garyz31
asked on
Need help with policytool, permissions.
I am developing an applet which needs to send data to another computer over UDP. I am having trouble giving myself permission to send data from a UDP socket.
I thought that I had granted myself permission to do anything by using the policytool to modify the file c:\winnt\profiles\administ rator\.jav a.policy, but the applet is still causing a security exception.
I don't know if the problem is with my use of the policytool or in my applet. Does my applet need to request permission to perform the operation?
Help will be much appreciated.
I thought that I had granted myself permission to do anything by using the policytool to modify the file c:\winnt\profiles\administ
I don't know if the problem is with my use of the policytool or in my applet. Does my applet need to request permission to perform the operation?
Help will be much appreciated.
ASKER
OK, I've included the policy file below. I can put my classes in a jar file and sign it, but I was hoping to avoid that during development.
-------------------------- ---------- ---------- -
/* AUTOMATICALLY GENERATED ON Sun Apr 21 18:41:40 EDT 2002*/
/* DO NOT EDIT */
grant codeBase "http://127.0.0.1",
principal com.sun.security.auth.NTUs erPrincipa l * {
permission java.security.AllPermissio n;
};
--------------------------
/* AUTOMATICALLY GENERATED ON Sun Apr 21 18:41:40 EDT 2002*/
/* DO NOT EDIT */
grant codeBase "http://127.0.0.1",
principal com.sun.security.auth.NTUs
permission java.security.AllPermissio
};
Try:
grant codeBase "http://127.0.0.1/-"
{
permission java.security.AllPermissio n;
};
Though I'd be wary granting all permissions :)
grant codeBase "http://127.0.0.1/-"
{
permission java.security.AllPermissio
};
Though I'd be wary granting all permissions :)
ASKER
No luck. I even tried
grant codeBase "http://-"
{
permission java.security.AllPermissio n;
};
but I still get the socketpermission exception.
grant codeBase "http://-"
{
permission java.security.AllPermissio
};
but I still get the socketpermission exception.
jic it's not picking up the user policy settings, try changing the system java.policy file (make sure you change the right one).
What version of the plugin are you using?
What version of the plugin are you using?
ASKER
I have 2 .java.policy files on my machine, but navigator may be using neither of them. I have edited both of them to be what I posted earlier. The two files are in
c:\Program Files\java\2re1.4.0\bin
and c:\winnt\Profiles\Administ rator
How do I determine which version of the plugin Navigator is using?
c:\Program Files\java\2re1.4.0\bin
and c:\winnt\Profiles\Administ
How do I determine which version of the plugin Navigator is using?
Not .java.policy, the system policy files are named java.policy
You can find out the version from the Java console.
You can find out the version from the Java console.
ASKER
Still not there. I've changed every java.policy file on my machine to be
grant codeBase "http://*"
{
permission java.security.AllPermissio n;
};
byt I still get this stack trace:
java.security.AccessContro lException : access denied (java.net.SocketPermission localhost:1024- listen,resolve)
at java.security.AccessContro lContext.c heckPermis sion(Acces sControlCo ntext.java :270)
at java.security.AccessContro ller.check Permission (AccessCon troller.ja va:401)
at java.lang.SecurityManager. checkPermi ssion(Secu rityManage r.java:542 )
at java.lang.SecurityManager. checkListe n(Security Manager.ja va:1128)
at java.net.DatagramSocket.bi nd(Datagra mSocket.ja va:326)
at java.net.DatagramSocket.<i nit>(Datag ramSocket. java:129)
at AppTest$UDPSendThread.run( AppTest.ja va:132)
grant codeBase "http://*"
{
permission java.security.AllPermissio
};
byt I still get this stack trace:
java.security.AccessContro
at java.security.AccessContro
at java.security.AccessContro
at java.lang.SecurityManager.
at java.lang.SecurityManager.
at java.net.DatagramSocket.bi
at java.net.DatagramSocket.<i
at AppTest$UDPSendThread.run(
ASKER
Sorry, it was and is "http://-"
How do I know that I am using the plugin rather than the default JVM?
the URL of my test page is
http://coherentconcept/misc/AppTest.htm
and my class files are in the same folder.
How do I know that I am using the plugin rather than the default JVM?
the URL of my test page is
http://coherentconcept/misc/AppTest.htm
and my class files are in the same folder.
> How do I know that I am using the plugin rather than the
> default JVM?
check which console is being used.
> default JVM?
check which console is being used.
ASKER
It appears that the plugin is being used. This is at the top of the console.
Java(TM) Plug-in: Version 1.4.0
Using JRE version 1.4.0 Java HotSpot(TM) Client VM
User home directory = C:\WINNT\Profiles\Administ rator
Proxy Configuration: Browser Proxy Configuration
Another thing that is a little odd:
I put the class files in a jar file and signed the jar file with my test certificate. I specified the jar file in the archive attribute of the <Applet> tah. I was a little surprised when Internet Explorer popped up information about the test certificate and gave me a chance to grant permission. I granted it, and the applet ran fine. Unfortunately, it doesn't seem to make any difference for Navigator 6, still the same stack trace.
