Topic: PERMISSIONS in Java (runs local but not exported) (Read 712 times) |
|
Martin
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #1 on: Dec 15th, 2003, 3:44pm » |
|
hi, um, i'm not too clear about what you want to do but did you mean you wanted to run the applet from a browser? or, did you mean you wanted to export p5 code into an applet and run it off appletviewer? or, did you mean you'd want to run your sketch as an application? thanks.
|
|
|
|
madmerv Guest
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #2 on: Dec 15th, 2003, 5:44pm » |
|
What is Appletviewer? But to clarify, I export to web and get a permissions error with the net in the Java console. Hope this helps.. getting this working would be fantabulous.
|
|
|
|
madmerv Guest
|
Re: direct from Sun
« Reply #3 on: Dec 16th, 2003, 3:06am » |
|
RMI

The following are important changes to RMI (Remote Method Invocation) functionality in this release.

"accept" java.net.SocketPermission requirement for receiving remote calls

Due to a bug in previous J2SDK implementations, it was possible to export a remote object in a given access control context and then receive a remote call to that object over a given socket connection even if the access control context did not have "accept" java.net.SocketPermission for the remote java.net.InetAddress and port of the socket connection. This bug has been fixed; therefore, in some cases, code that exports remote objects might need to be granted more permissions than it did with previous implementations in order to function correctly.

As an example of how to grant such permissions using the default security policy file syntax, permission to accept socket connections from a host named terrier.east.sun.com can be expressed by the following permission entry (in the grant entry for the appropriate code source):

    permission java.net.SocketPermission "terrier.east.sun.com", "accept";

As described in the documentation for java.net.SocketPermission, the host specification may begin with a wildcard "*"; therefore, permission to accept socket connections for any host can be expressed by the following permission entry in a given grant entry:

    permission java.net.SocketPermission "*", "accept";

This is from Java 2 SDK 1.3 Release notes http://java.sun.com/j2se/1.3/relnotes.html But may not fix our problem
|
|
|
|
madmerv Guest
|
re: Security fix for net
« Reply #4 on: Dec 16th, 2003, 3:26am » |
|
1. Quick Fix

Security for Jini is based on the JDK 1.2 security model. This makes use of a SecurityManager to grant or deny access to resources. Some of the examples may work fine without a security manager. Others may require an appropriate security manager in place. Installing a suitable manager may be done by

    System.setSecurityManager(new RMISecurityManager());

This should be done before any network-related calls.

The security manager will need to make use of a security policy. This is typically given in policy files which are in default locations or are specified to the Java runtime. If policy.all is a policy file in the current directory, then invoking the runtime by

    java -Djava.security.policy="policy.all" ...

will load the contents of the policy file.

A totally permissive policy file can contain

    grant {
        permission java.security.AllPermission "", "";
    };

This will allow all permissions, and should never be used outside of a test and development environment - and moreover, one that is insulated from other potentially untrusted machines. (Standalone is good here!) The big advantage of this is that it gets you going on the rest of Jini, without worrying about security issues while you are grappling with other problems!

from http://jan.netcomp.monash.edu.au/java/jini/tutorial.1.03/Security.xml
|
|
|
|
madmerv Guest
|
Re: networking in java
« Reply #5 on: Dec 16th, 2003, 3:28am » |
|
http://www.io.com/~maus/jnetfaq.html

---Excerpt:

Security

Why won't my networked applet work, I get a security error?

In both Netscape and Microsoft Internet Explorer version 3, the security manager is both very restrictive and not subject to configuration. Applets are only allowed to create sockets back to the same server that they came from. While this is probably overkill for the home user, there is a very good reason for this policy: Firewalls.

In the corporate world, most Internet security is established through the use of firewalls, which restrict incoming connection requests. A Java applet that could connect anywhere could establish a link that allowed hacker.org to telnet in to payroll.largecomp.com. Since even HTTP-GET connections can pass along sensitive information (http://www.hacker.org/dummy.cgi?Bob+has+no+password), all connections have to be restricted.

The security manager is apparently configurable in Netscape 4.0, but I've had little luck in getting it to work. [Note: I should really have a better answer here for version 4 browsers!]

For a good discussion of applet security issues, see http://www.innovation.ch/java/HTTPClient/security.html
|
|
|
|
madmerv Guest
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #7 on: Dec 16th, 2003, 9:56pm » |
|
This lesson illustrates the use of the security-related tools (keytool, jarsigner, and Policy Tool). It also shows use of the jar tool to place files in JAR (Java ARchive) files for subsequent signing by the jarsigner tool.

In this lesson you first execute steps to create an application, put it in a JAR file, sign the JAR file, and export the public key certificate corresponding to the private key used to sign the JAR file. For convenience, you pretend to be Susan Jones, and you supply information about her when you generate the keys.

Then you act as the recipient of the signed JAR file and the certificate. For convenience, you pretend to be Ray. You see how the signed application cannot normally read a file when it is run under a security manager. Then you use keytool to import the certificate into Ray's keystore in an entry aliased by susan, and the Policy Tool to create an entry in Ray's policy file to permit code signed by susan to read the specified file. Finally, you see how the application running under a security manager can now read the file, since it has been granted permission to do so.

For further information about digital signatures, certificates, keystores, and the tools, see the API and Tools Use for Secure Code and File Exchanges lesson.

Important Note: You need to do everything in this lesson while working in the directory in which you store the sample application, but you should store the data file needed by the application in a different directory. All of the examples assume that you are working in the C:\Test directory, and that the data file is in the C:\TestData directory. If you are working on a UNIX system, substitute your own directory names.

Source: http://www.ictp.trieste.it/~manuals/programming/Java/tutorial/security1.2/toolsign/

This should fix any network permissions issues or other weird problems with exported apps not working in a browser.
My note to Ben is that he should work on exporting signed jar files, containing a proce55ing certificate, which can be written over with the user's own certificate. ( a suggestion for a great piece of software =) fixes the common problem jikes: http://oss.software.ibm.com/developerworks/opensource/jikes/
|
« Last Edit: Dec 16th, 2003, 11:16pm by madmerv » |
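A policy-file check for the two broad entries quoted in replies #3 and #4 (AllPermission and a wildcard SocketPermission), run beside a grant scoped with signedBy as in the lesson quoted in the reply above. This is an added example, not part of the thread or of Processing; the function name audit, the codeBase URL and the data file name are assumptions.

```python
import re

# Constructed samples (not from the thread). PERMISSIVE is the test-only policy
# quoted in reply #4; SCOPED reuses the alias "susan" and the host named in the
# thread, while the codeBase URL and the data file name are placeholders.
PERMISSIVE = 'grant { permission java.security.AllPermission "", ""; };'
SCOPED = r'''
// code signed by "susan" and loaded from one location
grant signedBy "susan", codeBase "http://example.invalid/applet/-" {
    permission java.io.FilePermission "C:\\TestData\\data.txt", "read";
    permission java.net.SocketPermission "terrier.east.sun.com", "accept";
};
grant { permission java.net.SocketPermission "*", "accept"; };  /* any host */
'''

_STR = r'"(?:\\.|[^"\\])*"'
# Match quoted strings first so the "//" inside a codeBase URL is not a comment.
_STRIP = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
# The header may contain quoted strings with braces, e.g. "${{java.ext.dirs}}".
_GRANT = re.compile(r'\bgrant\b((?:' + _STR + r'|[^{"])*)\{(.*?)\}\s*;', re.S)
_PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"((?:\\.|[^"\\])*)")?')


def audit(policy_text):
    """Return (scope, permission class, target, reason) per over-broad entry."""
    text = _STRIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ',
                      policy_text)
    findings = []
    for header, body in _GRANT.findall(text):
        # An empty header means no signedBy/codeBase: the grant covers all code.
        scope = ' '.join(header.split()) or 'ALL CODE'
        for cls, target in _PERM.findall(body):
            if cls == 'java.security.AllPermission':
                findings.append((scope, cls, target, 'grants every permission'))
            elif cls == 'java.net.SocketPermission' and target.startswith('*'):
                findings.append((scope, cls, target, 'wildcard host'))
    return findings


if __name__ == '__main__':
    for name, policy in (('PERMISSIVE', PERMISSIVE), ('SCOPED', SCOPED)):
        for finding in audit(policy):
            print(name, *finding, sep=' | ')
```

The scope column shows whether a broad permission is confined to a signer or code location, or applies to every class the runtime loads.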
|
|
|
|
madmerv Guest
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #9 on: Dec 16th, 2003, 10:49pm » |
|
There is also the Java Web Developers Pack 1.3, which includes xml resources for building the xml pages that surround java applets on the web. http://www.madmerv.com/banghead2.gif
|
« Last Edit: Dec 17th, 2003, 12:18am by madmerv » |
|
|
|
|
pollux
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #10 on: Dec 17th, 2003, 7:27am » |
|
i wonder if you made it work and how. i had to sign mine to work online as applications (stand alone) and a script (php) to get data from another server while inside a browser. all the information you have posted is great, maybe with a little order it can be edited into a very good connection and network services tech-note. since i've run into almost the same problems (for very different reasons and with different outputs), if you want we can get (online) together and add up know-hows to build it.
|
pollux | www.frwrd.net
|
|
|
pollux
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #11 on: Dec 17th, 2003, 7:46am » |
|
btw, here's an excerpt i found somewhere that tells how to (simply) sign a JAR file. fwiw.

----------------

For signing, the keytool/jarsigner combination of tools that come with the SDK is sufficient.

1. First, create a key in the keystore (or use one you already have). You'll be prompted for information like first name and last. You should at least fill in that information.

    > keytool -genkey -alias myalias -keypass password-for-alias -keystore myKeyStoreFile

2. Second, sign the JAR. Be sure to remember your password from the previous step.

    > jarsigner -keystore myKeyStoreFile c:/path-to-my-jar/myJAR.jar myalias
|
pollux | www.frwrd.net
|
|
|
madmerv Guest
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #12 on: Dec 18th, 2003, 4:03pm » |
|
hey thanks for that last tip; will be trying that today -- it's best to do the signing on the server after uploading I think, though I'm not sure.. that is basically how it is done, will try to do it in Windows and then upload the signed file (should work) -- harder to do if you are uploading -- will see if it works. Thanks Pollux! Plz stay in touch! -mm
|
« Last Edit: Dec 19th, 2003, 8:51pm by madmerv » |
|
|
|
|
madmerv Guest
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #13 on: Dec 23rd, 2003, 4:12pm » |
|
hmm jarsigner doesn't seem to come with jre sdk 1.4.2 for windows
|
|
|
|
madmerv Guest
|
Re: PERMISSIONS in Java (runs local but not export
« Reply #14 on: Dec 27th, 2003, 2:42pm » |
|
well i was able to solve this problem using jarsigner as the keyword search with www.filesearch.ru so, good luck to you and happy holidays from madmerv@madmerv.com
|
« Last Edit: Dec 27th, 2003, 3:24pm by madmerv » |
|
|
|
|
|