Continued from the previous article
http://1259988502.iteye.com/admin/blogs/2303384
I encountered another applet application error:
java.security.AccessControlException: access denied (java.util.PropertyPermission createClassLoader)
This time, modifying the policy file and so on did not work. Finally, I decided to add a digital signature to this applet.
I found this article online:
JAVA's java.policy --- Applet digital signature
This problem gave me a headache. I found a lot of information about the Java security policy on the Internet, and it was mostly theory. I modified the java.policy file in the JRE's \lib\security\ directory as follows:

    //grant codeBase "file:${{java.ext.dirs}}-" {
    permission java.security.AllPermission;
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.io.FilePermission "<<ALL FILES>>", "write";
    permission java.util.PropertyPermission "*", "write,read";
    permission java.util.PropertyPermission "user.dir", "read";
    };

It still didn't work after the modification. Why! It's a headache. In the end, I still had to use a digital signature for the applet. Generating the digital signature is not enough by itself: you must also clear the IE cache once, otherwise it will keep reporting the same error.

The following are the steps of the digital signature.

Step 1: (jar file)

1. You can use eclipse to import the jar file.
2. You can use commands such as: jar -cvf MyApplet.

The following is written in the embedded Applet section:

    <APPLET
        CODEBASE = "."
        CODE = "jcomponent.FileReaderApplet.class"
        ARCHIVE = "MyClass.jar"
        NAME = "TestApplet"
        WIDTH = 400 HEIGHT = 300
        HSPACE = 0 VSPACE = 0
        ALIGN = middle >
    </APPLET>

Step 3: (generate certificate and signature)

1. The following command generates a keystore:

    keytool -genkey -keystore pepper.store -alias pepper

After it runs, a keystore file named pepper.store should be generated in c:/admin. Here pepper is my own name; you can change it. When you run the command you will be prompted to enter the password of the keystore. You must remember it, otherwise you will not be able to enter it when you use the keystore later.

2. The following command generates the certificate to be used for the signature; pepper can again be replaced with the name you need:

    keytool -export -keystore pepper.store -alias pepper -file pepper.cert

After this command is executed, a pepper.cert file is generated in c:/admin.

3. The following command signs our jar file with the certificate generated above:

    jarsigner -keystore pepper.store MyApplet.jar pepper

Step 4: Create a new policy file and register it (modify the file)

1. Create a file named applet.policy in c:/admin with the following contents:

    keystore "file:c:/admin/pepper.store", "JKS";
    grant signedBy "pepper" {
        permission java.io.FilePermission "<<ALL FILES>>", "read";
    };

This file allows applets signed by pepper to have read permission for all local files.

2. Modify java.security in the ${java.home}/jre/lib/security directory and find the following two lines:

    policy.url.1=file:${java.home}/lib/security/java.policy
    policy.url.2=file:${user.home}/.java.policy

Add a third line below them:

    policy.url.3=file:c:/admin/applet.policy

After this modification, the applet.policy file we created earlier takes effect.

Step 5: (convert html file)

Run the HTMLConvert tool mentioned earlier to convert the original FileReaderApplet.html into the following form:

    <!--"CONVERTED_APPLET"-->
    <!-- CONVERTER VERSION 1.3 -->
    <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
        WIDTH = 400 HEIGHT = 300 NAME = "TestApplet" ALIGN = middle VSPACE = 0 HSPACE = 0
        codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,0,0">
    <PARAM NAME = CODE VALUE = "jcomponent.FileReaderApplet.class" >
    <PARAM NAME = CODEBASE VALUE = "." >
    <PARAM NAME = ARCHIVE VALUE = "MyApplet.jar" >
    <PARAM NAME = NAME VALUE = "TestApplet" >
    <PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
    <PARAM NAME="scriptable" VALUE="false">
    <COMMENT>
    <EMBED type="application/x-java-applet;version=1.3"
        CODE = "jcomponent.FileReaderApplet.class" CODEBASE = "." ARCHIVE = "MyApplet.jar"
        NAME = "TestApplet" WIDTH = 400 HEIGHT = 300 ALIGN = middle VSPACE = 0 HSPACE = 0
        scriptable=false
        pluginspage="http://java.sun.com/products/plugin/1.3/plugin-install.html"><NOEMBED></COMMENT>
    </NOEMBED></EMBED>
    </OBJECT>
    <!--
    <APPLET CODE = "jcomponent.FileReaderApplet.class" CODEBASE = "." ARCHIVE = "MyApplet.jar"
        WIDTH = 400 HEIGHT = 300 NAME = "TestApplet" ALIGN = middle VSPACE = 0 HSPACE = 0>
    </APPLET>
    -->
    <!--"END_CONVERTED_APPLET"-->

Don't be put off by how complicated this looks; all of it is generated automatically by the HTMLConvert tool. The tool has both a command-line and a graphical mode of operation. Now this applet can run its file reading and writing functions.

If you want to deploy this applet on the Internet, you don't need to repeat the above steps on every client. You just need to create a directory on your server, such as c:/admin, and map this directory as www.testApplet.com/admin. Here www.testApplet.com is a hypothetical URL. Put pepper.cert, pepper.store, FileReaderApplet.html, MyApplet.jar and applet.policy in this directory, and then modify the applet.policy file as follows:

    keystore "http://www.testApplet.com/admin/pepper.store", "JKS";
    grant signedBy "pepper" {
        permission java.io.FilePermission "<<ALL FILES>>", "read";
    };

Each client then only needs to modify its java.security file in the ${java.home}/jre/lib/security directory as follows:

    policy.url.1=file:${java.home}/lib/security/java.policy
    policy.url.2=file:${user.home}/.java.policy
    policy.url.3=http://www.testApplet.com/admin/applet.

Of course, each client still needs to install the JRE.

If Tomcat is used for the domain name binding, the directory needs to be mapped in the tomcat\conf\server.xml file:

    <Context path="" docBase="Mapped directory" debug="1" reloadable="true"></Context>
Thanks to:
http://blog.sina.com.cn/s/blog_888269b2010138i3.html
My own test: after completing step 3, I restarted the service and could then call the applet method normally. Because my own applet method is embedded in a JSP page in a web system, I feel that after step 4, it is unnecessary.
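
A small audit of the policy entries the steps above create, added here as an example (it is not part of the original post or of the JDK): it parses keystore and grant entries and reports the broad ones, such as a keystore URL fetched over plain http, AllPermission, "<<ALL FILES>>", or write access to every property. The rule names and SAMPLE_POLICY are constructed from the article's own entries; only signedBy/codeBase scoping and whole-line // comments are handled.

```python
import re

# Constructed sample: the server-hosted applet.policy plus the java.policy grant from the article.
SAMPLE_POLICY = '''
keystore "http://www.testApplet.com/admin/pepper.store", "JKS";
grant signedBy "pepper" {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant codeBase "file:${{java.ext.dirs}}-" {
    permission java.security.AllPermission;
    permission java.util.PropertyPermission "*", "write,read";
};
'''

KEYSTORE_RE = re.compile(r'keystore\s+"([^"]+)"')
# Header and body skip over quoted strings, so braces inside "${{...}}" do not end a grant.
GRANT_RE = re.compile(r'\bgrant((?:\s+\w+\s+"[^"]*"\s*,?)*)\s*\{((?:[^"}]|"[^"]*")*)\}\s*;')
SCOPE_RE = re.compile(r'(signedBy|codeBase)\s+"([^"]*)"')
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


def audit(policy_text):
    """Return (rule, detail) findings for broad entries in a Java policy file."""
    text = re.sub(r'(?m)^\s*//.*$', '', policy_text)  # drop whole-line comments
    findings = []
    for url in KEYSTORE_RE.findall(text):
        if url.lower().startswith("http:"):  # signer certificates fetched without TLS
            findings.append(("keystore-over-http", url))
    for header, body in GRANT_RE.findall(text):
        scope = SCOPE_RE.findall(header)
        who = ", ".join(f"{k}={v}" for k, v in scope) or "ALL CODE"
        if not scope:  # no signedBy/codeBase: the grant applies to every class
            findings.append(("unscoped-grant", who))
        for cls, target, actions in PERM_RE.findall(body):
            if cls == "java.security.AllPermission":
                findings.append(("all-permission", who))
            elif cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                findings.append(("all-files:" + actions, who))
            elif (cls == "java.util.PropertyPermission" and target == "*"
                  and "write" in actions):
                findings.append(("property-write-any", who))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_POLICY):
        print(f"{rule:20} {detail}")
```

A keystore created with keytool -genkey also holds the signing private key, while the policy's keystore entry is only used to look up the signer's certificate, which is why the published keystore URL is reported.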