Java(TM) Plug-in: Version 1.4.0
Using JRE version 1.4.0 Java HotSpot(TM) Client VM
User home directory = C:\WINNT\Profiles\Administ
Proxy Configuration: Browser Proxy Configuration
Another thing that is a little odd:
I put the class files in a jar file and signed the jar file with my test certificate. I specified the jar file in the archive attribute of the <Applet> tah. I was a little surprised when Internet Explorer popped up information about the test certificate and gave me a chance to grant permission. I granted it, and the applet ran fine. Unfortunately, it doesn't seem to make any difference for Navigator 6, still the same stack trace.
> attribute of the <Applet> tag.
I could be wrong but I didn't think that NS supported using the plugin with the <applet> tag. I thought the only way was to use the <embed> tag.
I could be wrong but I didn't think that NS supported using the plugin with the <applet> tag. I thought the only way was to use the <embed> tag.
ASKER
I think we've almost got it. I clicked refresh in Navigator, got the cert pop-up, granted permission, and the applet ran fine.
I double-checked the IE thing, and sure enough, the cert pop-window is really there. Verisign has told me that I will have to buy separate certs for the two browsers. I am using IE 6, so maybe that has something to do with it.
I double-checked the IE thing, and sure enough, the cert pop-window is really there. Verisign has told me that I will have to buy separate certs for the two browsers. I am using IE 6, so maybe that has something to do with it.
ASKER
If I remove the "archive" attribute, neither browser runs the applet properly. I was hoping that I wouldn't have to sign during testing.
Changing the policy file should work.
In fact I just completed a project where we did exactly that.
In fact I just completed a project where we did exactly that.
From what you've told me the permission entry you need is:
grant codeBase "http://coherentconcept/misc/-"
{
permission java.net.SocketPermission "localhost:1024", "listen,resolve";
};
grant codeBase "http://coherentconcept/misc/-"
{
permission java.net.SocketPermission "localhost:1024", "listen,resolve";
};
ASKER
I wish that I could report that it worked, but it didn't.
I'm wondering if my policy file is in the right place. I have 4 on my machine, but perhaps none of them is in the right place. I don't mind so much having extra ones, but I would like to have one that is in the right place. Wher should the policy file be located?
I'm wondering if my policy file is in the right place. I have 4 on my machine, but perhaps none of them is in the right place. I don't mind so much having extra ones, but I would like to have one that is in the right place. Wher should the policy file be located?
My two are in:
<jdk>/jre/lib/security
<jre>/1.3.1_01/lib/securit y
Might also be worth getting rid of all you user policy files. (Maybe an error in these is stopping anything else getting picked up).
<jdk>/jre/lib/security
<jre>/1.3.1_01/lib/securit
Might also be worth getting rid of all you user policy files. (Maybe an error in these is stopping anything else getting picked up).
ASKER
Which version of Navigator are you using?
ASKER
I looked at the URL below, and it seems to imply that the policy file is in the directory with the applet.
http://java.sun.com/docs/books/tutorial/security1.2/toolsign/wstep4.html
http://java.sun.com/docs/books/tutorial/security1.2/toolsign/wstep4.html
> Which version of Navigator are you using?
I'm using IE6.
But the browser has nothing to do with the policy file, it is used by the plugin.
I'm using IE6.
But the browser has nothing to do with the policy file, it is used by the plugin.
> it seems to imply that the policy file is in the
> directory with the applet.
That doesn't make any sense, if you wre loading the applet from a web server (as is the norm) then were would you put it?
No the system policy files are stored in the directory mentioned above. And user policy files I believe are stored in the users home directory.
> directory with the applet.
That doesn't make any sense, if you wre loading the applet from a web server (as is the norm) then were would you put it?
No the system policy files are stored in the directory mentioned above. And user policy files I believe are stored in the users home directory.
ASKER
Is there any environment variable involved?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Finally, success!!!
This file did the job.
-------------------------- ---------- ---------- --
grant {
permission java.security.AllPermissio n;
};
-------------------------- ---------- ---------- -
saved in c:\winnt\profiles\Administ rator\.jav a.policy
I will certainly need to tighten it up, but the applet does work now. I do almost no web surfing, so there's not too much danger.
This file did the job.
--------------------------
grant {
permission java.security.AllPermissio
};
--------------------------
saved in c:\winnt\profiles\Administ
I will certainly need to tighten it up, but the applet does work now. I do almost no web surfing, so there's not too much danger.
ASKER
Thanks for keeping me pointed in the right direction.
> request permission to perform the operation?
Nope.
Can we see your policy file?