Applet Security Problem Connecting to Jaguar

I've been racking my brain for a while now trying to get a signed applet
connecting to a CORBA object on a Jaguar server, without success.  I have
signed all the JAR files associated with my applet, including the Sybase
deployment libraries, using the Netscape 1.3 Object Signing kit.  This works
fine.

When I open the web page, the applet loads, I get the security warning from
the Java 1.3 Plugin, tell it to give the applet permissions and continue.  I
even have a piece of code that confirms the Applet has
java.security.AllPermission privilege, which it does.  However, on the
InitialContext.lookup function, I get a "No Session" InitialContext
Exception.  It seems the InitialContext object is unable to connect.

If, however, I create a manual entry in the java.policy file in the JRE
directory (using a text editor) giving java.security.AllPermissions to all
Java applets, it works fine.

Obviously, this is not an ideal solution, since it does not allow seamless
downloading of the applet.

Does anyone know of any special security requirements when using signed
applets connecting to Jaguar CORBA objects?



--
Marc D. Lennox, P. Eng.
Project Leader
Mxi Technologies Ltd.
1430 Blair Place, Suite 800
Ottawa, ON, Canada K1J 9N2
E: marc.lennox@mxi.com
T: 613.747.4698 ext 212
F: 613.747.1909
www.mxi.com


Marc
8/7/2000 4:43:38 AM

Welcome to Java Plugin 1.3.  :-)

The Java Plugin requires that all security be set using the java.policy file
before the applet loads.  This is to prevent an applet from granting itself
permissions while inside the browser (which it could then use to break into
your computer).

The only way to solve this problem is to edit the java.policy file to allow
the socket to connect.


Jonathan Baker
Internet Applications Division




Jonathan
8/7/2000 9:30:35 PM
I don't buy that.  As I said in my first post, I have code that checks the
run-time permissions.  When the prompt comes up asking if I trust the
applet, I can either choose Yes, No or Always.  If I choose "No", I get the
security exception.  If I choose "Yes" or "Always", it passes the security
check, but the Jaguar connection still fails.

The whole point of Object Signing is to allow seamless permission granting
to Applets.

Marc
8/7/2000 10:57:07 PM
Marc,

We only encounter a problem in the Netscape JVM (could be 1.1.5 to 1.1.8), where
you have to explicitly call the privilege (we don't have a complete solution
yet) right beside the IIOP connect statement (you can't even write the call
privilege at the beginning or in another method) and you can connect to a
different host.

However, in IE, once you call the privilege at the beginning of your applet,
you can bypass the sandbox restriction anywhere.

We would like to know the proper handling as well.  Please suggest.

Regards,
Victor

Victor
8/8/2000 8:53:24 AM
I experienced the same problem as you but I left the Plugin 1.3 solution
behind feeling it was inferior to Servlets acting as a proxy to Jaguar.  I
don't know if the Jaguar connection issue is a bug but I signed the heck out
of everything and had no success until I used the Policy Tool from Sun.  The
Policy Tool created a file that indicates the applet is coming from a
trusted site.  A file called java.security needs to be modified, a line
added in that file: policy.url.3=file:YourPolicyFile  (see similar lines in
the file) where YourPolicyFile is the fully qualified filename to the policy
file created by the policy tool.  Then the Jaguar connection succeeded.  The
rights we granted to the site were full permission, which seemed fine as long
as we were not disabling the sandbox for all sites.

But as I said, we went the servlet route because:
A. The Plugin is not supported on Macintosh.
B. Distribution becomes more complicated. The client will already have a JVM.
   The security file needs to be modified on the client.
C. Servlets are seamless to the client.

HTH,

Tim

Tim
8/8/2000 7:23:43 PM
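
The java.policy workaround from the first post (AllPermission for every applet) and the site-scoped policy file described in the reply above differ only in the header of the grant entry, which makes the difference easy to check mechanically. The following Python audit is an added example, not code from this thread or from Sybase; the host names, signer alias, port and severity labels are constructed for illustration.

```python
import re

# Constructed sample policy: host names, signer alias and port are placeholders.
SAMPLE_POLICY = r'''
// 1. java.policy workaround from the first post: every applet gets everything
grant {
    permission java.security.AllPermission;
};

/* 2. full permission, but only for code loaded from one site */
grant codeBase "http://apps.example.com/applet/-" {
    permission java.security.AllPermission;
};

// 3. only the outbound connection, only for one signer and one site
grant signedBy "appsigner", codeBase "http://apps.example.com/applet/-" {
    permission java.net.SocketPermission "jaguar.example.com:9000", "connect,resolve";
};
'''

# String literals are matched before comments so "http://..." is never cut at "//".
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'\bgrant\b([^{]*)\{([^}]*)\}\s*;', re.I)
_ATTR = re.compile(r'\b(signedBy|codeBase)\s+"#(\d+)"', re.I)
_PERM = re.compile(r'\bpermission\s+([\w.$]+)((?:\s*,?\s*"#\d+")*)', re.I)


def _mask(text):
    """Drop comments and replace each string literal with a "#n" placeholder,
    so braces in values such as "${java.home}" cannot confuse the grant regex."""
    strings = []

    def repl(match):
        token = match.group(0)
        if token[0] != '"':
            return ' '                      # a comment: remove it
        strings.append(token[1:-1])
        return '"#%d"' % (len(strings) - 1)

    return _TOKEN.sub(repl, text), strings


def audit_policy(text):
    """Return one (severity, scope, permission_class, arguments) tuple per
    permission line.

    severity is:
      'high'   AllPermission with neither codeBase nor signedBy (all code)
      'medium' AllPermission limited by codeBase and/or signedBy
      'review' any other permission granted to all code
      'ok'     any other permission limited by codeBase and/or signedBy
    """
    masked, strings = _mask(text)
    findings = []
    for header, body in _GRANT.findall(masked):
        scope = {key.lower(): strings[int(idx)]
                 for key, idx in _ATTR.findall(header)}
        for cls, args in _PERM.findall(body):
            arguments = [strings[int(i)] for i in re.findall(r'#(\d+)', args)]
            if cls == 'java.security.AllPermission':
                severity = 'medium' if scope else 'high'
            else:
                severity = 'ok' if scope else 'review'
            findings.append((severity, scope, cls, arguments))
    return findings


if __name__ == '__main__':
    for severity, scope, cls, arguments in audit_policy(SAMPLE_POLICY):
        where = ', '.join('%s=%s' % kv for kv in sorted(scope.items())) or 'ALL CODE'
        print('%-6s %-28s %s %s' % (severity, cls, where, arguments))
```

Run it against the file named by each policy.url.N line in java.security to see which entries apply to all code rather than to one site or signer.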
Marc,

I am posting it in the newsgroup to let other people know.

In the import statement  (you need 2 versions of the source code for IE and
Netscape)
// import com.ms.security.*;                 // IE version
import netscape.security.PrivilegeManager;   // netscape version
import java.applet.Applet;
import java.util.Enumeration;
import org.omg.CORBA.ORB;
import org.omg.CosNaming.NamingContextHelper;



In the connection statement  [Keep in mind that I can't move
PrivilegeManager.enablePrivilege("30Capabilities");
   to another routine or function or class]

public boolean init(Applet arg_applet)
 {
  boolean loc_bReturn = false;

  // ask for privilege
  try {
   // if Netscape
   int nBrowser = InfoMgr.getBrowserType();

   if (nBrowser == InfoMgr.NETSCAPE)
   {
    PrivilegeManager.enablePrivilege("30Capabilities");
   }
  } catch (Exception e) {
   System.err.println(
    "Get Privilege Exception:\n"
    + e.toString() );
   e.printStackTrace();
   return false;
  }

  try {
   // init ORB
   debugLogging("Creating Jaguar session.");

   java.util.Properties props = new java.util.Properties();
   ORB orb = ORB.init(arg_applet, props);

   // resolve the naming service through the ORB
   org.omg.CORBA.Object objRef = null;
   objRef = orb.resolve_initial_references("NameService");
   m_nc = NamingContextHelper.narrow(objRef);

   // call naming server
   if (init_server_connection())
   {
    // call get_queue to create queue
    if (get_queue())
    {
     loc_bReturn = true;
    }
   }

  } catch (org.omg.CORBA.UserException ue) {
   // Check for other CosNaming exceptions
   System.err.println("CORBA CosNaming Exception:\n"
    + ue.toString());
   ue.printStackTrace();
  } catch (org.omg.CORBA.INV_OBJREF ue) {
   System.err.println("Server not started Exception:\n"
    + ue.toString());
   ue.printStackTrace();
  } catch (org.omg.CORBA.COMM_FAILURE ue) {
   System.err.println(
    "Cannot reach server.  Server went down or communication failure.\n"
    + ue.toString());
   ue.printStackTrace();
  } catch (org.omg.CORBA.SystemException se) {
   // the more specific system exceptions are caught above
   System.err.println(
    "Received CORBA system exception "
    + "while instantiating component:\n"
    + se.toString());
   se.printStackTrace();
  }

  if (loc_bReturn)
  {
   m_bContinue = true;
  }

  return loc_bReturn;
 }


Also, whenever you need to talk (such as making a call) to Jaguar (on a
different host other than the original host), you need to call the privilege
enabling block first (see sample below)

 // give privilege
  try {
   // if Netscape
   int nBrowser = InfoMgr.getBrowserType();

   if (nBrowser == InfoMgr.NETSCAPE)
   {
    PrivilegeManager.enablePrivilege("30Capabilities");
   }
  } catch (Exception e) {
   System.err.println(
    "Get Privilege Exception:\n"
    + e.toString() );
   e.printStackTrace();
   return false;
  }

  // get a new queue and register the topics in vector
  try
  {
   m_is_queue = m_MsgService.getUniqueName (MESSAGE_QUEUE.value);
   debugLogging("QUEUE=====> " + m_is_queue);

   m_Queue = m_MsgService.getMessageQueue
    (m_is_queue, "", REQUIRES_ACKNOWLEDGE.value);

   Enumeration  loc_e = m_topic_vector.elements ();
   while ( loc_e.hasMoreElements ())
   {
    String loc_listen_topic = (String)loc_e.nextElement ();
    this.addTopic (loc_listen_topic, false);
   }

   loc_bReturn = true;
  }



I'm not sure this is proper handling but it works so far.  If there is any
better suggestion, please advise.

Regards,
Victor Chiu


Victor
8/9/2000 2:38:09 AM
Very interesting, thanks.  Where did you get the code:
m_is_queue = m_MsgService.getUniqueName() ?

Is this part of EAS messaging service?

Tim
8/9/2000 1:44:42 PM
You are correct.  We are implementing Message Service from EAS.  It is a pretty
good tool to use a call-back like mechanism in an Internet environment.  In EBF2,
there is documentation in newfeatures.pdf.

 Regards,
Victor



Tim Nesham <tim.nesham@born.com> wrote in message
news:SZw7ulgAAHA.203@forums.sybase.com...
> Very interesting, thanks.  Where did you get the code:
> m_is_queue = m_MsgService.getUniqueName() ?
>
> Is this part of EAS messaging service?
>
> "Victor Chiu" <chiuvictor@yahoo.com> wrote in message
> news:BAxiF0aAAHA.270@forums.sybase.com...
> > Marc,
> >
> > I post it in newsgroup to let other people know.
> >
> > In the import statment  (you need 2 versions for source codes for IE and
> > Netscape)
> > // import com.ms.security.*;
> > import netscape.security.PrivilegeManager;   // netscape version
> >
> >
> >
> > In the connection statment  [Keep in mind that I can't move
> > PrivilegeManager.enablePrivilege("30Capabilities");
> >    to other rountine or function or class]
> >
> > public boolean init(Applet arg_applet)
> >  {
> >   boolean loc_bReturn = false;
> >
> >   // ask for privilege
> >   try {
> >    // if Netscape
> >    int nBrowser = InfoMgr.getBrowserType();
> >
> >    if (nBrowser == InfoMgr.NETSCAPE)
> >    {
> >     PrivilegeManager.enablePrivilege("30Capabilities");
> >    }
> >   } catch (Exception e) {
> >    System.err.println(
> >     "Get Privilege Exception:\n"
> >     + e.toString() );
> >    e.printStackTrace();
> >    return false;
> >   }
> >
> >         try {
> >    // init ORB
> >             debugLogging("Creating Jaguar session.");
> >
> >    java.util.Properties props = new java.util.Properties
> >    ORB orb = ORB.init(arg_applet, props);
> >
> >
> >    org.omg.CORBA.Object objRef = null;
> >    objRef = orb.resolve_initial_references("NameService");
> >    m_nc = NamingContextHelper.narrow(objRef);
> >
> >    // call naming server
> >    if (init_server_connection())
> >    {
> >     // call get_queue to create queue
> >     if (get_queue())
> >     {
> >      loc_bReturn = true;
> >     }
> >    }
> >
> >         } catch (org.omg.CORBA.UserException ue) {
> >             // Check for other CosNaming exceptions
> >             System.err.println("CORBA CosNaming Exception:\n"
> >               + ue.toString());
> >             ue.printStackTrace();
> >   } catch ( org.omg.CORBA.INV_OBJREF ue )
> >
> >    System.err.println("Server not started Exception:\n"
> >               + ue.toString());
> >    ue.printStackTrace();
> >   } catch ( org.omg.CORBA.COMM_FAILURE ue )
> >
> >    System.err.println("Cannot reach server.  Server went down or
> > communication failure.\n"
> >               + ue.toString());
> >    ue.printStackTrace();
> >   } catch (org.omg.CORBA.SystemException se) {
> >    System.err.println(
> >     "Received CORBA system exception "
> >     +"while instantiating component:\n"
> >     + se.toString() );
> >    se.printStackTrace();
> >         }
> >
> >   if (loc_bReturn)
> >   {
> >    m_bContinue = true;
> >   }
> >
> >   return loc_bReturn;
> >  }
> >
> >
> > Also, whenever your need to talk (such as making a call) to Jaguar (in
> > different host other than the original host), you need to call the
> privilege
> > enabling block first (see sample below)
> >
> >  // give privilege
> >   try {
> >    // if Netscape
> >    int nBrowser = InfoMgr.getBrowserType();
> >
> >    if (nBrowser == InfoMgr.NETSCAPE)
> >    {
> >     PrivilegeManager.enablePrivilege("30Capabilities");
> >    }
> >   } catch (Exception e) {
> >    System.err.println(
> >     "Get Privilege Exception:\n"
> >     + e.toString() );
> >    e.printStackTrace();
> >    return false;
> >   }
> >
> >   // get a new queue and register the topics in vector
> >   try
> >   {
> >    m_is_queue = m_MsgService.getUniqueName (MESSAGE_QUEUE.value);
> >    debugLogging("QUEUE=====> " + m_is_queue);
> >
> >    m_Queue = m_MsgService.getMessageQueue
> >     (m_is_queue, "", REQUIRES_ACKNOWLEDGE.value);
> >
> >    Enumeration  loc_e = m_topic_vector.elements ();
> >    while ( loc_e.hasMoreElements ())
> >    {
> >     String loc_listen_topic = (String)loc_e.nextElement ();
> >     this.addTopic (loc_listen_topic, false);
> >    }
> >
> >    loc_bReturn = true;
> >   }
> >
> >
> >
> > I'm not sure this is proper handling but it works so far.  If there is any
> > better suggestion, please advise.
> >
> > Regards,
> > Victor Chiu
> >
> >
> > Victor Chiu <chiuvictor@yahoo.com> wrote in message
> > news:E3SeGhRAAHA.203@forums.sybase.com...
> > > Marc,
> > >
> > > We only encounter a problem in Netscape JVM (could be 1.1.5 to 1.1.8) that
> > > you have to explicitly call the privilege (we don't have a complete solution
> > > yet) right beside the iiop connect statement (you can't even write the call
> > > privilege at the beginning or in another method) and you can connect to a
> > > different host.
> > >
> > > However, in IE, once you call it privilege at the beginning of your applet,
> > > you can bypass sandbox restriction anywhere.
> > >
> > > We would like to know the proper handling as well.  Please suggest.
> > >
> > > Regards,
> > > Victor
> > >
> > > Marc Lennox <marc.lennox@mxi.com> wrote in message
> > > news:bB5E#QMAAHA.270@forums.sybase.com...
> > > > I don't buy that.  As I said in my first post, I have code that checks the
> > > > run-time permissions.  When the prompt comes up asking if I trust the
> > > > applet, I can either choose Yes, No or Always.  If I choose "No", I get the
> > > > security exception.  If I choose "Yes" or "Always", it passes the security
> > > > check, but the Jaguar connection still fails.
> > > >
> > > > The whole point of Object Signing is to allow seamless permission granting
> > > > to Applets.


0
Victor
8/10/2000 6:30:42 AM
I don't think that is true.  My signed applet is able to connect to any 
other TCP/IP server through Java's own network classes (java.net.*).  Only 
the Jaguar's InitialContext class doesn't work.  I suspect it has to do 
with the implementation of the Jaguar's InitialContext class.  Java has 
already reached version 1.3.  For those implementors of the Jaguar classes, 
please don't use old legacy code in your implementation and simply ask us, 
the users, to modify the java.policy file.  That solution is not 
acceptable!
0
User_of_PowerJ_and_J
2/7/2001 2:40:56 AM
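
For the java.policy route discussed in this thread, a grant can be scoped to the applet's signer and codebase instead of being given to all applets. This is an added example, not from any poster or from Sybase; the keystore path, signer alias, codebase URL, host and port are placeholders.

```conf
// Broad entry described in the thread: every applet from any origin,
// signed or not, receives every permission. Shown commented out.
// grant {
//     permission java.security.AllPermission;
// };

// Scoped alternative (all names below are placeholders).
// Keystore holding the certificate that JAR signatures are checked against.
keystore "file:/path/to/applet-trust.jks", "JKS";

// Applies only to code signed by this alias AND loaded from this codebase
// (a trailing "/-" matches the directory and everything below it).
grant signedBy "applet-signer", codeBase "https://applets.example.com/jaguar/-" {
    // Outbound connection to the Jaguar listener and nothing else.
    permission java.net.SocketPermission "jaguar.example.com:9000", "connect,resolve";
};
```

Any further permission the client library needs is added by name to the same grant block, so the grant stays limited to this signer and codebase.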