LWJGL Forum

Programming => OpenGL => Topic started by: Mickelukas on May 18, 2009, 18:33:25

Title: [SOLVED] Security error with Applet
Post by: Mickelukas on May 18, 2009, 18:33:25
This post is also at javagaming.org. Wherever I recieve an answer I'll copy it over to the other place as well. That is the forum I mostly spend my time at so I posted it there first but I guessed it might be smart to post it here as well.

I have an applet that works fine in eclipse and worked fine with the JOGL applet loader but when running it with the LWJGL one I run into a security problem.

All I do is:
new URL(getCodeBase(), "pictures/" + name)
(I tried it with one parameter as well as without a subfolder but it always gives the same error, doing .toString() on the URL gives me the correct URL so it isn't a problem with a slash)

The error I get is:
SecurityException: denied access outside a permitted URL subpath

Do I need to sign my applet when using LWJGL even though I create a connection to the same server as where the applet is located?

I am running on JRE 6u13 with Windows XP.
Title: Re: Security error with Applet
Post by: kappa on May 18, 2009, 19:05:12
really odd issue that, not sure what it could be, only thing relevant on google appears to be http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6766037
Title: Re: Security error with Applet
Post by: Mickelukas on May 18, 2009, 19:13:47
Ya, I saw that one too and was like "huh?".

To clarify:
The html code looks like this:
Code: [Select]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
    <title>AppletLoader</title>
  </head>
  <body>

  <applet code="org.lwjgl.util.applet.AppletLoader" archive="lwjgl_util_applet.jar, lzma.jar" codebase="." width="900" height="500">
 
    <!-- The following tags are mandatory -->
   
    <!-- Name of Applet, will be used as name of directory it is saved in, and will uniquely identify it in cache -->
    <param name="al_title" value="Dreamlandz">
   
    <!-- Main Applet Class -->
    <param name="al_main" value="lwtest.Main">
   
    <!-- logo to paint while loading, will be centered -->
    <param name="al_logo" value="appletlogo.png">
   
    <!-- progressbar to paint while loading. Will be painted on top of logo, width clipped to percentage done -->
    <param name="al_progressbar" value="appletprogress.gif">
   
    <!-- List of Jars to add to classpath -->
    <param name="al_jars" value="dreamlandz2.jar, lwjgl.jar.pack.lzma, jinput.jar.pack.lzma, lwjgl_util.jar.pack.lzma">
   
    <!-- signed windows natives jar in a jar -->
    <param name="al_windows" value="windows_natives.jar.lzma">
   
    <!-- signed linux natives jar in a jar -->
    <param name="al_linux" value="linux_natives.jar.lzma">
   
    <!-- signed mac osx natives jar in a jar -->
    <param name="al_mac" value="macosx_natives.jar.lzma">

    <!-- signed solaris natives jar in a jar -->
    <param name="al_solaris" value="solaris_natives.jar.lzma">
   
    <!-- Tags under here are optional -->
   
    <!-- Version of Applet, important otherwise applet won't be cached, version change will update applet, must be int or float -->
    <!-- <param name="al_version" value="0.1"> -->
   
    <!-- background color to paint with, defaults to white -->
    <!-- <param name="al_bgcolor" value="000000"> -->
   
    <!-- foreground color to paint with, defaults to black -->
    <!-- <param name="al_fgcolor" value="ffffff"> -->
   
    <!-- error color to paint with, defaults to red -->
    <!-- <param name="al_errorcolor" value="ff0000"> -->
   
    <!-- whether to run in debug mode -->
    <!-- <param name="al_debug" value="true"> -->
   
    <!-- whether to prepend host to cache path - defaults to true -->
    <param name="al_prepend_host" value="false">
   
    <!-- main applet specific params -->
    <!-- <param name="test" value="org.lwjgl.test.opengl.awt.AWTGearsCanvas"> -->
 
  </applet>

  <p>
    if <code>al_debug</code> is true the applet will load and extract resources with a delay, to be able to see the loader process.
  </p>

  </body>
</html>

And the java code looks like this:
Code: [Select]
package lwtest;

import java.applet.Applet;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;

import javax.imageio.ImageIO;

public class Main extends Applet{

public void init(){
try {
System.out.println(ImageIO.read(new URL(getCodeBase(), "pictures/infra.png")).getWidth());
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}
Title: Re: Security error with Applet
Post by: kappa on May 18, 2009, 19:36:19
just a question to clarify, this picture your trying to load is it on the server? or in the dreamlandz2.jar?
Title: Re: Security error with Applet
Post by: Mickelukas on May 18, 2009, 19:38:01
Sure, no problem. It's on the server, otherwise my code wouldn't have worked until I loaded it through the applet loader ;)

