access denied (java.net.SocketPermission demo resolve)

[mydavor]

You'll recognise my ignorance about

http://www applications,

but I need urgent help.
The java program below connects to oracle and retrievs the data. Yet, same piece of code within an applet cannot connect to the same db. Instead it receives the access denied (java.net.SocketPermission demo resolve) when calling getConnection. Do I need TOMCAT or something running for an applet to be able to connect to a db ?

System.out.println("Loading the driver");
Class.forName("oracle.jdbc.driver.OracleDriver");

System.out.println("Getting the connection");
conn = DriverManager.getConnection("jdbcracle:thindemo:1521:demo", "vuser1", "vuser1");

System.out.println("Creating the statement");
st = conn.createStatement();

System.out.println("Executing the query to find out number of projects");
rs = st.executeQuery("SELECT COUNT(rownum) FROM tr_request");
rs.next();
count = rs.getInt(1);
System.out.println("Entries = " + count);

If I need Tomcat or I am missing something can you please describe it in detail. Thanks

 

[stefanwagner]

I guess this belongs to the applet-sandbox - problem.
You have to sign your applet and all that stuff.
I did such a thing only once and it's long ago so I don't remember the details.

 

[mydavor]

Is it really signing the issue ?
How can I sign an applet ?
This is only a demo version for a customer, is it possible to do it quickly ?
I seem not to have that signtool they mention on the www.

 

[sedj]

Yes, you need to sign the applet, and then give permissions on the client machine for access to external ports. It'll be a nightmare.

But if you really want to do it :

http://java.sun.com/products/plugin/1.3/docs/rsa_signing.html

 

[mydavor]

Please:

1. Does that mean that if I run applet on the same machine where the databse is, I would not need this signiture ?

2. How long does it take to get a signiture and use it ?

 

[sedj]

>>>> 1. Does that mean that if I run applet on the same machine where the databse is, I would not need this signiture ?

No, you still need to sign.

>>>> 2. How long does it take to get a signiture and use it ?

You can produce one yourself using the jarsigner tool - did you even read the link I gave earlier ???!!!

http://java.sun.com/products/plugin/1.3/docs/rsa_signing.html

 

[mydavor]

I certainly have read the link, but even after second reading, the following is bit misleading:
"Signing applets
Once we have the RSA certificates, the signing tool and the applet's JAR files, we are ready to sign the applets. "

I figured that even with jarsigner, the RSA certificate is needed beforehand. Again from the link looks that the RSA certificate has to be purchased.

Are you saying that purchased RSA certificate is not a must, but jar and then jarsigner will do everything needed for me as written in paragraphs: "Signing applets using jarsigner" and "Deploying RSA signed applets" ?

 

[stefanwagner]

(cite
What I do, is first create a policy file named "all.policy". The contents of this file are:

grant {  permission java.security.AllPermission;};

Then I create a batch file to launch my applet in the appletviewer using this policy:

appletviewer -J"-Djava.security.policy=all.policy" "AppletExample.html"

"AppletExample.html" is a third file that contains the <applet> tag for my applet I'm testing . (AppletViewer only parses the <applet> tag)
code for AppletExample.html:

<applet >   code="com.myPackage.MyApplet.class"</applet>

All three files are in the same folder, btw. You can put your classes wherever you want, just make sure the <applet> paramaters reference the code in the right location.
Then when you double-click the batch file, you will be viewing your applet in appletviewer with all permissions enabled.

[ found in javaranch, September 05, 2003: Message edited by: Rob Ross ]

 

[sedj]

Create a RSA cert using keytool :

http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

Also maybe helpful :

http://java.sun.com/docs/books/tutorial/jar/sign/signing.html

 

[mydavor]

Thanks for the tips, using appletviewer, my applet was able to connect to db and retrieve data. This happened as soon as I run keytool !?
keytool -genkey -alias aintengration -keypass aintegration[\i]

Later on I ran jar and jarsigner:
jar cvf A2V.jar A2V1.class HandleBut.class
jar tvf A2V.jar
C:\ai_api>jarsigner -verify -verbose -storepass aintegration -keypass aintegrati
on C:\ai_api\A2V.jar aintegration

199 Wed Apr 28 14:56:24 EST 2004 META-INF/MANIFEST.MF
252 Wed Apr 28 14:57:10 EST 2004 META-INF/AINTEGRA.SF
1041 Wed Apr 28 14:57:10 EST 2004 META-INF/AINTEGRA.DSA
0 Wed Apr 28 14:50:22 EST 2004 META-INF/
smk 11588 Wed Apr 28 14:30:54 EST 2004 A2V1.class
smk 1754 Wed Apr 28 14:30:54 EST 2004 HandleBut.class

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.[\i]

This is supposed to create aintegration.SF and aintegration.DSA, but I cannot find them on any drive.
What should I do to be able to run these applets on another box and via browser, copy any od these files together with Stefan's bat and html? And the Plug-in that verifies the applet signiture did not pop up ?? [\b].keystore is in my home dir.

 

[mydavor]

Can you please answer on this one, especially because another problem occured:
the applet is able to connect to the local db via jdbc, but not to remote db over LAN.
I tried running again keytool and jarsigner, but to no avail.
What is the difference in treating the local as opposed to remote db ?
Thanks

 

[stefanwagner]

It's quite normal if an applet may perform some issues on the system it came from.
But to perform some things on other machines is a security risc - therefore the handling of security isn't that laxly.

The machine where the db is running has to agree to be modified from an remote applet.

More details I don't know.

 

[sedj]

>>>> What is the difference in treating the local as opposed to remote db ?

Firewalls, IP problems in DNS, security policy, JVM version , you name it - you've got it.

I would seriously think about some other method of performing your task. Configuring applets to run out of the sandbox on client machines is just a nightmare that you do not want to enter, and if you ever deployed your applet to a live system you are heading into nightmare territory - your customer support will be inundated with issues such as "my JVM won't accept your applet", "my firewall won't let through external TCP scoket connections", "my PC doesn't have the JRE", "my JRE is windows 98 microsoft version - why won't it run your applet", "my browser doesn't accept applets, how do I configure it", "where do I get a JRE from", "what's a JRE", "my firewall won;t allow me to automatically install a JRE", "AND SO ON !!!!!".

You'll be entering a world of *****. Forget it. Out-of-sandbox applets are no-go in my opinion. If you must run machine code on a client machine, learn C++ and write an activeX control - at least it'll be easier to run than an applet.

 

[mydavor]

OK, back to square 1.

1. java application can access any db
2. appletviewer "myapplet.html" can access any db, after running keytool only

BUT

even with keytool and jarsigner successfully run and verified running myapplet.html from a browser (with Open..)
failed to connect to local or remote db.

Where is the problem ? Signing ? What if Java Applet is more acceptable solution then Java or C++.