HTML中嵌入一个Applet设置策略 [英] Setting up policies for an Applet embedded in HTML

问题描述

我已经设计了一个小程序，以采取截图，并使用java.awt.Robot中的类保存用户的计算机上。我需要这个小程序使嵌入到HTML页面（使用对象标记），这样当用户点击网页上的一个按钮，在拍摄的截图。

I have designed an Applet to take a screenshot and save it on the users computer using the java.awt.Robot class. I need to embedd this applet into an html page (using the object tag) so that when the user clicks a button on the webpage the screenshot is taken.

小程序本身工​​作正常，我已经加入了临时的主要方法，它并运行它在我的本地机器上作为一个普通的Java应用程序进行了测试。

The applet itself works fine, i've tested it by adding a temporary main method to it and running it on my local machine as a regular java app.

在哪里我有难度设置权限，允许它从它的嵌入位置运行。显然，机器人类是有点危险所以使用AWTPermission需要建立，需要签署的小应用程序本身。

Where I'm having difficulty is setting up permissions to allow it to run from its embedded location. Obviously the robot class is somewhat hazardous so an AWTPermission needs to be established and the applet itself needs to be signed.

我也跟着通过在 http://download.oracle教程。 COM / JavaSE的/教程/安全/ toolsign / index.html的，并成功创造了一个签名的.jar文件，然后，允许该教程演示应用程序运行的政策文件。凡我现在遇到了问题，就是如何调和一下我和我的小程序将被用于了解到的情况。

I followed through the tutorial at http://download.oracle.com/javase/tutorial/security/toolsign/index.html and succeeded in creating a signed .jar file and then a policy file that allowed the demo application in that tutorial to run. Where I am now running into issues is how to reconcile what I've learned with the situation my applet will be used in.

我的目标受众包括大约100台机器，我需要它是可执行对所有的人。我已经收拾好java的.class文件到一个.jar和使用密钥工具及的jarsigner签了字。然后我上传.jar和.CER文件，其中有问题的网页托管的服务器目录。

My target audience comprises around 100 machines and I need it to be executable on all of them. I have packed my java .class file into a .jar and signed it using keytool and jarsigner. I then uploaded the .jar and .cer files to the server directory where the pages in question are hosted.

不过：当我然后用于用policytool对其中一台计算机创建一个新的策略文件来测试设置我仍然无法从HTML执行小程序。我得到Java.Security.AccessControlException接取拒绝java.awt.AWTPermission createRobot错误。

However: When I then used policytool to create a new policy file on one of the machines to test the setup I am still unable to execute the applet from the HTML. I get Java.Security.AccessControlException Acess Denied java.awt.AWTPermission createRobot errors.

我有些怀疑它是会出错的政策一步，所以我将概述我采取的步骤：
我下载证书到本地计算机，并从其生成密钥库，我推出'用policytool从这个目录通过命令行
我想补充从哪里产生的密钥库和我的证书位于本地计算机上的目录。
然后我打的添加策略按钮，并输入SignedBy别名
然后添加权限，选择的AWTPermission
目标的名字，我选择createRobot
功能字段我已经离开的空白，因为我想不出什么会在这里申请
在此窗口中签署也留空
然后我点击OK和完成，并得到一个警告，指出是我在第一步输入的别名没有公钥。我做了另存为，我的policyfile保存到同一目录作为我把证书，并从它产生的密钥库。

I rather suspect its the policy step that is going awry, so I'll outline the steps I took: I download the certificate to the local machine and generate a keystore from it, I launch 'policytool' from this directory through the commandline I add the directory on the local machine where the keystore generated from and my certificate is located. I then hit the add policy button and enter the SignedBy alias Then Add Permissions and select AWTPermission Targets name I select createRobot The function field I have been leaving blank as I cant think what would apply here Signed By in this window is also left blank I then hit 'OK' and 'Done' and get a warning that there is no public key for the alias I've entered in the first step. I do a 'save as' and save my policyfile to the same directory as I put the certificate and the keystore generated from it.

这是不允许不过我跑从网页小程序，然后我的编程这方面的了解有限没有提供任何线索，出了什么问题。

This is not allowing me to run the applet from the webpage however and my limited understanding of this aspect of programming offers no clues as to what has gone wrong.

的观念，思想，意见？如果我还没有明确提到的东西，然后我还没有做过。我最大的怀疑是我收到的警告，但我似乎找到为什么它的出现

Ideas, thoughts, observations? If I havent explicitly mentioned something then I havent done it. My biggest suspect is the warning I recieve but I cant seem to find why its appearing

编辑：忘了提了一步。我手动添加到我的jre \\ lib \\ security中\\ java.security文件行'policy.url.3 =文件：/ C：/测试/ debugpolicy'，因为这就是我创建的路径和文件名政策在上述步骤。我刚才也成功消除我刚才提到的警告，我一直在我的别名混淆了，并给了专用的密钥库，而不是创建policyfile在公众一个别名，但是我仍然遇到同样的问题。

Forgot to mention a step. I manually added to my jre\lib\security\java.security file the line 'policy.url.3=file:/C:/Testing/debugpolicy' since thats the path and policy filename I created during the above steps. I also just now managed to remove the warning I mentioned earlier, I'd been mixing up my alias' and gave the alias for the private keystore rather than the public one during policyfile creation, however I still encounter the same problems

推荐答案

如果一个applet正确签名，没有政策文件是必需的，也不是单独上传任何证书，它要求。一个正确签名的小程序会提示用户权限访问该小程序时，它加载之前。是否提示出现？

If an applet is correctly signed, no policy file is required, nor is it required to separately upload any certificate. A correctly signed applet will prompt the user for permission when the applet is visited, before it loads. Does the prompt appear?

