Signed applet gives AccessControlException: access denied when called from JavaScript

Posted on 2024-07-25 11:05:23

I have a simple self-signed applet (done with keytool and jarsigner):

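import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

import javax.swing.JApplet;

public class NetAppletLauncher extends JApplet {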

    private static final long serialVersionUID = 1L;

    public void init() {
        exec("notepad c:/hello.txt");
    }

    public void exec(String command) {

        try {

            // launch EXE and grab stdin/stdout and stderr
            Process process = Runtime.getRuntime().exec(command);
            //      OutputStream stdin = process.getOutputStream();
            InputStream stderr = process.getErrorStream();
            InputStream stdout = process.getInputStream();

            // "write" the parms into stdin
//          stdin.write(arguments.getBytes());
//          stdin.flush();
//          stdin.close();

            // clean up if any output in stdout
            String line = "";
            BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stdout] " + line);
            }
            brCleanUp.close();

            // clean up if any output in stderr
            brCleanUp = new BufferedReader(new InputStreamReader(stderr));
            while ((line = brCleanUp.readLine()) != null) {
                //System.out.println ("[Stderr] " + line);
            }
            brCleanUp.close();

        } catch (Exception exception) {
            exception.printStackTrace();
        }

    }

}

Basically, what it does is execute 'notepad c:/hello.txt'.

Then I embed the applet in HTML:

<applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet>

When I visit the page, the JRE starts and asks me if I want to start this applet and if I trust it. I press OK. Then notepad starts, as it should. No problem here.

But then I add this to the HTML page:

<p class="link" onclick="document.applet.exec('calc');">remote desktop2</p>

Now when I click on this text, calc should start, right? But this gives me:

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
    at java.security.AccessControlContext.checkPermission(Unknown Source)

What's up with this? Why does it give me a security exception now, when it could start notepad before?


Comments (4)

[浮城] 2024-08-01 11:05:23

The Java 2 security model requires (roughly) that every frame on the stack must be granted a permission for the access control context (acc) to have that permission. JavaScript is on the stack and does not have file access permissions.

樱花坊 2024-08-01 11:05:23

Solved the problem with, in Java:

exec(getParameter("command"));

and then in JavaScript:

<script type="text/javascript">

function exec( command ) {

    var applet = "<applet id='applet' style='visibility: hidden' name='applet' archive='NetAppletLauncher4.jar' code='src.NetsetAppletLauncher' width='20' height='20' MAYSCRIPT ><param name='command' value='" + command + "' />Sorry, you need a Java-enabled browser.</applet>";

    var body = document.getElementsByTagName("body")[0];
    var div = document.createElement("div");
    div.innerHTML = applet;
    body.appendChild(div);

}

</script>

最美的太阳 2024-08-01 11:05:23

I agree: it is prohibited to manipulate a signed applet from JavaScript, and the workaround is to rewrite the applet tag in JavaScript in the page document.

I found this source with a bit of theory proving we are right
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote

温柔女人霸气范 2024-08-01 11:05:23

Actually, calling an applet from JavaScript behaves like calling an unsigned applet (as specified in the jsnote: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote).
That is fine and is valid when you're using a class you are not allowed to change, but since you're the author of the java class you can always wrap that specific method you need to call from javascript to be executed in the privileged mode, like this:

AccessController.doPrivileged(new PrivilegedAction<String>() {
    @Override
    public String run() {
        exec(command);
        return null;
    }
});

And it should work ok. (This is what is suggested in the upvoted comment by @Jean-Philippe Jodoin but the link provided there is broken)
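
Inside doPrivileged the script's frames no longer count against the permission check, so wrapping exec(command) unchanged runs any string the page's script passes with the signed applet's permissions. As an added example (not code from this thread), a script-facing method can accept only a short action name, map it to a fixed command, and enter doPrivileged after that check; the class name ScriptSafeLauncher, the method names and the allow-list entries are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical script-facing launcher: the page picks an action name, never a command line. */
public class ScriptSafeLauncher {

    // Fixed allow-list: action name -> exact argv (constructed sample entries).
    private static final Map<String, List<String>> ALLOWED;
    static {
        Map<String, List<String>> m = new HashMap<String, List<String>>();
        m.put("notes", Arrays.asList("notepad", "c:/hello.txt"));
        m.put("calc", Arrays.asList("calc"));
        ALLOWED = Collections.unmodifiableMap(m);
    }

    /** Returns the argv for an action, or null if the name is not on the allow-list. */
    static List<String> resolve(String action) {
        return action == null ? null : ALLOWED.get(action);
    }

    /** Intended to be called from JavaScript; returns true if a process was started. */
    public boolean launch(String action) {
        final List<String> argv = resolve(action); // validate BEFORE asserting privilege
        if (argv == null) {
            return false;                          // unknown action: nothing runs
        }
        // Only the process start runs privileged, so the block that ignores the
        // untrusted caller's frames is as small as possible.
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                try {
                    new ProcessBuilder(argv).inheritIO().start();
                    return Boolean.TRUE;
                } catch (IOException e) {
                    return Boolean.FALSE;
                }
            }
        });
    }
}
```

The same lookup applies to the param-based workaround above: pass the action name in the param element and resolve it in init() instead of passing a raw command string.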
