从 javascript 调用时,签名的小程序给出 AccessControlException: 访问被拒绝

发布于 2024-07-25 11:05:23 字数 2277 浏览 10 评论 0原文

我有一个简单的自签名小程序(使用 keytool 和 jarsigner 完成):

public class NetAppletLauncher extends JApplet {

    private static final long serialVersionUID = 1L;

    public void init() {
        exec("notepad c:/hello.txt");
    }

    public void exec(String command) {

        try {

            // launch EXE and grab stdin/stdout and stderr
            Process process = Runtime.getRuntime().exec(command);
            //      OutputStream stdin = process.getOutputStream();
            InputStream stderr = process.getErrorStream();
            InputStream stdout = process.getInputStream();

            // "write" the parms into stdin
//          stdin.write(arguments.getBytes());
//          stdin.flush();
//          stdin.close();

            // clean up if any output in stdout
            String line = "";
            BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stdout] " + line);
            }
            brCleanUp.close();

            // clean up if any output in stderr
            brCleanUp = new BufferedReader(new InputStreamReader(stderr));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stderr] " + line);
            }
            brCleanUp.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }

    }

}

基本上,它的作用是执行“notepad c:/hello.txt”。

然后我将小程序嵌入到 html 中:

<applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet>

当我访问该页面时,JRE 启动并询问我是否要启动此小程序以及我是否信任它。 我按确定。 然后记事本启动 - 正如它应该的那样。 这里没问题。

但是然后我将其添加到 HTML 页面中:

<p class="link" onclick="document.applet.exec('calc');">remote desktop2</p>

现在,当我按下此文本时,计算应该开始 - 对吗? 但这给了我:

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
  • 这是怎么回事? 为什么它现在给我一个安全异常,但它之前可以启动记事本?

I have an easy self-signed an applet (done with keytool and the jarsigner):

public class NetAppletLauncher extends JApplet {

    private static final long serialVersionUID = 1L;

    public void init() {
        exec("notepad c:/hello.txt");
    }

    public void exec(String command) {

        try {

            // launch EXE and grab stdin/stdout and stderr
            Process process = Runtime.getRuntime().exec(command);
            //      OutputStream stdin = process.getOutputStream();
            InputStream stderr = process.getErrorStream();
            InputStream stdout = process.getInputStream();

            // "write" the parms into stdin
//          stdin.write(arguments.getBytes());
//          stdin.flush();
//          stdin.close();

            // clean up if any output in stdout
            String line = "";
            BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stdout] " + line);
            }
            brCleanUp.close();

            // clean up if any output in stderr
            brCleanUp = new BufferedReader(new InputStreamReader(stderr));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stderr] " + line);
            }
            brCleanUp.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }

    }

}

Basically, what it does, is that it executes 'notepad c:/hello.txt'.

Then i embed the applet in html:

<applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet>

When i visit the page, JRE starts and asks me if i want to start this applet and if i trust it. I press ok. Then notepad starts - as it should. No problem here.

But then i add this into the HTML-page:

<p class="link" onclick="document.applet.exec('calc');">remote desktop2</p>

Now when i press on this text, calc should start - right? But this gives me:

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
  • whats up with this? Why does it give me a security exception now, but it could start notepad before?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

[浮城] 2024-08-01 11:05:23

Java 2 安全模型(大致)要求堆栈上的每个帧都必须被授予访问控制上下文 (acc) 的权限,才能拥有该权限。 JavaScript 位于堆栈上,没有文件访问权限。

The Java 2 security model requires (roughly) that every frame on the stack must be granted a permission for the access control context (acc) to have that permission. JavaScript is on the stack and does not have file access permissions.

樱花坊 2024-08-01 11:05:23

解决了这个问题,在 Java 中:

exec(getParameter("command"));

然后在 JavaScript 中:

<script type="text/javascript">

function exec( command ) {

    var applet = "<applet id='applet' style='visibility: hidden' name='applet' archive='NetAppletLauncher4.jar' code='src.NetsetAppletLauncher' width='20' height='20' MAYSCRIPT ><param name='command' value='" + command + "' />Sorry, you need a Java-enabled browser.</applet>";

    var body = document.getElementsByTagName("body")[0];
    var div = document.createElement("div");
    div.innerHTML = applet;
    body.appendChild(div);

}

</script>

Solved the problem with, in Java:

exec(getParameter("command"));

and then in JavaScript:

<script type="text/javascript">

function exec( command ) {

    var applet = "<applet id='applet' style='visibility: hidden' name='applet' archive='NetAppletLauncher4.jar' code='src.NetsetAppletLauncher' width='20' height='20' MAYSCRIPT ><param name='command' value='" + command + "' />Sorry, you need a Java-enabled browser.</applet>";

    var body = document.getElementsByTagName("body")[0];
    var div = document.createElement("div");
    div.innerHTML = applet;
    body.appendChild(div);

}

</script>
最美的太阳 2024-08-01 11:05:23

我同意:禁止从 javascript 操作签名的小程序,解决方法是在页面文档中用 javascript 重写小程序标签。

我发现这个来源有一些理论证明我们是对的
http://docs.oracle.com/javase/tutorial/deployment /applet/security.html#jsNote

I agree : it is prohibited to manipulate a signed applet from javascript, and the workaround is to rewrite the applet tag in javascript in the page document.

I found this source with a bit of theory proving we are right
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote

温柔女人霸气范 2024-08-01 11:05:23

实际上,从 javascript 调用 applet 的行为与调用未签名的 applet 相同(如 jsnote 中所指定: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote
这很好,并且当您使用不允许更改的类时是有效的,但由于您是 java 类的作者,因此您始终可以包装需要从 javascript 调用以在特权中执行的特定方法。模式,像这样:

AccessController.doPrivileged(new PrivilegedAction<String>() {
    @Override
    public String run() {
        exec(command);
        return null;
    }
});

它应该可以正常工作。 (这是 @Jean-Philippe Jodoin 的赞同评论中建议的内容,但那里提供的链接已损坏)

Actually, calling applet from javascript behaves as calling unsigned applet (as specified in the jsnote: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote.
That is fine and is valid when you're using a class you are not allowed to change, but since you're the author of the java class you can always wrap that specific method you need to call from javascript to be executed in the privileged mode, like this:

AccessController.doPrivileged(new PrivilegedAction<String>() {
    @Override
    public String run() {
        exec(command);
        return null;
    }
});

And it should work ok. (This is what is suggested in the upvoted comment by @Jean-Philippe Jodoin but the link provided there is broken)

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文