Giving Applet Full Permission Without Policy File

 
 
Darol
      08-24-2005
I have a signed applet that needs the Java Plug-in to grant it full
permission to use system resources (files, sockets). I know that I can
do this by adding certificate info to the policy file, but I don't want
my users to have to modify their policy files. In short, how can my
applet get full permission without making any changes to the users'
policy file?

 
Roedy Green
      08-25-2005
On 24 Aug 2005 14:57:22 -0700, "Darol" <(E-Mail Removed)>
wrote or quoted :

>I have a signed applet that needs the Java Plug-in to grant it full
>permission to use system resources (files, sockets). I know that I can
>do this by adding certificate info to the policy file, but I don't want
>my users to have to modify their policy files. In short, how can my
>applet get full permission without making any changes to the users'
>policy file?


That is like asking how can I pick the policy file lock.

The whole point of the policy file is to stop signed applets from
running without permission or manual grant.

Imagine if there were an answer to your question. Pirates could use
it to hack every machine that ran an Applet. The loophole would have
to be quickly closed.

However, what you might do, is use a signed Applet to modify the
policy file. But that Applet has to be given a manual one-time grant.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com
 
 
Andrew Thompson
      08-25-2005
On 24 Aug 2005 14:57:22 -0700, Darol wrote:

> I have a signed applet that needs the Java Plug-in to grant it full
> permission to use system resources (files, sockets).


If your applet is signed, the user should be asked if they
will accept the signature. If they do, the applet will be
granted full privileges.

>...I know that I can
> do this by adding certificate info to the policy file, but I don't want
> my users to have to modify their policy files.


In other words, AFAIU, you should not need to adjust any
policy files even now.

Report back if that is correct. There is one more step you
can take to make sure the code is accepted as privileged,
but I think it should not be necessary.

HTH

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Her voice was soft and cool, her eyes were clear and bright, ..but she's
not there"
The Zombies 'She's Not There'
 
 
Darol
      08-26-2005
Full permission is not given simply if the user accepts the signed
applet if the applet has not been RSA-signed. I don't want to get an
official certificate and I don't want to create a test certificate,
which requires that the client user import this certificate. Ideally, I
would like the user to just accept a self-signed applet, which would
then be given full permission.

 
 
Darol
      08-26-2005
I'm not asking for a lock pick. My intent is to have the user accept a
self-signed applet, which is a permission grant.

 
 
Andrew Thompson
      08-27-2005
On 26 Aug 2005 15:08:36 -0700, Darol wrote:

> Full permission is not given simply if the user accepts the signed
> applet if the applet has not been RSA-signed.


What does 'not been RSA-signed' mean? Self-signed?

Got an URL that supports that self-signed certificates
(that are accepted by the user) get anything less than
full access/full privileges?

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Ain't it dark, wrapped up in that tarp.."
Dixie Chicks 'Goodbye Earl'
 
 
Kenneth P. Turvey
      08-27-2005
Darol wrote:

> I'm not asking for a lock pick. My intent is to have the user accept a
> self-signed applet, which is a permission grant.


The problem is that anyone could self sign their own applet. If the client
were to accept such a thing it would be completely open to anybody who
wanted to write malicious code.

--
Kenneth P. Turvey <(E-Mail Removed)>

Currently seeking employment as a Java developer in the St. Louis area.
 
 
Roedy Green
      08-29-2005
On 26 Aug 2005 15:10:23 -0700, "Darol" <(E-Mail Removed)>
wrote or quoted :

>I'm not asking for a lock pick. My intent is to have the user accept a
>self-signed applet, which is a permission grant.


In that case, there is nothing to do to the policy file.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.
 
 
Roedy Green
      08-29-2005
On 26 Aug 2005 15:08:36 -0700, "Darol" <(E-Mail Removed)>
wrote or quoted :

> Ideally, I
>would like the user to just accept a self-signed applet, which would
>then be given full permission.


The way it works if you don't want to buy a certificate, is you create
a phony certificate (self signed) and sign your jar with it. When the
user gets it, he is asked if he is willing to accept your phony cert.
If he says "yes" then the Applet has full permission. If he says no,
you have only the unsigned Applet privileges. You can see the process
in action by going to http://mindprod.com/applets/wassup.html
where I have a self-signed Applet.

Anything else without a real certificate would require either
modifying the policy files of all the users or importing the
certificate as trusted in all the users' machines.

See http://mindprod.com/jgloss/certificate.html
http://mindprod.com/jgloss/keytool.html
http://mindprod.com/jgloss/signedapplets.html
http://mindprod.com/jgloss/jarsigner.html
for the gory details.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.
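
Added example, not part of the thread or of any poster's code: a small Java program that reports who signed a JAR and whether each signer certificate is self-signed, which is the only identity evidence behind the accept prompt described in the post above. The class name `JarSignerCheck` is hypothetical, skipping all of `META-INF` is a simplification, and no chain validation against a trust store is performed.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example (hypothetical class name): list a JAR's signers, flag self-signed ones.
public class JarSignerCheck {
    // Self-signed: subject equals issuer and the signature verifies under the
    // certificate's own key, so no CA vouches for the name the user is shown.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: JarSignerCheck <file.jar>");
        Set<X509Certificate> signers = new LinkedHashSet<>();
        int unsigned = 0;
        byte[] buf = new byte[8192];
        // verify=true: digests and signatures are checked as entries are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are known only after a full read; a modified entry throws SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { unsigned++; continue; }
                for (CodeSigner s : cs)
                    signers.add((X509Certificate) s.getSignerCertPath().getCertificates().get(0));
            }
        }
        System.out.println("unsigned entries: " + unsigned);
        // Not self-signed only means another certificate issued it; the chain is not validated here.
        for (X509Certificate c : signers)
            System.out.println((isSelfSigned(c) ? "SELF-SIGNED      " : "NOT-SELF-SIGNED  ") + c.getSubjectX500Principal());
    }
}
```

A `SELF-SIGNED` line means the subject name was chosen by whoever generated the key, so accepting it rests entirely on the user's own knowledge of where the JAR came from.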
 
 
Darol
      08-29-2005
True, but that's the power I want to give my applet users. I understand
that this is a dangerous capability to give the user.

 