Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Java > Granting access to signed applet not working

Reply
Thread Tools

Granting access to signed applet not working

 
 
Terri I.
Guest
Posts: n/a
 
      08-19-2003
I have a self-signed applet (NOT using commercial CA).
It appears that I have successfully generated the necessary key
and used it to sign my jar file.
When I load the page with the applet, I actually get the popup window
asking if I want to grant or deny privileges (which seems to tell me that
the plug-in figured out that the applet was signed, could read it's
signature, and validated the 'CA' that signed the code). But if I click on
Yes or Always, the applet still doesn't work - I get the securityexception
that access is denied trying to run the executable my applet is trying to
run.
Does anybody have any suggestions? Thanks!
 
Reply With Quote
 
 
 
 
Terri I.
Guest
Posts: n/a
 
      08-20-2003
How can I tell what file the browser's JRE is trying to write to when I
say to grant access to a signed applet?? I'm wondering if the problem is that
the JRE is trying to add a certificate to a keystore/cacerts file that I don't
have write access to?? On our network, I cannot write to the C: drive, so if
the JRE is trying to update a cacerts file in that location, it will not work.
I am not getting any error messages, but just wondered if this was a possibility.


http://www.velocityreviews.com/forums/(E-Mail Removed) (Terri I.) wrote in message news:<(E-Mail Removed). com>...
> I have a self-signed applet (NOT using commercial CA).
> It appears that I have successfully generated the necessary key
> and used it to sign my jar file.
> When I load the page with the applet, I actually get the popup window
> asking if I want to grant or deny privileges (which seems to tell me that
> the plug-in figured out that the applet was signed, could read it's
> signature, and validated the 'CA' that signed the code). But if I click on
> Yes or Always, the applet still doesn't work - I get the securityexception
> that access is denied trying to run the executable my applet is trying to
> run.
> Does anybody have any suggestions? Thanks!

 
Reply With Quote
 
 
 
 
Roedy Green
Guest
Posts: n/a
 
      08-20-2003
On 20 Aug 2003 07:28:53 -0700, (E-Mail Removed) (Terri I.) wrote or
quoted :

>How can I tell what file the browser's JRE is trying to write to when I
>say to grant access to a signed applet??


Usually you build that into the policy file. That is where you can
give fine grained permission to some Applets and not others about
exactly where they are allowed to write.


--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Reply With Quote
 
Roedy Green
Guest
Posts: n/a
 
      08-20-2003
On 20 Aug 2003 13:50:00 -0700, (E-Mail Removed) (Terri I.) wrote or
quoted :

>Update: I got temporary administrator access to my machine and the problem
>definitely seems related to my inability to write to my C:. I tried a sample
>signed applet from the Sun site - it worked fine while I was logged on as
>administrator, but failed while logged on as a regular user (i.e. no write
>access to C.
>
>Sooo, how can I tell the plug-in to access the cacerts file from some other
>location?? In our environment, asking users to modify their policy files is
>not a viable option.


Why do you think this is a problem with getting the wrong cacerts
file?

cacerts is supposed to be system wide, not a private administrator
file. Granted, you may have a dozen of them, one per JDK, JRE, JWS....

Do you have Sun's standard policy file in place? Are there any other
policy files that may be getting used instead?

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Reply With Quote
 
Terri I.
Guest
Posts: n/a
 
      08-21-2003
Roedy Green <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
> On 20 Aug 2003 13:50:00 -0700, (E-Mail Removed) (Terri I.) wrote or
> quoted :
>
> >Update: I got temporary administrator access to my machine and the problem
> >definitely seems related to my inability to write to my C:. I tried a sample
> >signed applet from the Sun site - it worked fine while I was logged on as
> >administrator, but failed while logged on as a regular user (i.e. no write
> >access to C.
> >
> >Sooo, how can I tell the plug-in to access the cacerts file from some other
> >location?? In our environment, asking users to modify their policy files is
> >not a viable option.

>
> Why do you think this is a problem with getting the wrong cacerts
> file?
>
> cacerts is supposed to be system wide, not a private administrator
> file. Granted, you may have a dozen of them, one per JDK, JRE, JWS....
>
> Do you have Sun's standard policy file in place? Are there any other
> policy files that may be getting used instead?



I thought it might be a problem with the cert being added to the cacerts
file since it works for me when I'm logged on as a user that has write
access to the C: (where the JRE's cacerts file is located). The standard
policy file is also there, and without changing anything related to it,
again, signed code seems to work when I can write to the C: drive. It's not
that cacerts is not accessible to everyone, but it cannot be written to by
everyone if it is sitting on the C:.
 
Reply With Quote
 
Terri I.
Guest
Posts: n/a
 
      08-21-2003
Roedy Green <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
> On 20 Aug 2003 13:50:00 -0700, (E-Mail Removed) (Terri I.) wrote or
> quoted :
>
> >Update: I got temporary administrator access to my machine and the problem
> >definitely seems related to my inability to write to my C:. I tried a sample
> >signed applet from the Sun site - it worked fine while I was logged on as
> >administrator, but failed while logged on as a regular user (i.e. no write
> >access to C.
> >
> >Sooo, how can I tell the plug-in to access the cacerts file from some other
> >location?? In our environment, asking users to modify their policy files is
> >not a viable option.

>
> Why do you think this is a problem with getting the wrong cacerts
> file?
>
> cacerts is supposed to be system wide, not a private administrator
> file. Granted, you may have a dozen of them, one per JDK, JRE, JWS....
>
> Do you have Sun's standard policy file in place? Are there any other
> policy files that may be getting used instead?



One other thing. I did try to run the keytool -import command against the
cacerts file to see if I could directly import my self-generated cert in there,
and as expected, I got an access denied message on the file since it is on
the C: drive. So while the plug-in seems to recognize the cert for my signed
applet, it does not recognize the CA cert. I have seen threads where people
talk about using self-signed certs in this way - I'm wondering if none of them
had to deal with users who could not write to their C: drives (or whatever
drive the JRE is located on).
 
Reply With Quote
 
Terri I.
Guest
Posts: n/a
 
      08-22-2003
Roedy Green <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
> There is another way of looking at this. The administrator does not
> want his users installing software on C: He thus blocked access to C:
>
> This block worked. The solution is to call in the admin, and let him
> supervise the install.
>
> I've had to do this just to install a SET parameter at one of my
> clients.



That's fine for a 1-user install. But I am working on an application that is
available to everyone in our organization, so I don't want the users to have
to do something special for the setup. I'm going to have to think of another
way to do this if I can't tell the plug-in to look elsewhere for the cacerts
file. My application worked fine with a self-signed cert in Netscape 4.75, this
just seems like a step backwards...
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Very annoying error: Access to the path is denied. ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity Jay ASP .Net 2 08-20-2007 07:38 PM
Access to local files with signed applet in Vista/IE7 Hansi Java 10 02-15-2007 04:13 PM
Granting Access Charles A. Lackman ASP .Net 0 10-31-2005 07:56 PM
granting temporary private access cbongior@stny.rr.com Java 1 08-03-2005 06:01 PM
Granting ASP.NET write access to a file =?Utf-8?B?VG9tIEMu?= ASP .Net 6 04-29-2004 09:29 PM



Advertisments