stackoom
  简体   繁体   中英

How can I get a signed Java Applet to perform privileged operations when called from unsigned Javascript?

 原文  2009-06-17 12:25:54       java/ javascript/ security/ applet

Question

Signed Java Applets have the same security clearance as a normal Java application running on the client. For a particular project, I need these permissions, and I need to perform privileged operations as a result of a JavaScript call.

Now, the problem is that, at least for Firefox 3 in Ubuntu (target browser and platform), when an applet method is invoked through unsigned JavaScript it loses its special permissions. As signing the JavaScript is not an option, I need a way to work around this restriction.

One way to achieve this is to create a thread when the applet starts, and call methods on that thread whenever the main thread receives the JavaScript calls. I have implemented a working prototype of that idea, but I have found it a bit clumsy, because it uses too much reflection and isn't as easily reusable as I would have wanted.

Is there a common, standard way of doing what I'm trying to do? And, if my idea is the right way to go, how would you go about implementing it in a reusable way? What I'm trying to achieve is a framework that allows this "running-methods-in-a-privileg-thread" thing to be used for a variety of objects. The ideal, utopic solution would be something like:

// when the applet starts-up
PrivilegedExecuter priv = new PrivilegedExecuter(myObject); //or MyClass.class
// ...
// inside a JavaScript-called method (myObject has myMethod)
priv.myMethod(); // myMethod is run synchronously in a privileged thread

2 answers

solution1
 8 ACCPTED  2009-06-17 12:35:54

Use the java.security.AccessController class.

There is a doPrivilegedAction and doPrivilegedExceptionAction that do exactly what you need.

For example:

AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
               .. do something that only works with signed applets ..
            }
        });

solution2
 0  2012-12-17 19:47:25

It's worth adding: make your privaction'd run() method as small and self-contained as possible. Obviously you could just have your signed applet's init() method call a privileged run() which in turn does the actual applet, but that's just begging to be abused, misused accidentally, or outright exploited.

Also, the fact that signed applets lose their special permissions when called by JavaScript is not specific to a particular browser or platform. That's just how it is, everywhere, all the time.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do I get a java applet signed? How to perform unsigned to signed conversion in Java? Signed Java Applet gives AccessControlException when calling from JavaScript How can I perform operations in JavaScript just like we do pipeline of operations in Java streams? Javascript call java applet signed PrivilegedActionException trying to invoke a signed Java applet from JavaScript signed applet gives AccessControlException: access denied, when calling from javascript How to run a Java applet that is not signed Applet signed throw: java.security.AccessControlException. How can I make it run? How can I test that a java applet is loaded using javascript?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM