Solved

Need help with policytool, permissions.

Posted on 2002-04-21
Last Modified: 2008-02-01
I am developing an applet which needs to send data to another computer over UDP.  I am having trouble giving myself permission to send data from a UDP socket.

I thought that I had granted myself permission to do anything by using the policytool to modify the file c:\winnt\profiles\administrator\.java.policy, but the applet is still causing a security exception.

I don't know if the problem is with my use of the policytool or in my applet.  Does my applet need to request permission to perform the operation?

Help will be much appreciated.
Question by:garyz31
 
LVL 92

Expert Comment

by:objects
ID: 6958392
> Does my applet need to
> request permission to perform the operation?

Nope.

Can we see your policy file?
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958450
OK, I've included the policy file below.  I can put my classes in a jar file and sign it, but I was hoping to avoid that during development.
-----------------------------------------------

/* AUTOMATICALLY GENERATED ON Sun Apr 21 18:41:40 EDT 2002*/
/* DO NOT EDIT */

grant codeBase "http://127.0.0.1",
      principal com.sun.security.auth.NTUserPrincipal * {
  permission java.security.AllPermission;
};

0
 
LVL 92

Expert Comment

by:objects
ID: 6958474
Try:

grant codeBase "http://127.0.0.1/-"
{
 permission java.security.AllPermission;
};

Though I'd be wary granting all permissions :)
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958534
No luck.  I even tried

grant codeBase "http://-"
{
permission java.security.AllPermission;
};

but I still get the socketpermission exception.
0
 
LVL 92

Expert Comment

by:objects
ID: 6958558
jic it's not picking up the user policy settings, try changing the system java.policy file (make sure you change the right one).

What version of the plugin are you using?
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958629
I have 2 .java.policy files on my machine, but navigator may be using neither of them.  I have edited both of them to be what I posted earlier.  The two files are in
     c:\Program Files\java\2re1.4.0\bin
and     c:\winnt\Profiles\Administrator

How do I determine which version of the plugin Navigator is using?
0
 
LVL 92

Expert Comment

by:objects
ID: 6958645
Not .java.policy, the system policy files are named java.policy

You can find out the version from the Java console.
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958692
Still not there.  I've changed every java.policy file on my machine to be

grant codeBase "http://*"
{
permission java.security.AllPermission;
};

but I still get this stack trace:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost:1024- listen,resolve)
     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
     at java.security.AccessController.checkPermission(AccessController.java:401)
     at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
     at java.lang.SecurityManager.checkListen(SecurityManager.java:1128)
     at java.net.DatagramSocket.bind(DatagramSocket.java:326)
     at java.net.DatagramSocket.<init>(DatagramSocket.java:129)
     at AppTest$UDPSendThread.run(AppTest.java:132)
0
 
LVL 92

Expert Comment

by:objects
ID: 6958707
Are you sure you're running the plugin, and not the default JVM?

Don't think your codebase is right: "http://*"
Should be "http://-" if you want rights to all http URLs.

What is the codebase of your applet?


0
 
LVL 1

Author Comment

by:garyz31
ID: 6958746
Sorry, it was and is "http://-"

How do I know that I am using the plugin rather than the default JVM?

The URL of my test page is

http://coherentconcept/misc/AppTest.htm

and my class files are in the same folder.
0
 
LVL 92

Expert Comment

by:objects
ID: 6958752
> How do I know that I am using the plugin rather than the
> default JVM?

Check which console is being used.
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958779
It appears that the plugin is being used.  This is at the top of the console.

Java(TM) Plug-in: Version 1.4.0
Using JRE version 1.4.0 Java HotSpot(TM) Client VM
User home directory = C:\WINNT\Profiles\Administrator

Proxy Configuration: Browser Proxy Configuration

Another thing that is a little odd:

I put the class files in a jar file and signed the jar file with my test certificate.  I specified the jar file in the archive attribute of the <Applet> tag.  I was a little surprised when Internet Explorer popped up information about the test certificate and gave me a chance to grant permission.  I granted it, and the applet ran fine.  Unfortunately, it doesn't seem to make any difference for Navigator 6, still the same stack trace.
0
 
LVL 92

Expert Comment

by:objects
ID: 6958788
> attribute of the <Applet> tag.

I could be wrong but I didn't think that NS supported using the plugin with the <applet> tag. I thought the only way was to use the <embed> tag.
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958800
I think we've almost got it.  I clicked refresh in Navigator, got the cert pop-up, granted permission, and the applet ran fine.

I double-checked the IE thing, and sure enough, the cert pop-window is really there.  Verisign has told me that I will have to buy separate certs for the two browsers.  I am using IE 6, so maybe that has something to do with it.
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958802
If I remove the "archive" attribute, neither browser runs the applet properly.  I was hoping that I wouldn't have to sign during testing.
0
 
LVL 92

Expert Comment

by:objects
ID: 6958806
Changing the policy file should work.
In fact I just completed a project where we did exactly that.
0
 
LVL 92

Expert Comment

by:objects
ID: 6958861
From what you've told me the permission entry you need is:

grant codeBase "http://coherentconcept/misc/-"
{
   permission java.net.SocketPermission "localhost:1024", "listen,resolve";
};
0
 
LVL 1

Author Comment

by:garyz31
ID: 6958917
I wish that I could report that it worked, but it didn't.

I'm wondering if my policy file is in the right place.  I have 4 on my machine, but perhaps none of them is in the right place.  I don't mind so much having extra ones, but I would like to have one that is in the right place.  Where should the policy file be located?
0
 
LVL 92

Expert Comment

by:objects
ID: 6958926
My two are in:

<jdk>/jre/lib/security
<jre>/1.3.1_01/lib/security

Might also be worth getting rid of all your user policy files. (Maybe an error in these is stopping anything else getting picked up).
0
 
LVL 1

Author Comment

by:garyz31
ID: 6959550
Which version of Navigator are you using?  
0
 
LVL 1

Author Comment

by:garyz31
ID: 6960747
I looked at the URL below, and it seems to imply that the policy file is in the directory with the applet.

http://java.sun.com/docs/books/tutorial/security1.2/toolsign/wstep4.html
0
 
LVL 92

Expert Comment

by:objects
ID: 6961142
> Which version of Navigator are you using?  

I'm using IE6.
But the browser has nothing to do with the policy file, it is used by the plugin.
0
 
LVL 92

Expert Comment

by:objects
ID: 6961150
> it seems to imply that the policy file is in the
> directory with the applet.

That doesn't make any sense, if you were loading the applet from a web server (as is the norm) then where would you put it?

No, the system policy files are stored in the directory mentioned above. And user policy files I believe are stored in the user's home directory.

0
 
LVL 1

Author Comment

by:garyz31
ID: 6961171
Is there any environment variable involved?
0
 
LVL 92

Accepted Solution

by:
objects earned 75 total points
ID: 6961180
> Is there any environment variable involved?

no
0
 
LVL 1

Author Comment

by:garyz31
ID: 6961515
Finally, success!!!

This file did the job.
------------------------------------------------
grant {

permission java.security.AllPermission;

};
-----------------------------------------------
saved in c:\winnt\profiles\Administrator\.java.policy

I will certainly need to tighten it up, but the applet does work now.  I do almost no web surfing, so there's not too much danger.
0
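The grant entries tried in this thread can be evaluated with the JDK's own matching classes, which helps when narrowing a blanket AllPermission grant down to the one permission named in the stack trace. This is an added example, not code from the original posts; the class name PolicyMatchCheck and the class URL under http://127.0.0.1/misc/ are constructed for illustration. In policy syntax an exact codeBase matches only that URL, a trailing "/*" covers one directory, a trailing "/-" covers the directory tree, and a port written "1024-" means 1024 and above.

```java
import java.net.SocketPermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Added example: checks policy entries with the same classes the runtime uses.
public class PolicyMatchCheck {

    // Does a granted SocketPermission target cover the target that was denied?
    static boolean socketCovers(String grantedTarget, String neededTarget) {
        String actions = "listen,resolve"; // actions reported in the stack trace
        return new SocketPermission(grantedTarget, actions)
                .implies(new SocketPermission(neededTarget, actions));
    }

    // Does a grant's codeBase cover the URL a class was loaded from?
    static boolean codeBaseCovers(String codeBase, String classUrl) throws Exception {
        CodeSource granted = new CodeSource(new URL(codeBase), (Certificate[]) null);
        CodeSource loaded = new CodeSource(new URL(classUrl), (Certificate[]) null);
        return granted.implies(loaded);
    }

    public static void main(String[] args) throws Exception {
        // Target taken from the AccessControlException in the thread.
        String needed = "localhost:1024-";

        // Single port versus the port range the runtime asked for.
        String[] targets = { "localhost:1024", "localhost:1024-" };
        for (String t : targets) {
            System.out.println("SocketPermission \"" + t + "\" covers \""
                    + needed + "\": " + socketCovers(t, needed));
        }

        // Constructed class location: one directory below the server root.
        String loadedFrom = "http://127.0.0.1/misc/AppTest.class";

        // Exact URL, one-directory wildcard, recursive wildcard.
        String[] codeBases = {
            "http://127.0.0.1", "http://127.0.0.1/*", "http://127.0.0.1/-"
        };
        for (String cb : codeBases) {
            System.out.println("codeBase \"" + cb + "\" covers " + loadedFrom
                    + ": " + codeBaseCovers(cb, loadedFrom));
        }
    }
}
```

A grant whose codeBase and SocketPermission target both report true here is a candidate replacement for the AllPermission entry.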
 
LVL 1

Author Comment

by:garyz31
ID: 6961519
Thanks for keeping me pointed in the right direction.
0
 
LVL 92

Expert Comment

by:objects
ID: 6961527
Happy to help :-)

http://www.objects.com.au
Brainbench MVP for Java 1
http://www.brainbench.com
0