If I do a .toString() after the URL and copy and paste that URL into the browser it works fine so it exists.
Title: Re: Security error with Applet
Post by: kappa on May 18, 2009, 19:40:48
hmm you could just include resources you need for your applet inside the applet jars instead of on the server, that way you'd avoid this error, is there a specific reason it must be done this way?
Title: Re: Security error with Applet
Post by: Mickelukas on May 18, 2009, 19:44:09
That would work for the pictures but I'm also loading in php pages that needs to be done on the fly.
Title: Re: Security error with Applet
Post by: kappa on May 18, 2009, 20:34:45
hmm, is "getCodeBase()" returning the correct value?
Title: Re: Security error with Applet
Post by: Mickelukas on May 18, 2009, 21:00:15
It works fine when not loading it through the LWJGL applet loader and .toString() retuirns the correct value.
Title: Re: Security error with Applet
Post by: kappa on May 18, 2009, 21:41:59
yes, just trying to establish where the applet loader is going wrong, if you try a System.out.println(getCodeBase()); what is the result?
Title: Re: Security error with Applet
Post by: Mickelukas on May 19, 2009, 05:58:23
The correct one, http://localhost/ if I start it up on localhost, http://127.0.0.1/ if I start it up there.

As I said, the problem is not in the applet itself (as you can see from the code I posted) but how the applet loader treats the applet.

Is no one else than me using URL() in an applet? I thought LWJGL was used by several packages.
Title: Re: Security error with Applet
Post by: Mickelukas on May 19, 2009, 12:17:43
After reading around I believe that I need to sign my own jar even if all I want to do is something that a jar could do without being signed. It has to do with how it's loaded. That is kind of a deal breaker for me so I guess I'm going back to JOGL.

Could someone with more knowledge of LWJGL confirm or decline the above statement?

In the wiki it says:
Quote
As long as your application doesn't use any features that require signed access, then you should have no problems (If you do need signed access, then you should resign it all with your own valid certificate).

But I guess that is wrong then?
Title: Re: Security error with Applet
Post by: kappa on May 19, 2009, 12:22:35
I've been able to reproduce this issue locally and it seems that it is a bug in the LWJGL AppletLoader, I'll investigate this some more tonight and see if i can come up with a fix.
Title: Re: Security error with Applet
Post by: Mickelukas on May 19, 2009, 12:48:55
Thank you SO much! If you could incorporate this as well:
http://www.javagaming.org/index.php/topic,20435.msg166308.html#msg166308

Quote from: Ken Russell
As an added, though arguably dubious, benefit, if you are running Java SE 6 Update 10 or later you will not even need to accept a security dialog.

I'll never look away from LWJGL ever! :)
Title: Re: Security error with Applet
Post by: kappa on May 19, 2009, 13:21:40
just a quick update, I've managed to get the current LWJGL AppletLoader to work when using a crossdomain.xml file such as crossdomain.xml (http://kappa.javaunlimited.net/temp/crossdomain.xml) just put that on the base of your domain where the applet is hosted, its not a proper fix but should get you going for now, will update you once a proper fix is found.
Title: Re: Security error with Applet
Post by: Mickelukas on May 19, 2009, 14:13:36
That works indeed, weird stuff.

I added permission java.security.AllPermission; in my java.security file and that also worked around the problem.

A senior Java developer that just walked past my desk and looked at the code of the AppletLoader thought that it might be because of the usage of:
Class.forName(getParameter("al_main"));
he recommended to instead use:
Thread.currentThread().getContextClassLoader().loadClass(getParameter("al_main"));

Don't ask me though because I am not that familiar with the inner workings of Java but it might be an idea :)
Title: Re: Security error with Applet
Post by: kappa on May 22, 2009, 09:20:05
The bug has now been fixed (was a damn ugly issue :)), you should be able to connect to your host as normal.

This should be available in LWJGL 2.2.0 (or whatever the next release is called), should be out soon.

Alternatively if you need updated AppletLoader urgently, you can checkout the code from svn or if you or pop into the #LWJGL irc channel on freenode.net someone will point you to the nightly builds.
Title: Re: Security error with Applet
Post by: Mickelukas on May 22, 2009, 09:40:09
Perfect, thanks :) I see in the SVN that my friend was on the right track but he missed the PermissionCollection.

I'll await 2.2 seeing as the workaround works fine for now.