Java Applet With Quicksilver - Help to configure appropriate security privileges
Most detailed and secure version
Creating the necessary policies with "policytool"
- start "policytool". (included in j2se, sdk, jre)
- by default this tries to load the user-policies. In UNIX this is the file "$HOME/.java.policy", in WindowsXP something like "C:\Documents and Settings\<your login name>\.java.policy". If this file doesn't exist an error message appears. Create that file as an empty file with the name as given in the error message.
- click "add policy entry"
- click "add permission"
- for granting access to a property do:
- select "Property Permission" in the Drop-Down List titled "Permission:"
- For "Target Name:" enter "java.protocol.handler.pkgs"
- select "read, write" as allowed actions
- optionally set the codebase to the one the Quicksilver-Applet is from. This could be for example "http://www.usf.uos.de/projects/quicksilver/applets/quicksilver.jar". The exact location depends on the actual webpage. Also look into the page source under the APPLET-Tag. Append the value of "codebase" and then the value of the quicksilver archive (usually "quicksilver.jar") to the base URL the webpage is from.
This restricts the access-permission to code originating from the given codebase. This should be preferred if maximum security is desired.
Repeat this for the properties
- java.class.path (read-only)
- user.home (read-only)
- user.dir (read-only)
- quicksilver.applet.archives (read/write)
- quicksilver.applet.codebase (read/write)
At least now the Quicksilver-Applet should load if you added the codebase "http://www.usf.uos.de/projects/quicksilver/applets/quicksilver.jar". That means, you see something like this in your browser window:
|
Snapshot image
|
Real applet
|
|---|
|
|
If above You see the same image twice, the Quicksilver applet already loads correctly.
Next would be to load a model-file by klicking on 
. But since loading a file requires access to the file-system, some more security-permissions are required. Quicksilver also has a configuration file which it wants to save and therefore read and write access is required. Undoubtedly it is not a good idea to grant this privilege to each and every applet and so the codebase for the policy-entry should also be set. Which codebase depends on where you're loading the applet from. Set the codebase for example to
- "file://your/local/webpage-path/applets/quicksilver.jar" if you have the page on your local harddisk
- "http://www.usf.uos.de/projects/quicksilver/tutorial/applets/quicksilver.jar" if you read the quicksilver tutorial online from the institutes web-server
If you have more than one location from where you want to load the Quicksilver applet from, repeat all the steps described on this page for each one of them. Or open the policy-file in an editor and copy the entries by hand. If unsure view an explanation on how to copy such an entry.
For granting acces to the file-system and setting the code-base of the appropriate policy, open policytool again.
- load the user-policies. This should already be done by default.
- select the entry You've created before. It should be named like "CodeBase <ALL>"
- click "edit policy entry"
- click "add permission"
- select "FilePermission" in the Drop-Down List titled "Permission:"
- For "Target Name:" select "<<ALL FILES>>"
- insert "read, write" as allowed actions
- insert a value for codebase as discussed above.
The other permissions required are:
- RuntimePermission: modifyThread, accessDeclaredMembers, accessClassInPackage.sun.misc
- ReflectPermission: suppressAccessChecks
Unfortunately, future versions of Quicksilver might require additional security privileges. The policy file has to be edited again then. If you don't want this (and if you've set the codebase carefully), you also can grant all privileges by just adding the "allPermission".
If you have any comments or corrections to this explanation please send an email to jaetzold@usf.uos.de.