Some context : Use a library of encryption and decryption of messages (not developed by me). The encryption/decryption must happen on the client and not on the server.
Solution : It was decided to use a non visual applet to make use of the library. The library uses a Bouncy Castle provided.
As soon as the Bouncy Castle provider is added you'll get an error message like this :
java.security.AccessControlException: access denied (java.security.SecurityPermission insertProvider.BC)
As you can read the applet can't make use of
Security.addProvider(new BouncyCastleProvider());
The developer has several possibilities.
1. Make use of a policy file
The computer where the applet is executed can decide to grant permissions to the applet Java using a file named .java.policy in the user home directory.
example :
grant {
permission java.security.SecurityPermission "insertProvider.*";
permission java.util.logging.LoggingPermission "control";
};
grant {
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "user.dir", "write";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
This will solve the problem but it is rather not convenient because you have to ask every user that uses the applet to copy the .java.policy file into his home directory and there are chances that your customer will not accept this solution.
2a. Signing the applet and run in unrestricted mode
If the applet is signed then the code will run unrestricted. Totally unrestricted ? You'll see. :-)
The procedure to sign the applet using a test certificate can be found here (a good example).
==>TestingWithRSA
As you can read into the title you have to sign using a RSA key.
keytool -genkey -keyalg RSA -keystore test_store -alias rsatest
But in the case of Bouncy Castle, it is NOT enough !
You have to embed your code into a special bloc of code.
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
// privileged code goes here, for example:
Security.addProvider(new BouncyCastleProvider());
return null; // nothing to return
}
});
This time it will be successful and you are in unrestricted mode.
Hope it helps.
-Rudy-
Pointers :
==>applet security basics
==>Can distribution of a .java.policy file be eliminated
==>How RSA Signed Applet Verification Works in Java Plug-in
==>How to Sign Applets Using RSA-Signed Certificates
==>Deploying RSA Signed Applets in Java Plug-in
==>How to Deploy RSA-Signed Applets in Java Plug-in
==>Signed applet getting access denied
==>How Can An Applet Read Files On The Local File System
==>Self Signed Applet Can it access Local File Systems