Unable to configure AllPermission for an intranet applet. Can anyone help?

Posted on 2024-08-11 17:14:45

After doing a lot of reading and testing I've been unable to give all permissions to an intranet applet through the codeBase grant option.
This applet needs full permissions because it will have to access driver libs for OCR readers (which also write image files to HDD) and other such external devices.

I've configured my java.policy file and added the following:


grant codebase "http://myIntranetServer/-" {
permission java.security.AllPermission;
};

After reloading the policy file in the console, and even restarting the browser, I get a java.security.AccessControlException: access denied for many of my operations, including reading the "user.name" system property, which is not granted by default.

For debugging I've also tried giving the all permission by default and it works, so my problem is basically related to the codeBase option.
I am running Windows 7 and Linux clients, with JRE1.6-u17, and both have the same behavior.

Can anyone help?

Thanks in advance,

MadeiraA

Comments (2)

帥小哥 2024-08-18 17:14:45

I'm not sure if I understood your last comment correctly. As you state two (for me) different things:

  • You use plugin.jar (which means to me your java calls javascript functions)
  • "I call the same functions from the Javascript" (which means to me your javascript calls java functions)

I assume the latter one is the right interpretation.

If you just call java methods (via liveconnect) which don't do anything security related all is ok. And you can just do (assuming applet with id="myapplet") myapplet.safeMethod(); directly in your javascript code.

The main problem with calling java methods, which do something normally restricted for applets, from javascript is that the calls seem to run in a different context in the JVM than the applet itself. Thus they are treated as unprivileged code and you get the AccessControlException. While, e.g. like in my other answer, methods which are executed by the applet itself get the right permissions and are executed.

Now if you read this LiveConnect Support in the New Java™ Plug-In Technology, in section 2.8 Security Model of JavaScript-to-Java Calls, SUN states:

"When a JavaScript-to-Java call is made, the JavaScript code is modeled as though it were coming from an untrusted applet whose code origin is the document base (i.e., the URL of the directory containing the document)."

I read this as: If applet and javascript come from the same site then the javascript-to-java calls should run with the same permissions as the applet itself. Which in our case means with whatever rights we set in our grant.

But this only works in Opera for me. FF and IE6 both throw AccessControlException. But it might still work out for you in all browsers.

The following code has two methods userName2() and userName(). userName2() WFM in all browsers. userName() only works in Opera. Check by pushing the buttons on the html page.

As you can see, userName2() is not usable like this for a real use case (can only be called once). But you can look into a solution someone else came up with when having a similar problem, and accordingly extend userName2():

Java Applet using LiveConnect

Additionally you might consider something I didn't try out. All calls from javascript-to-java do nothing security related, just (if needed) pass in data and return immediately. Then the applet does the actual work (like in the link shown above). Then, when finished, the applet could fire a callback into the html page via the JSObject (plugin.jar).

TestApp.java

import java.applet.Applet;
import java.awt.*;
import java.security.AccessControlException;

public class TestApp extends Applet {
  Label output = new Label("What is the value of user.name?");
  String userName;
  // Created when the applet is constructed; reads the property on its own thread.
  Thread access = new Thread() {
    @Override
    public void run() {
      try {
        userName = System.getProperty("user.name");
      } catch (AccessControlException e) {
        userName = "Oops, failed in thread. No read permissions!";
      }
    }
  };
  public void init() {
    setLayout(new BorderLayout());
    add(BorderLayout.CENTER, output);
  }
  // "hacky thread version": the read runs on the applet's thread, not in the calling LiveConnect thread.
  // A Thread can be started only once, so this method works for a single call only.
  public String userName2() throws InterruptedException {
    access.start();
    access.join();
    output.setText(userName);
    return userName;
  }
  // "liveconnect version": the read runs directly inside the JavaScript-to-Java call.
  public String userName() {
    String userName = "Oops, failed in liveconnect-context. No read permissions!";
    try {
      userName = System.getProperty("user.name");
    } catch (AccessControlException e) {
      e.printStackTrace();
    }
    output.setText(userName);
    return userName;
  }
}

test.html

<html><head><title>test</title></head><body>
  <applet id="myapplet" code="TestApp" width="350px" height="80px"></applet><br>
  <input type="button" value="liveconnect version" onclick="javascript:alert(myapplet.userName());"><br>
  <input type="button" value="hacky thread version" onclick="javascript:alert(myapplet.userName2());">
</body></html>

Policy: .java.policy (created manually in C:/Documents and Settings/[USERNAME]/. Note the leading .)

grant codeBase "http://[domain].xxx/-" {
  permission java.util.PropertyPermission "user.name", "read";
};
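
One way to extend the thread approach from the answer above so that it can be called more than once, as an added example (not code from the answer): a worker thread created in init() inherits the applet's access control context, and the JavaScript-facing method only queues a fixed request and waits for the result. The class name WorkerApplet, the request queue and the 5-second timeout are assumptions; it targets the same Java 6 applet API as the code above.

```java
import java.applet.Applet;
import java.security.AccessControlException;
import java.util.concurrent.*;

public class WorkerApplet extends Applet {
  // Requests queued by JavaScript-to-Java calls, executed on the applet's own thread.
  private final BlockingQueue<FutureTask<String>> requests =
      new LinkedBlockingQueue<FutureTask<String>>();
  private Thread worker;

  @Override
  public void init() {
    // A thread inherits the access control context of the code that constructs it,
    // so build and start it here, not lazily inside a method called from JavaScript.
    worker = new Thread("applet-worker") {
      @Override
      public void run() {
        try {
          while (true) requests.take().run();
        } catch (InterruptedException e) {
          // destroy() was called: stop the worker
        }
      }
    };
    worker.setDaemon(true);
    worker.start();
  }

  @Override
  public void destroy() { worker.interrupt(); }

  // Callable from JavaScript any number of times. It takes no caller-supplied
  // arguments, so page script can only trigger this one fixed operation.
  public String userName() throws Exception {
    FutureTask<String> task = new FutureTask<String>(new Callable<String>() {
      public String call() {
        try {
          return System.getProperty("user.name");
        } catch (AccessControlException e) {
          return "Oops, failed in worker thread. No read permissions!";
        }
      }
    });
    requests.put(task);
    return task.get(5, TimeUnit.SECONDS);
  }
}
```

A thread pool that creates its threads on first use would construct them inside the LiveConnect call and inherit that call's restricted context, which is why the worker here is started in init().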

⒈起吃苦の倖褔 2024-08-18 17:14:45

Tried it myself now.

  • class files + html file located on a server http://[domain].xxx/~someusername/somefolder/
  • class files + html file located on local file system C:/Documents and Settings/[USERNAME]/Desktop/somefolder

Policy: .java.policy (located in C:/Documents and Settings/[USERNAME]/. Note the leading .)

When using these, the applet works and displays [USERNAME]:

grant codeBase "file:///-" {
  permission java.util.PropertyPermission "user.name", "read";
};
grant codeBase "http://[domain].xxx/-" {
  permission java.util.PropertyPermission "user.name", "read";
};

Then I used these (reloaded policy file in java console) and the applet fails to display [USERNAME]:

grant codeBase "file:///c/*" {
  permission java.util.PropertyPermission "user.name", "read";
};
grant codeBase "http://[domain].xxx/*" {
  permission java.util.PropertyPermission "user.name", "read";
};

Applet: TestApp.java

import java.applet.Applet;
import java.awt.*;
import java.awt.event.*;
import java.security.*;

public class TestApp extends Applet {
  Label output = new Label("What is the value of user.name?");
  public void init() {
    Button button = new Button("Click me!");
    setLayout(new BorderLayout());
    add(BorderLayout.NORTH, button);
    add(BorderLayout.CENTER, output);
    button.addActionListener(
      new ActionListener() {
        @Override
        public void actionPerformed( ActionEvent ev ) {
          try {
            output.setText(System.getProperty("user.name"));
          } catch (AccessControlException e) {
            output.setText("Oops, failed. No read permissions");
          }
        }
      }
    );
  }
}

HTML: index.html

<html><body>
  <applet code="TestApp.class" width=350 height=80></applet>
</body></html>

I'm a little confused right now. You state that the above grant statement doesn't work and at the same moment state that "giving the all permission by default ... works"?

A few questions

  • What browser are you using?
  • Which java.policy file did you edit / Where did you place it?
  • What does the URL really look like? Is myIntranetServer something that can be resolved via DNS? If not, maybe java has some problem applying the rule.
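
The two policy variants tested above differ only in the codeBase suffix: a trailing `/-` matches everything below that path recursively, while `/*` matches only files directly in that directory, so `http://[domain].xxx/*` does not reach classes under `/~someusername/somefolder/`. The following added example (not code from the thread) prints which locations each codeBase pattern covers, using `java.security.CodeSource.implies`, which applies the same matching rules; the host `intranet.example` and the sample paths are constructed for illustration.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {
  // Unsigned CodeSource for a URL: the form both a grant's codeBase and loaded code take.
  static CodeSource source(String url) throws Exception {
    return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
  }

  // True when code loaded from codeUrl is covered by a grant whose codeBase is grantUrl.
  static boolean covered(String grantUrl, String codeUrl) throws Exception {
    return source(grantUrl).implies(source(codeUrl));
  }

  public static void main(String[] args) throws Exception {
    String host = "http://intranet.example";            // constructed host name
    String appletDir = host + "/~someusername/somefolder/";
    String[] grants = {
      host + "/-",       // whole server, recursive
      host + "/*",       // files directly in the server root only
      appletDir + "*",   // files directly in the applet's folder only
      appletDir + "-",   // the applet's folder, recursive
    };
    String[] locations = {
      host + "/TestApp.class",
      appletDir,                          // directory used as the applet's codebase
      appletDir + "TestApp.class",
      appletDir + "lib/ocr.jar",          // constructed sub-directory JAR
      host + "/~otheruser/Other.class",   // constructed unrelated code on the same host
    };
    for (String grant : grants) {
      System.out.println("grant codeBase \"" + grant + "\"");
      for (String loc : locations) {
        System.out.printf("    %-7s %s%n", covered(grant, loc) ? "covers" : "misses", loc);
      }
    }
  }
}
```

A grant scoped to the applet's own folder covers the applet without extending the same permissions to every other path served by that host.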