remote one.
>
[quoted text clipped - 19 lines]
> Therefore I should be able to connect to the database without
> requesting permissions.

Yes,  but...

I have found the same problem as you, but accessing an LDAP server located on
the same host where the webstart application was downloaded, and the only
solution that worked for me was to ask for connection permissions.

Daniel
Anders Lybecker - 24 Oct 2003 12:51 GMT
>> >Correct, but the database is not on the same host; it is on a remote one.
>>
[quoted text clipped - 25 lines]
>the same host where the webstart application was downloaded, and the only
>solution that worked for me was to ask for connection permissions.

Damn.

How do you request connection permissions only?

:-)
Anders Lybecker
daniel - 24 Oct 2003 14:06 GMT
> How do you request connection permissions only?

You can not or at least I have not found how to do it. I had to use the
<all-permissions> tag.

Sorry :-(

Daniel
Michael Amling - 24 Oct 2003 14:15 GMT
> I've made a small application with database access which I would like
> to distribute with Java Web Start. The application is located on the
[quoted text clipped - 25 lines]
>         Connection con = DriverManager.getConnection(url, "user",
> "password");

  I haven't tried Java WebStart, but with applets in the sandbox, the
host has to be specified as getCodeBase().getHost(). If that's a domain
name, you have to specify that domain name when opening a Socket. If the
domain name resolves to IP address 1.2.3.4, then trying to open a new
Socket("1.2.3.4", portnumber) won't work.
  To determine if this is the problem, you would have to know if the
client "downloads" the .jar file from "java.lybecker.com" or from
"127.0.0.1" or from java.lybecker.com's numeric IP address, or what.

--Mike Amling
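
Added example, not part of the original thread and not code from any poster: a sketch of the diagnostic described above, using the JNLP API's BasicService.getCodeBase() (the Web Start counterpart of the applet getCodeBase()) to compare the host string in the JDBC URL with the host the application was downloaded from. The class and helper names are hypothetical, the fallback code base URL is a constructed sample, and the javax.jnlp classes (jnlp.jar or javaws.jar) are assumed to be on the compile classpath.

```java
import java.net.URI;
import java.net.URL;
import javax.jnlp.BasicService;
import javax.jnlp.ServiceManager;
import javax.jnlp.UnavailableServiceException;

public class CodeBaseHostCheck {

    // Host part of a JDBC URL such as jdbc:mysql://host[:port]/db.
    static String jdbcHost(String jdbcUrl) {
        return URI.create(jdbcUrl.substring("jdbc:".length())).getHost();
    }

    // True only when the target is written exactly as the code base host
    // (name vs. name, or IP vs. IP); deliberately no DNS lookup.
    static boolean sameHostString(URL codeBase, String jdbcUrl) {
        String target = jdbcHost(jdbcUrl);
        return target != null && target.equalsIgnoreCase(codeBase.getHost());
    }

    // Build the JDBC URL so that its host is taken from the code base.
    static String jdbcUrlOnCodeBase(URL codeBase, String database) {
        return "jdbc:mysql://" + codeBase.getHost() + "/" + database;
    }

    public static void main(String[] args) throws Exception {
        URL codeBase;
        try {
            BasicService bs =
                (BasicService) ServiceManager.lookup("javax.jnlp.BasicService");
            codeBase = bs.getCodeBase();
        } catch (UnavailableServiceException e) {
            // Not launched by Java Web Start: use a constructed sample value.
            codeBase = new URL("http://java.lybecker.com/app/");
        }
        String[] candidates = {
            "jdbc:mysql://java.lybecker.com/test", // URL from the original post
            "jdbc:mysql://127.0.0.1/test"          // same machine, different host string
        };
        System.out.println("code base host: " + codeBase.getHost());
        for (String c : candidates) {
            System.out.println(c + " -> same host string as code base: "
                    + sameHostString(codeBase, c));
        }
        System.out.println("derived URL: " + jdbcUrlOnCodeBase(codeBase, "test"));
    }
}
```
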
Anders Lybecker - 24 Oct 2003 14:45 GMT
>> I've made a small application with database access which I would like
>> to distribute with Java Web Start. The application is located on the
[quoted text clipped - 34 lines]
>client "downloads" the .jar file from "java.lybecker.com" or from
>"127.0.0.1" or from java.lybecker.com's numeric IP address, or what.

I would guess that I download the application from java.lybecker.com,
because that's what I write in the browser.

I added the java.lybecker.com (127.0.0.1) in the host file so the
domain name resolves to 127.0.0.1.

Can you please clarify what I have to do with getCodeBase().getHost()?
What does getCodeBase() do?

The security issues should be the same on an applet as with Java Web
Start.

Thanks
Anders Lybecker

