Re: Java Web Start Permissions

From Novice <novice@example..com>
Newsgroups comp.lang.java.programmer
Subject Re: Java Web Start Permissions
Date 2012-01-23 19:04 +0000
Organization Your Company
Message-ID <Xns9FE38F38EA53Bjpnasty@46.4.102.18>
References <Xns9FE2D3AAA51CFjpnasty@94.75.214.39> <jfiikv$qcd$1@dont-email.me>


Knute Johnson <nospam@knutejohnson.com> wrote in
news:jfiikv$qcd$1@dont-email.me: 

> On 1/22/2012 5:48 PM, Novice wrote:
>> Does anyone here know about permissions in Java Web Start?
>>
>> I'm starting to learn how to use Java Web Start. After a bumpy start,
>> I finally succeeded in getting some Hello World applets and
>> applications to work perfectly via Java Web Start.
>>
>> Now I'm working on a considerably more sophisticated application and
>> bumping into issues involving permissions. For example, the first
>> error I am getting is:
>>
>> access denied ("java.util.PropertyPermission" "user.name" "read")
>>
>> I'm also expecting to need permission to write logs, although I
>> haven't gotten that far into executing my code yet. It's possible
>> that there will be other things that need permission too.
>>
>> Can anyone explain how I give the application the permissions it
>> needs? I've done some googling on this issue and know that policy
>> files are part (or all?) of the solution. I see that there is
>> a master permissions file as well as individual permission files for
>> individual users, situated in their home directories. Is the user's
>> home directory always My Documents in Windows? (I'm only worried
>> about serving Windows users for the moment but I have no idea which
>> version of Windows they'll have: XP, Vista, 7 or whatever.)
>>
>> I'm assuming the JNLP file for the Java Web Start also needs to have
>> something in it to point to the necessary permission. Unfortunately,
>> the documentation I've found so far is NOT very clear and examples
>> are scarce so I'm not sure what needs to happen in the JNLP file.
>>
>> I'm also interested in knowing how the user of the application gives
>> his consent to any permissions I need. For instance, if I create a
>> policy file that gives me permission to do what I need to do, how
>> does the user of the Java Web Start application keep me from doing
>> bad things, like deleting every file on his hard drive? It seems to
>> me that I should only be able to request what I need but that the
>> user of the program needs to be able to look over that request,
>> realize how dangerous or harmless that request is, and then give
>> consent if he is satisfied that it is safe. But how/when does that
>> happen? Do I send him the policy file and then let him eyeball it in
>> a text editor to make sure it's not doing something inappropriate?
>> Then wait for him to put the policy file in the appropriate place?
> 
> The usual method is to sign the .jar file.  The problem with that is 
> having to get a certificate that is recognizable by all the browsers. 
> They are not cheap and you have to renew them.
> 
That might be a viable solution under other circumstances but it isn't 
suitable for my purposes....

> I think it is possible for the user to change a policy file and permit
> things such as file access but I've never done it.
>
That's what I'd like to do, if I can figure out the details. The 
documentation I've found so far only gives intriguing bits and pieces but 
provides no obvious way to get clarification.

For instance, I understand that the "sandbox" architecture means that no 
user properties are accessible. But other documentation suggests that is 
only the default situation and additional permissions can be provided - 
how is not clear yet - which may or may not help me get past the 
restriction on user properties. (I need to access "user.home" so that I 
can store preferences for my program under an appropriate node of a 
preferences tree.) 

I've also seen information about various services in JNLP that will let 
you read and write files from the file system, which would help with 
those aspects of my program, but I'm reluctant to rewrite my applications 
to use JNLP services unless I can be sure they are definitely not going 
to be blocked by Java security. 

> You can self sign your certificate but the browser will pop up a
> dialog to tell the user that the application's digital signature
> cannot be verified.  The user may still allow it to run but that
> really is a big security risk.
> 
> If you want to see an example of that, go to my aviation page and
> click on the VFR Flight Log link.
> 
> http://rabbitbrush.frazmtn.com/aviation
>

I'm not wild about that solution either. _I_ know that my program is 
harmless but I don't want people using it to have to wonder what kind of 
nastiness my program might commit. 

I really prefer some kind of plain English policy file that a user can 
read and be satisfied that nothing bad is going to happen when he runs 
the program. 

Unfortunately, I'm having trouble getting that to work. I've created a 
simple policy file that gives the program permission to read the 
"user.name" property. I've determined the value of the "user.home" 
property on my system and supplied the VM arguments "-Djava.security.main  
-Djava.security.policy=Foo_Security_Policy.txt" in the JNLP file. When I 
run the program with Java Web Start, it either doesn't see or doesn't 
like the policy file because I still get the error about not being able 
to read "user.name". 

Maybe I need to ping Roedy Green; he's had a lot more to do with Java Web 
Start than I have but from his website, he mostly handles security by 
signing jars, not policy files....


-- 
Novice
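
An added example, not part of the original post or thread: the Java program below uses the standard java.security classes to model what a policy entry granting only PropertyPermission "user.name" "read" covers, next to an AllPermission grant for contrast. The class name GrantScopeDemo and the sample requests are constructed for illustration; it checks permission implication only and does not involve Java Web Start or a JNLP file.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example. The narrow grant corresponds to this policy-file entry:
//   grant {
//       permission java.util.PropertyPermission "user.name", "read";
//   };
public class GrantScopeDemo {

    // Permissions conferred by the narrow policy entry shown above.
    static PermissionCollection narrowGrant() {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission("user.name", "read"));
        return granted;
    }

    // For contrast: the grant a fully trusted application receives.
    static PermissionCollection fullTrust() {
        Permissions granted = new Permissions();
        granted.add(new AllPermission());
        return granted;
    }

    public static void main(String[] args) {
        // Requests an application might make at run time (constructed samples).
        Permission[] requests = {
            new PropertyPermission("user.name", "read"),
            new PropertyPermission("user.name", "write"),
            new PropertyPermission("user.home", "read"),
            new FilePermission("logs/app.log", "write"),
            new FilePermission("<<ALL FILES>>", "delete"),
        };
        PermissionCollection narrow = narrowGrant();
        PermissionCollection full = fullTrust();

        System.out.printf("%-7s %-7s %s%n", "narrow", "full", "request");
        for (Permission p : requests) {
            System.out.printf("%-7s %-7s %s \"%s\" \"%s\"%n",
                    narrow.implies(p) ? "allow" : "deny",
                    full.implies(p) ? "allow" : "deny",
                    p.getClass().getSimpleName(), p.getName(), p.getActions());
        }
    }
}
```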
