Can't get AllPermission configured for intranet applet. Can anyone help?


Problem description


After doing a lot of reading and testing I've been unable to give all permissions to an intranet applet through the codeBase grant option. This applet needs full permissions because it will have to access driver libs for OCR readers (which also write image files to HDD) and other such external devices.

I've configured my java.policy file and added the following:

grant codebase "http://myIntranetServer/-" {
  permission java.security.AllPermission;
};

After reloading the policy file in the console, and even restarting the browser, I get a java.security.AccessControlException: access denied for many of my operations, including reading the "user.name" system property, which is not granted by default.

For debugging I've also tried giving the all permission by default and it works, so my problem is basically related to the codeBase option. I am running Windows 7 and Linux clients, with JRE1.6-u17, and both have the same behavior.

Can anyone help?

Thanks in advance,

MadeiraA

Solution

I'm not sure if I understood your last comment correctly, as you state two (for me) different things:

  • You use plugin.jar (which means to me your java calls javascript functions)
  • "I call the same functions from the Javascript" (which means to me your javascript calls java functions)

I assume the latter one is the right interpretation.

If you just call Java methods (via LiveConnect) which don't do anything security related, all is OK. And you can just do (assuming an applet with id="myapplet") myapplet.safeMethod(); directly in your JavaScript code.

The main problem with calling Java methods which do something normally restricted for applets from JavaScript is that the calls seem to run in a different context in the JVM than the applet itself. Thus they are treated as unprivileged code and you get the AccessControlException. Whereas, e.g. like in my other answer, methods which are executed by the applet itself get the right permissions and are executed.

Now if you read "LiveConnect Support in the New Java™ Plug-In Technology", in section 2.8, "Security Model of JavaScript-to-Java Calls", Sun states:

When a JavaScript-to-Java call is made, the JavaScript code is modeled as though it were coming from an untrusted applet whose code origin is the document base (i.e., the URL of the directory containing the document).

I read this as: if the applet and JavaScript come from the same site, then the JavaScript-to-Java calls should run with the same permissions as the applet itself, which in our case means with whatever rights we set in our grant.

But this only works in Opera for me. FF and IE6 both throw AccessControlException. But it might still work out for you in all browsers.

The following code has two methods userName2() and userName(). userName2() WFM in all browsers. userName() only works in Opera. Check by pushing the buttons on the html page.

As you can see, userName2() is not usable like this for a real use case (it can only be called once). But you can look into a solution someone else came up with when having a similar problem, and extend userName2() accordingly:

Java Applet using LiveConnect

Additionally, you might consider something I didn't try out: all calls from JavaScript to Java do nothing security related; they just (if needed) pass in data and return immediately. Then the applet does the actual work (like in the link shown above). When finished, the applet could fire a callback into the HTML page via the JSObject (plugin.jar).

TestApp.java

import java.applet.Applet;
import java.awt.*;
import java.security.AccessControlException;

public class TestApp extends Applet {
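  Label output = new Label("What is the value of user.name?");
  String userName;
  // Thread created by the applet itself; the property read happens on it,
  // not on the thread that carries the JavaScript-to-Java call.
  Thread access = new Thread() {
    @Override
    public void run() {
      try {
        userName = System.getProperty("user.name");
      } catch (AccessControlException e) {
        userName = "Oops, failed in thread. No read permissions!";
      }
    }
  };
  public void init() {
    setLayout(new BorderLayout());
    add(BorderLayout.CENTER, output);
  }
  // "Hacky thread version": a Thread can be started only once, so a second
  // call throws IllegalThreadStateException.
  public String userName2() throws InterruptedException {
    access.start();
    access.join();
    output.setText(userName);
    return userName;
  }
  // "LiveConnect version": reads the property directly in the calling context.
  public String userName() {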
    String userName = "Oops, failed in liveconnect-context. No read permissions!";
    try {
      userName = System.getProperty("user.name");
    } catch (AccessControlException e) {
      e.printStackTrace();
    }
    output.setText(userName);
    return userName;
  }
}

test.html

<html><head><title>test</title></head><body>
  <applet id="myapplet" code="TestApp" width="350px" height="80px"></applet><br>
  <input type="button" value="liveconnect version" onclick="javascript:alert(myapplet.userName());"><br>
  <input type="button" value="hacky thread version" onclick="javascript:alert(myapplet.userName2());">
</body></html>

Policy: .java.policy (created manually in C:/Documents and Settings/[USERNAME]/ Note the leading .)

grant codeBase "http://[domain].xxx/-" {
  permission java.util.PropertyPermission "user.name", "read";
};
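
An added example, not part of the original answer or of Sun's documentation: it models why userName() can fail while userName2() succeeds. An access check passes only if every protection domain in the calling context holds the permission, so a permissionless script frame vetoes the applet's grant. The host intranet.example, the class name and the empty "script" domain are assumptions made for illustration, and the code needs a JDK that still implements the (since deprecated) AccessControlContext checks.

```java
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class LiveConnectContextDemo {
    // Protection domain for code loaded from `location`, holding exactly `perms`.
    static ProtectionDomain domain(String location, Permission... perms) throws Exception {
        CodeSource cs = new CodeSource(new URL(location), (Certificate[]) null);
        Permissions granted = new Permissions();
        for (Permission p : perms) granted.add(p);
        return new ProtectionDomain(cs, granted);
    }

    // True only when every domain in the modelled call stack implies `p`.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Permission read = new PropertyPermission("user.name", "read");

        // A codeBase ending in "/-" covers that directory and everything below it.
        CodeSource grant = new CodeSource(new URL("http://intranet.example/-"), (Certificate[]) null);
        CodeSource jar = new CodeSource(new URL("http://intranet.example/apps/TestApp.jar"), (Certificate[]) null);
        System.out.println("grant covers applet jar:   " + grant.implies(jar));

        // Constructed domains: the applet holds the grant, the script frame holds nothing.
        ProtectionDomain applet = domain("http://intranet.example/apps/", read);
        ProtectionDomain script = domain("http://intranet.example/apps/");

        // userName2(): only applet code is on the stack of the applet-created thread.
        System.out.println("applet thread only:        " + allowed(read, applet));
        // userName(): the JavaScript caller is modelled as an extra, untrusted frame.
        System.out.println("script frame above applet: " + allowed(read, script, applet));
    }
}
```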
