I have a signed applet. To implement some plugin architecture I download and store to disk a JAR file with specific classes.

Then I load these classes with `URLClassLoader`. So, now I try to invoke some method from the loaded class and I have a security issue.

It seems the "sign-token" cannot be checked by the `SecurityManager` when a class is loaded by `URLClassLoader`. Anybody know how to solve this problem?

Thanks a lot!

Loading.

```java
URLClassLoader loader = new URLClassLoader(
        new URL[] {libraryArchive.toURI().toURL()},
        Compress.class.getClassLoader());
```

Invocation.

```java
...
org.palettelabs.comm.desktopcapture.pim.Library lib = libraryClass.newInstance();
final Compress compressingLibrary = (Compress) lib;
File file = AccessController.doPrivileged(new PrivilegedExceptionAction<File>() {

    @Override
    public File run() {
        try {
            File file = compressingLibrary.compress(filesList);
            return file;
        } catch (Exception e) {
            Logger.error("applet: compress: invocation external library error", e);
            return null;
        }
    }

});
```

Exception.

```
2011-09-16 16:00:08,550 [SwingWorker-pool-1-thread-4] ERROR - applet: compress: invocation external library error
java.security.AccessControlException: access denied (java.io.FilePermission /tmp/dca-palettelabs-storage/test/compress/linux32ffmpeg.jar-extractedFiles/org/palettelabs/comm/desktopcapture/libs/compress/linux32 read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        at java.io.File.exists(File.java:731)
        at java.io.File.mkdirs(File.java:1181)
        at org.palettelabs.comm.desktopcapture.pim.Library.extract(Library.java:31)
        at org.palettelabs.comm.desktopcapture.libs.compress.linux32.Linux32.compress(Linux32.java:17)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:77)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:1)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.compress(UploadingWorker.java:72)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:57)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:1)
        at javax.swing.SwingWorker$1.call(SwingWorker.java:277)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
        at java.util.concurrent.FutureTask.run(FutureTask.java:138)
        at javax.swing.SwingWorker.run(SwingWorker.java:316)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
```

Nikolay Antipov
  • Thanks for the feedback. The applet works fine without a security manager when it runs from applet-launcher under Eclipse. – Nikolay Antipov Sep 16 '11 at 14:47
  • Thanks! But can you explain to me how it can be implemented? The browser uses a special plugin which invokes the JVM to run the applet. How can I change the default `SecurityManager` to mine? – Nikolay Antipov Sep 19 '11 at 08:03
  • Thanks a lot! Works fine. I've extended the `SecurityManager` class and declared proper rules for validation of my classes. Please post your answer as an answer to my question, I'd like to mark it as the best solution. – Nikolay Antipov Sep 20 '11 at 06:20
  • Done! Glad you got it sorted. :-) – Andrew Thompson Sep 20 '11 at 06:37

2 Answers

Install a custom security manager that allows code from the right code base (package, whatever..) to perform that action.

To do that, call `System.setSecurityManager(myManager)`. (As you managed to figure) `myManager` is an extension of `SecurityManager`.

It requires a trusted applet to set a security manager.

Andrew Thompson
  • Set the `SecurityManager` in **an applet**?? – Tom Hawtin - tackline Oct 05 '11 at 16:22
  • @Tom I don't understand your question. – Andrew Thompson Oct 05 '11 at 19:56
  • So if you set a security manager in an applet, it affects all applets from everywhere within the same process. You don't want to do that. (Also, you don't want two different applets doing that.) – Tom Hawtin - tackline Oct 05 '11 at 21:49
  • Yes, you're right. But my own `SecurityManager` checks the signature of loaded classes. So I can guarantee the security of my "dynamic" code. What other applets can be loaded by this process? For each applet a new instance of the JVM will be created. – Nikolay Antipov Oct 07 '11 at 07:19
  • It has become more common for applets to have their own VM. OTOH if you can launch your applet at your site in a separate VM, someone else can launch *your* applet at *their* site so it shares a VM with other applets, one of which might be the 'Trojan horse' that uploads the user's sensitive information and then wipes the disks. You probably don't want your digital signature being the one that pops up for the user to approve in that circumstance. Security is not trivial, the stakes are high and the bad guys very clever. – Andrew Thompson Oct 09 '11 at 22:56

Use an appropriate subclass of `java.security.SecureClassLoader` to assign an appropriate `ProtectionDomain` to the loaded classes. Of course, making sure that these classes are to be trusted by some mechanism (e.g. signed with a certificate you trust for such purposes).

Tom Hawtin - tackline
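
The approach in this second answer, as an added example (not code from either answerer or from the asker's project): a `URLClassLoader` subclass, which is itself a `SecureClassLoader`, that gives plugin classes extra file permissions only when their JAR entry was signed by a pinned certificate. `SignedPluginLoader`, `trustedSigner` and `workDir` are hypothetical names, and the `FilePermission` set granted is an assumption based on the stack trace in the question.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example: scoped permissions for plugin classes signed by a pinned certificate. */
public class SignedPluginLoader extends URLClassLoader {
    private final X509Certificate trustedSigner; // assumption: pinned cert shipped inside the signed applet
    private final String workDir;                // assumption: the only directory the plugin may touch

    public SignedPluginLoader(URL pluginJar, ClassLoader parent,
                              X509Certificate trustedSigner, String workDir) {
        super(new URL[] { pluginJar }, parent);
        this.trustedSigner = trustedSigner;
        this.workDir = workDir;
    }

    /** Called by defineClass when it builds the ProtectionDomain for a code source. */
    @Override
    protected PermissionCollection getPermissions(CodeSource codeSource) {
        // URLClassLoader's defaults: read access to the plugin JAR itself.
        PermissionCollection perms = super.getPermissions(codeSource);
        if (isSignedByTrustedSigner(codeSource)) {
            // Least privilege: the work directory and everything below it, nothing else.
            perms.add(new FilePermission(workDir, "read,write"));
            perms.add(new FilePermission(workDir + File.separator + "-", "read,write"));
        }
        return perms;
    }

    /** True only if the verified signer certificates include the pinned one. */
    private boolean isSignedByTrustedSigner(CodeSource codeSource) {
        if (codeSource == null) return false;
        // The JAR verifier fills this in for signed entries; unsigned classes yield null.
        Certificate[] certs = codeSource.getCertificates();
        if (certs == null) return false;
        for (Certificate cert : certs) {
            if (cert.equals(trustedSigner)) return true;
        }
        return false;
    }
}
```

Classes in the JAR that are unsigned, or signed by any other certificate, keep only the default permissions, so the `AccessControlException` from the question still applies to them.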