2

I have a Java applet which is digitally signed.
I need to be able to call a function from JavaScript which writes an XML file into the user folder.

I have got code in the applet's init function which creates a sub-folder, creates a file and appends to that file. This runs without error. When the same code is inside a function (below) which is called directly from JavaScript, an Access Control Exception is thrown:

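```java
// Imports needed by this method (they belong at the top of the applet class file)
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.util.UUID;

// Called directly from JavaScript; this is the version that throws the exception
public boolean createLocalXMLFile(String XML) {
    String path = BaseDirectory.baseDirectory + "\\TestFolder";
    try {
        // Create the sub-folder (returns false if it already exists)
        boolean status;
        status = new File(path).mkdir();

        // Random file name, so the caller does not choose the path
        UUID fName = UUID.randomUUID();

        FileWriter fstream = new FileWriter(path + "\\" + fName + ".xml");
        BufferedWriter out = new BufferedWriter(fstream);
        out.write(XML);
        // Close the output stream
        out.close();

        return true;
    } catch (Exception ex) {
        System.out.println("createXMLError \n" + ex.toString());
        return false;
    }
}
```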

*Note: base directory refers to the user home path.

Java Console Error:

```
java.security.AccessControlException: access denied (java.io.FilePermission C:\Users\Richard\Hytec\AppStore\0d927ab7-74ba-449a-9db4-98e62cd0f53b.txt write)
```

Roman C
R Davies

2 Answers

2

If you call your applet's methods from JavaScript, the resulting permissions are the intersection of your applet's permissions and the JavaScript bridge's permissions - which means in your case, no permissions to access the local file.

To run the code with your applet's permissions, wrap the critical code in AccessController.doPrivileged(...). Of course, first check that this can't do anything malicious, even if called by malicious code.

Paŭlo Ebermann
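
A sketch of the `AccessController.doPrivileged(...)` approach from the answer above, as an added example that is not code from the question or from either answerer. It assumes the method lives in the signed applet's own class (the class name `XmlStore`, the `MAX_XML_CHARS` limit and the use of `user.home` in place of `BaseDirectory.baseDirectory` are illustrative assumptions), and it validates the script-supplied input before entering the privileged block, so a hostile page can neither pick the path nor write unbounded data.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.UUID;

public class XmlStore { // hypothetical name; in practice a method of the applet class
    // Assumption: upper bound on what a page script may write per call.
    private static final int MAX_XML_CHARS = 64 * 1024;

    // Called from JavaScript. Everything the caller controls is checked
    // before the privileged block; the path is never caller-controlled.
    public boolean createLocalXMLFile(final String xml) {
        if (xml == null || xml.length() > MAX_XML_CHARS) {
            return false;
        }
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                // The permission check stops at this frame, so the signed
                // applet's permissions apply instead of the intersection
                // with the JavaScript caller's.
                File dir = new File(System.getProperty("user.home"), "TestFolder");
                if (!dir.isDirectory() && !dir.mkdir()) {
                    return false;
                }
                // File name is generated here, not taken from the script.
                File target = new File(dir, UUID.randomUUID() + ".xml");
                try (Writer out = new OutputStreamWriter(
                        new FileOutputStream(target), "UTF-8")) {
                    out.write(xml);
                    return true;
                } catch (IOException ex) {
                    System.out.println("createXMLError \n" + ex);
                    return false;
                }
            }
        });
    }
}
```

Keep the privileged block as small as this: only the fixed-location write runs with elevated permissions, and nothing inside it is derived from the caller except the validated file content.
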
0

First ensure that your policy file is set with the appropriate permissions. You can set it to all-permissions to debug and make sure that this isn't your problem.

What operating system do you experience this problem on? Do you get the same issue with XP? The reason I ask is because even signed applets with full permissions granted by a policy file do not have full file access on a workstation running Windows Vista or Windows 7.

This is because of the concept of folder integrity levels even when UAC is turned off, http://msdn.microsoft.com/en-us/library/bb625962.aspx

The local applet store by default has an integrity level set to Low which means it is inherently untrusted and processes running from these directories can only have full permissions on files and processes running in other Low integrity directories. System folders have a High integrity and other folders have Medium integrity by default.

These can all be changed fortunately and there is a free command line tool that can help you change a folder's integrity level without using the Control Panel Administrative Tools. http://www.minasi.com/apps/

Hope this all helps.

maple_shaft
  • Thanks for the response, although the signed applet is able to do the same operations from within the init function. I am using win 7, ie9 and have tried chrome and xp with the same response. Updating the policy file is not an option for the environments that the app will be used – R Davies Jul 12 '11 at 11:50
  • I find it odd that you have the rights in the `init()` function but nowhere else. This thread about sums up your dire situation regarding the policy file and Java Applets, http://www.velocityreviews.com/forums/t542064-distributing-java-policy-with-applet-jar.html – maple_shaft Jul 12 '11 at 12:08
  • Assuming what you say is correct, could you create a thread that wakes up every 5 seconds in the init method and checks for a global boolean variable to perform some kind of file IO operation? I know it sounds like a hack but it might work. – maple_shaft Jul 12 '11 at 12:09
  • 1
    Thanks, I've thought of that hack and it may unfortunately be my only option. I am confused as to why the same code works in the init() function; the only thing I can think of is that the code being executed by another process (JavaScript) is what's causing the security violation – R Davies Jul 12 '11 at 12:25