
Java Forum / Security / November 2003


applet problem with plugin 1.4.2

Cyrill Zadra - 23 Oct 2003 08:46 GMT
Hey,

I got a VeriSign signed applet that worked well with the Java plugin
1.4.1_xxx, but since I updated my client to 1.4.2_01 or 1.4.2_02 I
always get the error
    "access denied (java.util.PropertyPermission user.home read)"

The applet methods are accessed through JavaScript.

What has changed in the new plugin versions 1.4.2 that my plugin isn't
working anymore? Are there new security features in 1.4.2?

thanks in advance

Cyrill
VK - 23 Oct 2003 23:14 GMT
In 1.4.2 they finally fixed the security hole allowing access to Java
methods in a signed applet via unsigned JavaScript methods on the page.
I'm not saying that YOU used this hole for something bad. But the
security risk was obvious:
1. Get some signed applet from a respectable provider (Sun itself for
example) with file-access methods (an FTP client for example).
2. Make a page with JavaScript functions accessing these methods (a
"download" page for example).
3. Wait until the user clicks "Allow".
4. Have a heyday on his hard drive.

By new requirements to access privileged methods in a signed applet you
have to put your JavaScript (.js) in a separate jar file and sign it
with the same certificate you used to sign your applet.
Not a big problem with Netscape, but you are busted with Explorer,
because it never implemented signed JScript technology.
Cyrill Zadra - 24 Oct 2003 08:09 GMT
Hi,

thanks for your help, I'll try it out... and give you feedback...!

>> By new requirements to access privileged methods in a signed applet you
>> have to put your JavaScript (.js) in a separate jar file and sign it
>> with the same certificate you used to sign your applet.
>> Not a big problem with Netscape, but you are busted with Explorer,
>> because it never implemented signed JScript technology.

I was looking for some documentation that explained what you did but
couldn't find anything.

cyrill
Cyrill Zadra - 31 Oct 2003 19:21 GMT
Hello,

First I put the js file into a jar file... and then I signed (with a
VeriSign certificate) this jar file with the jarsigner.

I invoked the jar with the following HTML code.

  <script archive="/mainframe_files/system.jar" src="system.js"></script>

But I still get the same error:

access denied (java.util.PropertyPermission user.home read)

cheers,

Cyrill

> In 1.4.2 they finally fixed the security hole allowing access to Java
> methods in a signed applet via unsigned JavaScript methods on the page.
[quoted text clipped - 12 lines]
> Not a big problem with Netscape, but you are busted with Explorer,
> because it never implemented signed JScript technology.
VK - 03 Nov 2003 23:42 GMT
Well, then it's time to go to http://java.sun.com/webapps/bugreport/ and
make a new submission. It may be another case when Sun documentation has
nothing to do with the reality.
At least Sun guys come back to you in a couple of weeks or so. So by the
end of November you'll know for sure whether it is a bug, a "feature of the
current release" or some specifics of your own system.
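
Added example, not part of the thread and not Sun's or either poster's code: a stand-alone simulation of the permission check behind the `access denied (java.util.PropertyPermission user.home read)` error. It assumes the plug-in treats the unsigned page script as a caller with no permissions on the call stack (modelled here by an empty `AccessControlContext`), uses hypothetical class and method names, and needs a JDK that still enforces `AccessController` checks (for example 8, 11 or 17).

```java
import java.security.*;
import java.util.PropertyPermission;

public class LiveConnectStackDemo {
    // Stand-in for a signed applet's scriptable method: performs the same check
    // a SecurityManager makes before System.getProperty("user.home").
    static String userHomeUnwrapped() {
        AccessController.checkPermission(new PropertyPermission("user.home", "read"));
        return System.getProperty("user.home");
    }

    // Hardened form: the stack walk stops at doPrivileged, so only this class's
    // own (trusted) domain is checked. It takes no caller-supplied argument.
    static String userHomePrivileged() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) LiveConnectStackDemo::userHomeUnwrapped);
    }

    // Runs an action as if it were called by code that holds no permissions
    // (the assumed model for unsigned page script calling into the applet).
    static String callFromUntrusted(PrivilegedAction<String> action) {
        ProtectionDomain none = new ProtectionDomain(null, new Permissions());
        AccessControlContext script =
            new AccessControlContext(new ProtectionDomain[] { none });
        try {
            return "allowed: " + AccessController.doPrivileged(action, script);
        } catch (AccessControlException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed policy: treat this class as fully trusted, like a signed
        // applet whose certificate the user accepted.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        // Same trusted method, same untrusted caller; only the wrapper differs.
        System.out.println(callFromUntrusted(LiveConnectStackDemo::userHomeUnwrapped));
        System.out.println(callFromUntrusted(LiveConnectStackDemo::userHomePrivileged));
    }
}
```

In a real applet the `doPrivileged` wrapper would sit inside the scriptable method itself. Keeping that block free of caller-supplied paths or names is what stops a signed applet from becoming the file-access proxy described earlier in the thread.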