下面是一个小的演示。我写了证明可信的applet 的防守加载。这就是我所指的安全提示。

Here is a small demo. I wrote that demonstrates Defensive loading of trusted applets. That is the security prompt I am referring to.

如果小程序是由开发商双方数字签名和最终用户信任的，它应该能够采取的屏幕截图。

If the applet is both digitally signed by the developer and trusted by the end user, it should be able to take a screen-shot.

有一个东西如果applet是可信任的，你可以尝试，只是作为一个实验（1）。早在小程序的init（），通话 System.setSecurityManager（空）。这将两者的测试如果applet有信任，擦去给小程序值得信赖的安全管理器的最后残余。

There is one other thing you might try if the applet is trusted, just as an experiment (1). Early in the applet init(), call System.setSecurityManager(null). That will both test if the applet has trust, and wipe away the last remnants of the 'trusted' security manager given to applets.

而在这样的作品，它使屏幕捕获成功的情况下，它表明无论是错误或Oracle改变了主意什么可信的小程序可以做的默认值。

And in the case that works, and it makes the screen capture successful, it suggests either a bug or Oracle changed their mind about the defaults of what a trusted applet could do.

1）在一个真实的世界或生产环境不要这样做引述汤姆Hawtin：

1) Don't do this in a real world or production environment. To quote Tom Hawtin:

似乎这个问题已经给一些IM pression，调用 System.setSecurityManager（NULL）; 是好的。 ......如果任何人有任何怀疑，在applet不断变化的全球状态会影响到所有小程序在同一个进程。清除安全管理器将允许任何未签名的小程序做它喜欢。请不要签收code与全局状态玩弄你希望任何人信任的证书。

This question appears to have given some the impression that calling System.setSecurityManager(null); is okay. ... In case anyone has any doubts, changing global state in an applet will affect all applets in the same process. Clearing the security manager will allow any unsigned applet to do what it likes. Please don't sign code that plays with global state with a certificate you expect anyone to trust.

编辑1：
这里是在演示中使用的简单的小程序的源。当我最初上传它某些原因，我决定来源是不相关的。现在OTOH 3人求见来源，或那样的原因。当我得到一个圆tuit我会上传源到我的网站。在此期间，我把它放在这里。

---

Edit 1: Here is the source of the simple applet used in that demo. For some reason when I originally uploaded it, I decided the source was not relevant. OTOH 3 people have now asked to see the source, for one reason or another. When I get a round tuit I'll upload the source to my site. In the mean time, I'll put it here.

package org.pscode.eg.docload;

import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.net.*;
import java.io.*;
import java.security.*;

/** An applet to display documents that are JEditorPane compatible. */
public class DocumentLoader extends JApplet {
    JEditorPane document;

    @Override
    public void init() {
        System.out.println("init()");

        JPanel main = new JPanel();
        main.setLayout( new BorderLayout() );
        getContentPane().add(main);
        try {
            // It might seem odd that a sandboxed applet can /instantiate/
            // a File object, but until it goes to do anything with it, the
            // JVM considers it 'OK'.  Until we go to do anything with a
            // 'File' object, it is really just a filename.
            File f = new File(".");

            // set up the green 'sandboxed page', as a precaution..
            URL sandboxed = new URL(getDocumentBase(), "sandbox.html");
            document = new JEditorPane(sandboxed);
            main.add( new JScrollPane(document), BorderLayout.CENTER );
            // Everything above here is possible for a sandboxed applet

            // *test* if this applet is sandboxed
            final JFileChooser jfc =
                new JFileChooser(f); // invokes security check
            jfc.setFileSelectionMode(JFileChooser.FILES_ONLY);
            jfc.setMultiSelectionEnabled(false);

            JButton button = new JButton("Load Document");
            button.addActionListener( new ActionListener(){
                    public void actionPerformed(ActionEvent ae) {
                        int result = jfc.showOpenDialog(
                            DocumentLoader.this);
                        if ( result==JFileChooser.APPROVE_OPTION ) {
                            File temp = jfc.getSelectedFile();
                            try {
                                URL page = temp.toURI().toURL();
                                document.setPage( page );
                            } catch(Exception e) {
                                e.printStackTrace();
                            }
                        }
                    }
                } );
            main.add( button, BorderLayout.SOUTH );

            // the applet is trusted, change to the red 'welcome page'
            URL trusted = new URL(getDocumentBase(), "trusted.html");
            document.setPage(trusted);
        } catch (MalformedURLException murle) {
            murle.printStackTrace();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        } catch (AccessControlException ace) {
            ace.printStackTrace();
        }
    }

    @Override
    public void start() {
        System.out.println("start()");
    }

    @Override
    public void stop() {
        System.out.println("stop()");
    }

    @Override
    public void destroy() {
        System.out.println("destroy()");
    }
}

这篇关于HTML中嵌入一个Applet设置策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！