Using Digital Signatures to Exceed Java Applet Security Restrictions

Source: Internet
Author: User
The goal of this article can be achieved by combining these technologies. The following is the target code for this article, an applet that can read the local file system:

Code 1

package jcomponent;

import java.awt.*;
import java.awt.event.*;
import java.applet.*;
import java.io.*;

public class FileReaderApplet extends Applet {
    boolean isStandalone = false;
    TextField fileNameField;
    TextArea fileArea;

    // Get a parameter value
    public String getParameter(String key, String def) {
        return isStandalone ? System.getProperty(key, def) :
            (getParameter(key) != null ? getParameter(key) : def);
    }

    // Construct the applet
    public FileReaderApplet() {
    }

    // Initialize the applet
    public void init() {
        try {
            jbInit();
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Component initialization
    private void jbInit() throws Exception {
        this.setSize(new Dimension(400, 300));
        this.setLayout(new BorderLayout());
        Panel panel = new Panel();
        Label label = new Label("File Name");
        panel.add(label);
        fileNameField = new TextField(25);
        panel.add(fileNameField);
        Button b = new Button("Open File");
        b.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                loadFile(fileNameField.getText());
            }
        });
        panel.add(b);
        this.add(panel, BorderLayout.NORTH);
        fileArea = new TextArea();
        this.add(fileArea, BorderLayout.CENTER);
    }

    // Read the named file line by line into the text area.
    // Without a matching FilePermission grant, opening the file throws SecurityException.
    public void loadFile(String fileName) {
        try {
            BufferedReader reader = new BufferedReader(new FileReader(fileName));
            String context = new String();
            while ((context = reader.readLine()) != null) {
                fileArea.append(context + "\n");
            }
            reader.close();
        } catch (IOException ie) {
            fileArea.append(ie.getMessage());
        } catch (SecurityException se) {
            fileArea.append("because of security constraint ,it can not do that!");
        }
    }

    // Get Applet information
    public String getAppletInfo() {
        return "This is an applet can read and write the local file system";
    }
}

If you embed the code into a webpage and execute it, a SecurityException occurs when you try to open a local file. Follow the steps below to give the applet permission to read and write files. Before that, you need the following tools: JDK 1.1 or above, the JRE, and htmlconvert. These tools are available free of charge on Sun's Java site. Install each of them. We will store all the files involved in C:/admin.

The package name must match the package of the class being packaged.

Step 1: (package the class file)

Execute the following statement in the command line:

jar -cvf myapplet.jar class

Note that all .class files are stored in a class directory. After this step is completed, a file named myapplet.jar will be generated in C:/admin.

Step 2: (embed an applet in a webpage)

The name of this webpage is filereaderapplet.html. The following is the method used to embed the Applet:

<APPLET
CODEBASE = "."
CODE = "jcomponent.FileReaderApplet.class"
ARCHIVE = "MyApplet.jar"
NAME = "TestApplet"
WIDTH = 400
HEIGHT = 300
HSPACE = 0
VSPACE = 0
ALIGN = middle
>
</APPLET>

After this step is completed, the applet can be displayed. However, the local file system cannot be read or written.

Step 3: (generate the certificate and signature)

Run the following command in the command line environment:

1. keytool -genkey -keystore pepper.store -alias pepper

This command generates a keystore. After execution, a pepper.store file should be generated in C:/admin. Pepper is my own name; you can change it. You are also prompted to enter a password for the keystore when executing the command. You must remember it; otherwise, you cannot enter it when it is needed later.

2. keytool -export -keystore pepper.store -alias pepper -file pepper.cert

This command generates the certificate used for the signature. Here, too, pepper can be replaced with the name you need. After this command is executed, a pepper.cert file is generated in C:/admin.

3. jarsigner -keystore pepper.store myapplet.jar pepper

This command uses the certificate generated above to sign our JAR file.
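
To confirm that step 3 produced what a signedBy "pepper" policy entry expects, the signed JAR can be checked against the exported certificate. This is an added example, not code from the original article; the class name VerifySignedJar is hypothetical, and it assumes myapplet.jar and pepper.cert are in the current directory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper class (not from the article).
public class VerifySignedJar {

    // True only if every non-META-INF entry carries a valid signature
    // whose signer certificate equals the expected one.
    static boolean signedBy(String jarPath, Certificate expected) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            byte[] buf = new byte[8192];
            boolean sawEntry = false;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: directories and META-INF (manifest, signature files) are skipped.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only available once the entry has been read
                // to the end; a modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();  // null if the entry is unsigned
                boolean match = false;
                if (signers != null) {
                    for (CodeSigner s : signers) {
                        // The first certificate in the path is the signer's own certificate.
                        if (s.getSignerCertPath().getCertificates().get(0).equals(expected)) match = true;
                    }
                }
                if (!match) return false;
                sawEntry = true;
            }
            return sawEntry;
        }
    }

    public static void main(String[] args) throws Exception {
        Certificate pepper;
        try (InputStream in = new FileInputStream("pepper.cert")) {
            pepper = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(signedBy("myapplet.jar", pepper) ? "signed by pepper" : "NOT signed by pepper");
    }
}
```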

Step 4: (modify files)

1. Create a file named applet.policy in C:/admin. Its content is as follows:

keystore "file:c:/admin/pepper.store", "JKS";
grant signedBy "pepper" {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};

This file allows the applet signed by pepper to have the read permission for all local files.

2. Edit java.security in the ${java.home}/JRE/lib/security directory and find the following two lines:

policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

Add a third line below them:

policy.url.3=file:c:/admin/applet.policy

After this modification is completed, the applet.policy file created earlier takes effect.
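
The scope of the grant in applet.policy can be checked with the same FilePermission logic the security manager applies when the applet opens a file. This is an added example, not code from the original article; the class name GrantScopeDemo, the directory /admin/data and the sample paths are hypothetical. It compares the article's "<<ALL FILES>>" read grant with a grant limited to one directory tree.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.PermissionCollection;
import java.security.Permissions;

// Hypothetical demo class (not from the article).
public class GrantScopeDemo {

    // Permission set that a single FilePermission line in a grant block gives the applet.
    static PermissionCollection grant(String target, String actions) {
        Permissions p = new Permissions();
        p.add(new FilePermission(target, actions));
        return p;
    }

    // The decision made when code asks to open 'path' for 'action'.
    static boolean allowed(PermissionCollection granted, String path, String action) {
        return granted.implies(new FilePermission(path, action));
    }

    public static void main(String[] args) {
        String sep = File.separator;
        String dataDir = sep + "admin" + sep + "data";              // hypothetical directory

        PermissionCollection allFiles = grant("<<ALL FILES>>", "read");     // the article's grant
        PermissionCollection scoped = grant(dataDir + sep + "-", "read");   // one directory tree only

        // Constructed sample requests: { path, action }
        String[][] requests = {
            { dataDir + sep + "report.txt", "read" },
            { sep + "users" + sep + "alice" + sep + "notes.txt", "read" },
            { dataDir + sep + "report.txt", "write" },
        };
        for (String[] r : requests) {
            System.out.printf("%-5s %-28s allFiles=%-5b scoped=%b%n",
                r[1], r[0], allowed(allFiles, r[0], r[1]), allowed(scoped, r[0], r[1]));
        }
    }
}
```

The write request is refused under both grants because the policy lists only the "read" action; the second read request is allowed only by the "<<ALL FILES>>" grant.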

Step 5: (convert HTML files)

Convert the original filereaderapplet.html file into the following format:

<!--"CONVERTED_APPLET"-->
<!-- CONVERTER VERSION 1.3 -->
<OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
WIDTH = 400 HEIGHT = 300 NAME = "TestApplet" ALIGN = middle VSPACE = 0 HSPACE = 0 codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,0,0">
<PARAM NAME = CODE VALUE = "jcomponent.FileReaderApplet.class" >
<PARAM NAME = CODEBASE VALUE = "." >
<PARAM NAME = ARCHIVE VALUE = "MyApplet.jar" >
<PARAM NAME = NAME VALUE = "TestApplet" >
<PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
<PARAM NAME="scriptable" VALUE="false">
<COMMENT>
<EMBED type="application/x-java-applet;version=1.3" CODE = "jcomponent.FileReaderApplet.class" CODEBASE = "." ARCHIVE = "MyApplet.jar" NAME = "TestApplet" WIDTH = 400 HEIGHT = 300 ALIGN = middle VSPACE = 0 HSPACE = 0 scriptable=false pluginspage="http://java.sun.com/products/plugin/1.3/plugin-install.html"><NOEMBED></COMMENT>
</NOEMBED></EMBED>
</OBJECT>
<!--
<APPLET CODE = "jcomponent.FileReaderApplet.class" CODEBASE = "." ARCHIVE = "MyApplet.jar" WIDTH = 400 HEIGHT = 300 NAME = "TestApplet" ALIGN = middle VSPACE = 0 HSPACE = 0>
</APPLET>
-->
<!--"END_CONVERTED_APPLET"-->

The markup here looks complicated, but it is generated automatically by the htmlconvert tool. This tool can be run in two ways: from the command line or through a graphical interface.

Now, this applet can perform the file reading and writing functions. If you want to deploy this applet on the Internet, you do not need to perform the above steps on all clients. You only need to create a directory on your server, such as C:/admin, and map this directory to www.testapplet.com/admin. Here, www.testapplet.com is a hypothetical Web site. Store pepper.cert, pepper.store, filereaderapplet.html, myapplet.jar, and applet.policy in this directory, and then modify the applet.policy file as follows:

keystore "http://www.testApplet.com/admin/pepper.store", "JKS";
grant signedBy "pepper"
{ permission java.io.FilePermission "<<ALL FILES>>", "read";
};

3. Each client only needs to modify the java.security file in its ${java.home}/JRE/lib/security directory as follows:

policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.url.3=http://www.testApplet.com/admin/applet.policy

Of course, the JRE needs to be installed on each client, but current browsers install it automatically.
