How can I get a signed Java Applet to perform privileged operations when called from unsigned Javascript? - Stack Overflow

Signed Java Applets have the same security clearance as a normal Java application running on the client. For a particular project, I need these permissions, and I need to perform privileged operations as a result of a JavaScript call.

Now, the problem is that, at least for Firefox 3 in Ubuntu (target browser and platform), when an applet method is invoked through unsigned JavaScript it loses its special permissions. As signing the JavaScript is not an option, I need a way to work around this restriction.

One way to achieve this is to create a thread when the applet starts, and call methods on that thread whenever the main thread receives the JavaScript calls. I have implemented a working prototype of that idea, but I have found it a bit clumsy, because it uses too much reflection and isn't as easily reusable as I would have wanted.

Is there a common, standard way of doing what I'm trying to do? And, if my idea is the right way to go, how would you go about implementing it in a reusable way? What I'm trying to achieve is a framework that allows this "running-methods-in-a-privileged-thread" thing to be used for a variety of objects. The ideal, utopic solution would be something like:

// when the applet starts-up
PrivilegedExecuter priv = new PrivilegedExecuter(myObject); //or MyClass.class
// ...
// inside a JavaScript-called method (myObject has myMethod)
priv.myMethod(); // myMethod is run synchronously in a privileged thread

asked Jun 17, 2009 at 12:25 by Pedro d'Aquino

2 Answers

Use the java.security.AccessController class.

There is a doPrivilegedAction and doPrivilegedExceptionAction that do exactly what you need.

For example:

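import java.security.AccessController;
import java.security.PrivilegedAction;

AccessController.doPrivileged(new PrivilegedAction<Object>() {
    public Object run() {
        // ... do something that only works with signed applets ...
        return null; // run() must return a value; null when there is no result
    }
});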

It's worth adding: make your privaction'd run() method as small and self-contained as possible. Obviously you could just have your signed applet's init() method call a privileged run() which in turn does the actual applet, but that's just begging to be abused, misused accidentally, or outright exploited.

Also, the fact that signed applets lose their special permissions when called by JavaScript is not specific to a particular browser or platform. That's just how it is, everywhere, all the time.
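
The advice in the answers above, as an added example that is not code from either answer: input coming from the page script is checked against a fixed allowlist before privileges are asserted, and only the single sensitive call sits inside doPrivileged. SystemInfoBridge, readProperty and ALLOWED are hypothetical names, and reading a system property stands in for the privileged operation; java.security.AccessController is deprecated for removal since Java 17, so this targets the older runtimes the question is about.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example: a JavaScript-callable entry point with a minimal privileged block.
// SystemInfoBridge, readProperty and ALLOWED are hypothetical names.
public class SystemInfoBridge {

    // Fixed allowlist: the untrusted caller can only choose among these keys.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("os.name", "os.version", "java.version")));

    // In an applet, this is the public method the page's JavaScript would invoke.
    public String readProperty(final String name) {
        // Validate untrusted input BEFORE asserting privileges.
        if (name == null || !ALLOWED.contains(name)) {
            throw new IllegalArgumentException("property not allowed: " + name);
        }
        // Only the one sensitive call runs with the applet's own permissions;
        // doPrivileged stops the permission check at this frame, so the
        // unsigned caller further up the stack is not consulted.
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(name);
            }
        });
    }

    // Stand-alone driver with constructed inputs, in place of a browser call.
    public static void main(String[] args) {
        SystemInfoBridge bridge = new SystemInfoBridge();
        System.out.println(bridge.readProperty("os.name"));
        try {
            bridge.readProperty("user.home"); // not on the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```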
