Java applet is not supporting the Authenticator.setDefault

Question

I want to do simple HTTP authentication in a Java applet, which I am trying this way:

static class MyAuthenticator extends Authenticator
        {
            public PasswordAuthentication getPasswordAuthentication()
                {
            // I haven't checked getRequestingScheme() here, since for NTLM
            // and Negotiate, the usrname and password are all the same.
            System.err.println("Feeding username and password for " + getRequestingScheme());
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
            }
        }
    public void paint(Graphics g) {
        try
        {
        //  String authenticate=Authenticator.getPasswordAuthentication();
             Authenticator.setDefault(new MyAuthenticator());
             URL url = new URL("http://Ip_address/jpg/image.jpg");
             InputStream ins = url.openConnection().getInputStream();
             BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
             String str;
               while((str = reader.readLine()) != null)
                  System.out.println(str);

          //int s=2+2;

            g.drawString("hello world", 50, 60 );
        }
        catch (Exception e)
        {
            System.out.println("Exception : "+ e);
        }
    }

But I am getting error at this line

Authenticator.setDefault(new MyAuthenticator());

The exception is:

Exception : java.security.AccessControlException: access denied 
    (java.net.NetPermission setDefaultAuthenticator)

Can anyone tell me that what to do now, or how to authenticate a website inside from Java applet?

Stephen C · Answer 1 · 2012-06-07T15:37:28.450

1

You've run into a security sandbox restriction. Apparently, it is a security concern for an untrusted applet to be changing the default authenticator. (I imagine it is because a nasty applet could use this to steal authentication details supplied by the user.)

Whatever the reason for the restriction, one solution is to sign the JAR file for your applet. See this page of the Oracle Tutorials for details.

edited Jun 07 '12 at 15:37

answered Jun 07 '12 at 14:14

Stephen C

698,415
94
811
1,216

Is not there any command/method/class that can change the security parameters for the specific applet? – Azeem Akram Jun 08 '12 at 05:59
Not from within the applet. That would defeat the purpose of security sandboxes. (Q: what would be the first thing that nasty applet do? A: turn off the security checks that prevent it from doing nasty things!) – Stephen C Jun 08 '12 at 07:38
So is there any other method that can do the basic Http Authentication in java applet? – Azeem Akram Jun 08 '12 at 07:41
I'm sure you can do Basic Authentication by setting the appropriate Headers (as per the RFC) using a hard-wired username and password. The point of the `Authenticator` API is (typically) to ask the user to supply the information. But it is an obvious security failure if an untrusted applet is allowed to ask the user to tell it that information via a UI that looks like it should be trusted. – Stephen C Jun 08 '12 at 10:49
Modifying global state in a shared environment is a really bad idea (not a great idea in other code either). – Tom Hawtin - tackline Jun 09 '12 at 17:23
Yes, there is that too. (OP - Tom is refering to the fact that there may be other (unrelated) applets running in the JVM. Changing the default authenticator in one applet will change it for others.) – Stephen C Jun 10 '12 at 03:39

Java applet is not supporting the Authenticator.setDefault

1 Answers1