[SOLVED] Security error with Applet

Started by Mickelukas, May 18, 2009, 18:33:25

Previous topic - Next topic

Mickelukas

This post is also at javagaming.org. Wherever I recieve an answer I'll copy it over to the other place as well. That is the forum I mostly spend my time at so I posted it there first but I guessed it might be smart to post it here as well.

I have an applet that works fine in eclipse and worked fine with the JOGL applet loader but when running it with the LWJGL one I run into a security problem.

All I do is:
new URL(getCodeBase(), "pictures/" + name)
(I tried it with one parameter as well as without a subfolder but it always gives the same error, doing .toString() on the URL gives me the correct URL so it isn't a problem with a slash)

The error I get is:
SecurityException: denied access outside a permitted URL subpath

Do I need to sign my applet when using LWJGL even though I create a connection to the same server as where the applet is located?

I am running on JRE 6u13 with Windows XP.

kappa

really odd issue that, not sure what it could be, only thing relevant on google appears to be http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6766037

Mickelukas

Ya, I saw that one too and was like "huh?".

To clarify:
The html code looks like this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
    <title>AppletLoader</title>
  </head>
  <body>

  <applet code="org.lwjgl.util.applet.AppletLoader" archive="lwjgl_util_applet.jar, lzma.jar" codebase="." width="900" height="500">
  
    <!-- The following tags are mandatory -->
    
    <!-- Name of Applet, will be used as name of directory it is saved in, and will uniquely identify it in cache -->
    <param name="al_title" value="Dreamlandz">
    
    <!-- Main Applet Class -->
    <param name="al_main" value="lwtest.Main">
    
    <!-- logo to paint while loading, will be centered -->
    <param name="al_logo" value="appletlogo.png">
    
    <!-- progressbar to paint while loading. Will be painted on top of logo, width clipped to percentage done -->
    <param name="al_progressbar" value="appletprogress.gif">
    
    <!-- List of Jars to add to classpath -->
    <param name="al_jars" value="dreamlandz2.jar, lwjgl.jar.pack.lzma, jinput.jar.pack.lzma, lwjgl_util.jar.pack.lzma">
    
    <!-- signed windows natives jar in a jar --> 
    <param name="al_windows" value="windows_natives.jar.lzma">
    
    <!-- signed linux natives jar in a jar --> 
    <param name="al_linux" value="linux_natives.jar.lzma">
    
    <!-- signed mac osx natives jar in a jar --> 
    <param name="al_mac" value="macosx_natives.jar.lzma">

    <!-- signed solaris natives jar in a jar --> 
    <param name="al_solaris" value="solaris_natives.jar.lzma">
    
    <!-- Tags under here are optional -->
    
    <!-- Version of Applet, important otherwise applet won't be cached, version change will update applet, must be int or float -->
    <!-- <param name="al_version" value="0.1"> -->
    
    <!-- background color to paint with, defaults to white -->
    <!-- <param name="al_bgcolor" value="000000"> -->
    
    <!-- foreground color to paint with, defaults to black -->
    <!-- <param name="al_fgcolor" value="ffffff"> -->
    
    <!-- error color to paint with, defaults to red -->
    <!-- <param name="al_errorcolor" value="ff0000"> -->
    
    <!-- whether to run in debug mode -->
    <!-- <param name="al_debug" value="true"> -->
    
    <!-- whether to prepend host to cache path - defaults to true -->
    <param name="al_prepend_host" value="false">
    
    <!-- main applet specific params -->
    <!-- <param name="test" value="org.lwjgl.test.opengl.awt.AWTGearsCanvas"> -->
  
  </applet>

  <p>
    if <code>al_debug</code> is true the applet will load and extract resources with a delay, to be able to see the loader process.
  </p>

  </body>
</html>


And the java code looks like this:
package lwtest;

import java.applet.Applet;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;

import javax.imageio.ImageIO;

public class Main extends Applet{

	public void init(){
		try {
			System.out.println(ImageIO.read(new URL(getCodeBase(), "pictures/infra.png")).getWidth());
		} catch (MalformedURLException e) {
			e.printStackTrace();
		} catch (IOException e) {
			e.printStackTrace();
		}
	}
}

kappa

just a question to clarify, this picture your trying to load is it on the server? or in the dreamlandz2.jar?

Mickelukas

Sure, no problem. It's on the server, otherwise my code wouldn't have worked until I loaded it through the applet loader ;)

If I do a .toString() after the URL and copy and paste that URL into the browser it works fine so it exists.

kappa

hmm you could just include resources you need for your applet inside the applet jars instead of on the server, that way you'd avoid this error, is there a specific reason it must be done this way?

Mickelukas

That would work for the pictures but I'm also loading in php pages that needs to be done on the fly.

kappa

hmm, is "getCodeBase()" returning the correct value?

Mickelukas

It works fine when not loading it through the LWJGL applet loader and .toString() retuirns the correct value.

kappa

yes, just trying to establish where the applet loader is going wrong, if you try a System.out.println(getCodeBase()); what is the result?

Mickelukas

The correct one, http://localhost/ if I start it up on localhost, http://127.0.0.1/ if I start it up there.

As I said, the problem is not in the applet itself (as you can see from the code I posted) but how the applet loader treats the applet.

Is no one else than me using URL() in an applet? I thought LWJGL was used by several packages.

Mickelukas

After reading around I believe that I need to sign my own jar even if all I want to do is something that a jar could do without being signed. It has to do with how it's loaded. That is kind of a deal breaker for me so I guess I'm going back to JOGL.

Could someone with more knowledge of LWJGL confirm or decline the above statement?

In the wiki it says:
QuoteAs long as your application doesn't use any features that require signed access, then you should have no problems (If you do need signed access, then you should resign it all with your own valid certificate).

But I guess that is wrong then?

kappa

I've been able to reproduce this issue locally and it seems that it is a bug in the LWJGL AppletLoader, I'll investigate this some more tonight and see if i can come up with a fix.

Mickelukas

Thank you SO much! If you could incorporate this as well:
http://www.javagaming.org/index.php/topic,20435.msg166308.html#msg166308

Quote from: Ken RussellAs an added, though arguably dubious, benefit, if you are running Java SE 6 Update 10 or later you will not even need to accept a security dialog.

I'll never look away from LWJGL ever! :)

kappa

just a quick update, I've managed to get the current LWJGL AppletLoader to work when using a crossdomain.xml file such as crossdomain.xml just put that on the base of your domain where the applet is hosted, its not a proper fix but should get you going for now, will update you once a proper fix is found.