Signed Java Applets have the same security clearance as a normal Java application running on the client. For a particular project, I need these permissions, and I need to perform privileged operations as a result of a JavaScript call.
Now, the problem is that, at least for Firefox 3 in Ubuntu (target browser and platform), when an applet method is invoked through unsigned JavaScript it loses its special permissions. As signing the JavaScript is not an option, I need a way to work around this restriction.
One way to achieve this is to create a thread when the applet starts, and call methods on that thread whenever the main thread receives the JavaScript calls. I have implemented a working prototype of that idea, but I have found it a bit clumsy, because it uses too much reflection and isn't as easily reusable as I would have wanted.
Is there a common, standard way of doing what I'm trying to do? And, if my idea is the right way to go, how would you go about implementing it in a reusable way? What I'm trying to achieve is a framework that allows this "running-methods-in-a-privileg-thread" thing to be used for a variety of objects. The ideal, utopic solution would be something like:
// when the applet starts-up
PrivilegedExecuter priv = new PrivilegedExecuter(myObject); //or MyClass.class
// ...
// inside a JavaScript-called method (myObject has myMethod)
priv.myMethod(); // myMethod is run synchronously in a privileged thread
Use the java.security.AccessController class.
There is a doPrivilegedAction and doPrivilegedExceptionAction that do exactly what you need.
For example:
AccessController.doPrivileged(new PrivilegedAction() { public Object run() { .. do something that only works with signed applets .. } });
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With