Java applet can't open files under Safari 7 (Mac OS X 10.9)

Question

We have a web app that uses Java applet to manipulate files on local disk. We develop it for quite a while and we already know all types with issues an applet may have with modern OS'es and browsers and latest Java versions and new security restrictions.

Yesterday Apple rolled out its new Mac OS 10.9 Mavericks with new Safari browser (7.0). I tested our web app under Safari 7 / Mac OS X 10.9 just to find that Safari 7 (probably?) blocks access to local files from Java applet.

Although the applet (signed with valid Thawte certificate, and with all security requirements specific to Java 7u45 fulfilled) runs in unrestricted mode with full access to local file system (Java security prompt says that), on attempt to access the local file it catches fileNotFoundException:

java.io.FileNotFoundException: /Users/yury/Pictures/Paris 2012/L1050258.jpg (Operation not permitted)     at java.io.FileInputStream.open(Native Method)     at java.io.FileInputStream.<init>(FileInputStream.java:146)     at com.trackntag.a.v.a(Unknown Source) 

Also when opening Java file open dialog from the applet, it displays no files and the folders in the folder selector do not have any icons (normally they should have them). When you traverse back to the root folder, you can see top level folders (bin, cores, dev, home, and so on), but you cannot browse into them.

The applet does have an access to local files with latest Firefox 24 for Mac, on the same machine (Java 7u45, Mac OS X 10.9). Same with Safari 6 and Mac OS X 10.8.5, not to mention Linux and Windows machines in various configurations: no issues with accessing local files.

Having all of above, I must conclude that we have ran into the problem specific to Safari 7.

Do you have any ideas on this issue? Any thoughts are greatly appreciated.

Cheers, Yury

EDIT (Answer): In Safari 7 there is a new security setting: Safe/Unsafe mode (I think it's for Java plug-in only). You can allow Java plugin to work in Unsafe mode either for individual websites or for all sites. In Unsafe mode the applets will have unrestricted access to local file system.

It appears that this security setting works on top of Java's own security settings (restricted/unrestricted access).

This setting is available through Safari preferences / Security tab / Internet plugins: manage website settings (then select Java plugin).

So once I already answered my own original question, I would rather rephrase it: is that possible to set Unsafe mode or override Safe mode for specific web-site / URL without asking user to set this security preference? Maybe something like Apple developer certificate would help?

Thanks again!

Answer 1

I had a similar problem with another Java app today. I think you may need to add your app to the "Allow the apps below ..." list in this dialog (System Prefs -> Security & Privacy -> Accessibility):