Dealing with Security Issues with Applets and JavaScript

This tech tip was originally a posting to the Imaging Experts blog site written by Alex Harm, Senior Software Engineer at Snowbound Software.

When dealing with JavaScript, applets and security issues, you must understand the Java Applet Sandbox. The sandbox refers to a set of security restrictions imposed on an applet. The three basic restrictions imposed by the sandbox are:

No access to the client's local file system
No network access to a remote system other than the applet's host machine
No access to the client's printer

To break out of the sandbox, a company can establish itself as a trusted vendor by purchasing a certificate from a company like VeriSign. Signing your applet with this certificate gives it the ability to read local files and connect to an arbitrary URL.

Since applets are meant to be embedded in web pages, it would be nice to have your web page interact with your applet. You can do this via JavaScript. Here is a basic example using one method, changeColor:

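    import java.applet.Applet;
    import java.awt.Color;

    public class ColorApplet extends Applet
    {
        // Public so that JavaScript in the hosting page can call it.
        public void changeColor(String color)
        {
            if (color.equals("red"))
            {
                setBackground(Color.red);
            }
            else if (color.equals("blue"))
            {
                setBackground(Color.blue);
            }
        }
    }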

Since there is no user interface to this applet (no controls), we need some form of external access into the changeColor method. Here is the HTML to call into the method:

Red

Blue

This allows the user to click on the “Red” and “Blue” links in the HTML page to change the background color accordingly.

A more useful applet could open up images from a file name or URL. JavaScript hyperlinks can be used to open different files and URLs in the applet. The following public method is an example:

    public void openFile(String filename)

This method opens a local file or URL and displays the image in the applet. This works fine with any file name or URL since our applet is signed. However, if you try to call this method from an HTML page with JavaScript, you will get the following error:

    java.security.AccessControlException: access denied (java.io.FilePermission C:\images\img1.tif read)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkWrite(Unknown Source)

This error is caused by an additional security layer that prevents JavaScript from calling into the sandbox-restricted methods, even if the applet is signed. To deal with the error, have the method that JavaScript calls only set some properties in the applet. Then, create a separate thread that is responsible for watching these fields for changes and calling the openFile method on behalf of the JavaScript. Here is an example using the method jsOpenFile:

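    // Written by jsOpenFile and read by the listener thread, so both fields
    // are volatile to make each write visible across threads.
    private volatile String gJavascriptFilename;
    private volatile boolean gJavascriptCalled = false;

    /**
     * Called from JavaScript. Only records the request.
     *
     * @param name file name or URL to open
     */
    public void jsOpenFile(String name)
    {
        gJavascriptFilename = name;
        gJavascriptCalled = true;
    }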

Here is an example that defines the listener thread in the init() method of an applet:

    Thread javascriptListener = new Thread()
    {
        public void run()
        {
            while (true)
            {
                // Open the requested file on this thread, not on the JavaScript call.
                if (gJavascriptCalled)
                {
                    gJavascriptCalled = false;
                    openFile(gJavascriptFilename);
                }
                try
                {
                    sleep(JAVA_SCRIPT_POLL_INTERVAL);
                }
                catch (Throwable t)
                {
                    t.printStackTrace();
                }
            }
        }
    };

    if (activateJavasciptThread)
    {
        javascriptListener.start();
    }
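
The listener thread runs with the signed applet's permissions, so whatever script on the hosting page calls jsOpenFile decides what openFile reads. The following is an added example, not code from the original post: a guard that queues requests from JavaScript and lets the listener open only names inside one folder or on one host. JsOpenFileGuard, allowedDir, allowedHost, nextPermitted and the sample values in main are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;

// Added example, hypothetical names: vets a name from page script before openFile().
public class JsOpenFileGuard {
    private final File allowedDir;     // assumption: the only folder the page may open
    private final String allowedHost;  // assumption: the applet's own host
    // Bounded queue replaces the flag/field pair: thread-safe, nothing overwritten.
    private final BlockingQueue<String> requests = new ArrayBlockingQueue<String>(16);

    public JsOpenFileGuard(File allowedDir, String allowedHost) throws IOException {
        this.allowedDir = allowedDir.getCanonicalFile();
        this.allowedHost = allowedHost;
    }

    public boolean jsOpenFile(String name) { // called from JavaScript: queues only
        return name != null && requests.offer(name);
    }

    // Run on the listener thread, which holds the signed applet's permissions.
    public boolean isAllowed(String name) {
        try {
            if (name.startsWith("http://") || name.startsWith("https://")) {
                return allowedHost.equalsIgnoreCase(new URI(name).getHost());
            }
            File f = new File(name).getCanonicalFile(); // resolves ".." before the check
            return f.getPath().startsWith(allowedDir.getPath() + File.separator);
        } catch (Exception e) {
            return false; // malformed input is refused, not opened
        }
    }

    // Listener loop body: blocks for the next request; null means "refused".
    public String nextPermitted() throws InterruptedException {
        String name = requests.take();
        return isAllowed(name) ? name : null;
    }

    public static void main(String[] args) throws Exception {
        JsOpenFileGuard g = new JsOpenFileGuard(new File("images"), "viewer.example.com"); // constructed
        g.jsOpenFile("images/img1.tif");
        g.jsOpenFile("images/../secret.txt");
        g.jsOpenFile("http://other.example.net/img1.tif");
        for (int i = 0; i < 3; i++) System.out.println(g.nextPermitted());
    }
}
```

In the applet, the listener thread would call nextPermitted() in place of polling the flag and pass only non-null results to openFile.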
