Date: Fri, 09 Jan 1998 16:58:24 -0500
From: Guillaume Boissiere <boissier@media.mit.edu>
To: java-security@web1.javasoft.com, security-notes@netscape.com
Subject: Java code signing problem: Too much security?
I want to setup a Web page that would let people do nslookup
from a Java applet.
Obviously, in this case, my applet requires extended privileges
to connect to any machine on the Net. The particular Java method
that needs the privileges is I believe:
InetAddress.getByName(....);
I'm using Communicator 4.04 on NT with the JDK 1.1 upgrade, so I
decided to use the Netscape Capabilities classes. When the applet
inits, I use:
PrivilegeManager.enablePrivilege("UniversalConnect");
PrivilegeManager.enablePrivilege("UniversalListen");
to request these necessary extended capabilities.
To make the whole thing working, I signed my Java code with a
free signing certificate that I got from Entrust
(http://www.entrust.com/freecerts/index.htm) using Zigbert 0.60
and packaged it in a JAR file.
This whole thing worked without problem (checked the archive with
zigbert -v -w) so I put the JAR file on the Web page.
The applet is on the following Web page so feel free to test it:
http://boissier.www.media.mit.edu/people/boissier/java/signing/test.html
For some reason, the applet enables the privileges successfully
and everything starts fine, but then fails to perform the nslookup
as if all the Netscape Capability Classes were not doing their job ..
When I enter an IP address and press Enter, I get a "# Security
Exception: Cannot connect to .. from .."
Any idea of what is going on?
Cheers,
-- Guillaume
Source code of the applet
----------------------------------------
import java.awt.*;
import java.applet.Applet;
import java.net.InetAddress;
import java.net.UnknownHostException;
import netscape.security.PrivilegeManager;
public class HostResolution extends Applet {
/**
* Makes the conversion hostname --> IP
*/
void hostTextField_EnterHit(Event event)
{
String hostname = host_textField.getText();
try
{
search_label.setText("Searching the DNS and the Internet
...");
InetAddress address =
InetAddress.getByName(hostname);
StringBuffer ip = new StringBuffer("");
byte tab[] = address.getAddress();
for (int i = 0; i < tab.length; i++)
{
if (i > 0)
ip.append(".");
int unsignedByte = (tab[i] < 0) ? (tab[i] + 256) :
tab[i];
ip.append(Integer.toString(unsignedByte));
}
ip_textField.setText(new String(ip));
search_label.setText("");
}
catch (UnknownHostException e)
{
ip_textField.setText("???");
search_label.setText("");
}
}
/**
* Makes the conversion IP --> hostname
*/
void ipTextField_EnterHit(Event event)
{
String ip_address = ip_textField.getText();
try
{
search_label.setText("Searching the DNS and the Internet
...");
InetAddress ia = InetAddress.getByName(ip_address);
host_textField.setText(ia.getHostName());
search_label.setText("");
}
catch (UnknownHostException e)
{
host_textField.setText("???");
search_label.setText("");
}
}
public void init() {
// Get extended applet privileges from Netscape to create the
// network connection
try {
System.out.println("Requesting the right to create a connection
"+
"to any machine on the Internet");
PrivilegeManager.enablePrivilege("UniversalConnect");
System.out.println("Request accepted ...");
}
catch (netscape.security.ForbiddenTargetException fte) {
System.out.println("Request not accepted by Netscape...");
}
catch (Exception e) {
System.out.println("Request not accepted, unknown error");
}
try {
System.out.println("Requesting the right to accept a connection
"+
"from any machine on the Internet");
PrivilegeManager.enablePrivilege("UniversalListen");
System.out.println("Request accepted ...");
}
catch (netscape.security.ForbiddenTargetException fte) {
System.out.println("Request not accepted by Netscape...");
}
catch (Exception e) {
System.out.println("Request not accepted, unknown error");
}
//{{INIT_CONTROLS
super.init();
setLayout(null);
addNotify();
resize(407, 150);
setBackground(new Color(246, 219, 140));
ip_label = new Label("IP Address", 1);
ip_label.reshape(276, 60, 99, 24);
add(ip_label);
ip_textField = new TextField();
ip_textField.reshape(252, 84, 144, 24);
add(ip_textField);
host_label = new Label("Hostname", 1);
host_label.reshape(60, 60, 120, 21);
add(host_label);
host_textField = new TextField();
host_textField.reshape(12, 84, 216, 24);
add(host_textField);
title_label = new Label("Internet Address Resolution", 1);
title_label.reshape(12, 0, 385, 50);
title_label.setFont(new Font("TimesRoman", 3, 24));
add(title_label);
search_label = new Label("", 0);
search_label.reshape(12, 120, 300, 24);
search_label.setFont(new Font("System", 2, 14));
add(search_label);
//}}
}
public boolean handleEvent(Event event)
{
if (event.target == host_textField && event.id ==
Event.ACTION_EVENT)
{
hostTextField_EnterHit(event);
return true;
}
if (event.target == ip_textField && event.id ==
Event.ACTION_EVENT)
{
ipTextField_EnterHit(event);
return true;
}
return super.handleEvent(event);
}
//{{DECLARE_CONTROLS
java.awt.Label ip_label;
java.awt.TextField ip_textField;
java.awt.Label host_label;
java.awt.TextField host_textField;
java.awt.Label title_label;
java.awt.Label search_label;
//}}
----------------------------------------
Source code of the Web page
----------------------------------------
boissier@media.mit.edu