难道签署Java小程序在浏览器沙箱中运行时，有机会获得USB外设？ [英] Do signed java applets have access to USB peripherals when run in the browser sandbox?

问题描述

我实现了一个Java包的功能操作通过USB连接到工作站POS打印机，钱箱。我还实现了一个小程序与后者由一个POS网站援引希望利用这个包的功能。

在该小程序在Eclipse中运行，一切顺利。当小程序在浏览器中运行它看来，我的包是无法访问通过USB连接的外设。我从第三方（JavaPOS的）code指出的错误：

  

jpos.JposException：该设备
  通信信道不能
  打开，检查设备，然后重试。

小程序与自签署证书。我会发布一些code，但抛出的错误从某处埋藏在使用POS打印机制造商专用的驱动程序。

我假定的问题是，从浏览器沙箱中，小程序不具有访问通过USB连接的外设。结果
可能是这样的情况？如果是这样，反正是有从签名的Applet中访问USB外设？结果
如果一个小程序不能访问USB外设，怎么可能一个网站调用code，可以？

解决方案

  

请在浏览器沙箱中运行时签署的Java小程序访问的USB外设？

要解决这个具体问题（并避免涉及以下意见的具体技术），是签名Java小程序访问USB外设。在沙箱，也就是你有能力打出来的当您运行一个签名的小程序。

但出于安全考虑，只需签署小应用程序不会自动给沙箱之外访问项目。

PrivelegedAction 似乎是用于访问特权的系统组件，如打印机的preferred方法。更多关于这些特权操作由Oracle这里提供： HTTP： //docs.oracle.com/javase/7/docs/api/java/security/AccessController.html

此外，还有从Web浏览器做这样的事情时，如Java关心那里的行动从起源有几种考虑。

 公共职能WriteFile的（）{
    ...
    FileWriter的FW =新的FileWriter（...）;
    ...
}
公共无效的init（）{
    WriteFile的（）;
}
 

例如，如果你写一个文件到文件系统（即 $ HOME /桌面/的text.txt ）使用的FileWriter 在applet的init（）方法类，签名Applet会的一般的允许。包装成这样的的PrivilegedAction 会更好，并使用 AccessController.checkPermission（...）先检查权限会理想的。

然而，的FileWriter 时，它从JavaScript直接调用被阻塞（而不是由init（））：

  VAR myapplet =的document.getElementById（'myapplet'）;
myapplet.writeFile（）; //通过安全框架阻止
 

要绕过这个问题，有些人选择使用 PrivelegedAction ，但是如果操作需要很长的时间，你会发现它会阻止用户界面，这是非常不好的做法在网页中（并且可以死锁浏览器）。

 公共无效的init（）{
   ...
   在AccessController.doPrivileged（新的PrivilegedAction（）{
      公共对象的run（）{
         WriteFile的（）;
         返回null;
      }
   }）;
   ...
}
 

此外，你的问题专门询问有关访问的USB外围设备，通常通过人机接口设备迭代完成。 HID是不是Java的直接原生支持（然而，当写这篇/ JRE7的）。所以，是的，签名Applet可以跟您的USB外设，但你需要使用某种形式的Java本地接口技术的（JNI）正确的访问他们。 JNI可以是一个烂摊子，支持跨平台（即分配的DLL和SOS与JAR）所以...

然而，大多数Java小程序做的是访问本地安装的打印机，并使用标准的Java打印库。这是我们如何做到过来的QZ-打印项目，你可以自由地在这里回顾我们的源代码code：的 https://github.com/qzindustries/qz-print/tree/master/qz-print/src/qz 它使用线程由init解雇（）和布尔标志解雇所有特权功能。

I've implemented a Java package with functionality to operate a POS printer and cash drawer connected to the workstation via USB. I've also implemented an applet to utilize the functionality of this package with the hopes of having it invoked by a POS website.

When the applet is run from within Eclipse, all goes well. When the applet is run from within a browser it seems that my package is unable to access the peripherals connected via USB. I get an error from the third party (JavaPOS) code stating:

jpos.JposException: The device communications channel could not be opened, check the device and retry.

The applet is signed with a self-cert. I'd post some code but the error is thrown from somewhere buried in manufacturer-specific drivers for the POS printer in use.

I'm assuming the issue is that, from within the browser sandbox, the applet does not have access to the peripherals connected via USB.
Could this be the case? If so, is there anyway to access USB peripherals from within a signed Applet?
If an applet can't access USB peripherals, how could a web site invoke code that can?

解决方案

Do signed java applets have access to USB peripherals when run in the browser sandbox?

To address this specific question (and avoid the specific technologies involved in the comments following), yes Signed Java Applets have access to USB Peripherals. The "sandbox" is what you have capability to "break out of" when you run a signed applet.

But for security reasons, simply signing the applet does not automatically give access to items outside of the sandbox.

PrivelegedAction seems to be the preferred method for accessing privileged system components, such as the printer. More about these privileged actions is provided by Oracle here: http://docs.oracle.com/javase/7/docs/api/java/security/AccessController.html

In addition, there are several consideration when doing something like this from a web browser as Java cares where the action originates from.

public function writeFile() {
    ...
    FileWriter fw = new FileWriter(...);
    ...
}


public void init() {
    writeFile();
}

For example, if you were to write a file to the filesystem (i.e. $HOME/Desktop/text.txt) using the FileWriter class in the applet init() method, a Signed Applet would generally allow it. Wrapping this into a PrivilegedAction would be better, and checking permission first using AccessController.checkPermission(...) would be ideal.

However, FileWriter gets blocked when it's called directly from JavaScript (instead of from init()):

var myapplet = document.getElementById('myapplet');
myapplet.writeFile(); // Blocked by Security Framework

To circumvent this issue, some chose to use PrivelegedAction, however if the action takes a long time, you'll notice it blocks the UI, which is very bad practice in a web page (and can deadlock the browser).

public void init() {
   ...
   AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
         writeFile();
         return null;
      }
   });
   ...
}

Furthermore, your question asks specifically about accessing a USB peripheral, which is generally done by iterating through the Human Interface Devices. HID is not something Java directly supports natively (yet, as of writing this/JRE7). So yes, a signed applet CAN talk to your USB peripherals, but you would need to use some form of Java Native Interfacing (JNI) to properly "access" them. JNI can be a mess to support cross-platform (i.e. distributing DLLs and SOs with your JAR) so...

What most Java Applets do is access the locally installed printers and use the standard Java Printing libraries. This is how we do it over at the qz-print project and you're free to review our source code here: https://github.com/qzindustries/qz-print/tree/master/qz-print/src/qz which uses threads fired by init() and boolean flags to fire all privileged functions.

这篇关于难道签署Java小程序在浏览器沙箱中运行时，有机会获得USB外设？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！