hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Httpclient 3.0.1 + applet Security
Date Tue, 04 Jul 2006 17:00:21 GMT
On Sun, 2006-07-02 at 00:39 -0600, Jeff Davis wrote:
> Hi,
> I'm attempting to utilize the httpclient library inside an applet to 
> handle Get and Post requests to sites that may be different from the 
> originating site.  Thus I need to use a signed jar to open up the 
> security to allow this, which I am utilizing a self cert to sign the 
> jar.   I have discovered there is a problem with commons.logging-1.1 
> inside a jar that fails the sandbox security regardless if it is signed 
> or not.   The post I read indicating rolling the logging jar back to 
> version 1.0.4 would resolve that one, which I have done, and it did 
> solve the initial problem.  Since that time I get the following 
> exception listed below whether I use a signed jar or not, and regardless 
> whether I sign the httpclient jar or not as well.  So my question has 
> several parts:

Hi Jeff,
I by no means qualify as an expert in applets, as I usually would not
touch applets with a two meter barge pole, but since no one else
responded I'll try my best.

> 1) Is it possible to utilize httpClient with proper certificates and 
> signing to operate inside an applet to access other sites?

HttpClient is known to have been used successfully in applets before

> 2) Is it ok to use HttpClient-3.0.1 with logging-1.0.4?

Yes, it is. HttpClient requires commons-logging 1.0.2 or above.

> 3) Which jars if any should be signed besides the application jar (i.e. 
> httpclient, codecs, and/or logging jars)?

I believe all jars must be signed

> 4) Is it possible to use a non authenticated self cert for jar signing 
> in this instance?

I believe so

> 5) Assuming this is actually possible, Can anyone shed some light on 
> fixing this for me?

You must explicitly grant HttpClient permissions to resolve DNS names
and connect to remote hosts. There should be an entry similar to this
one in the policy file of your application 

grant codeBase "file:${myapp_lib}/commons-httpclient.jar" {
    permission java.net.SocketPermission "*", "resolve";
    permission java.net.SocketPermission "localhost:*", "connect";
    permission java.net.SocketPermission "mytargethost:*", "connect";
};

Please refer to the java documentation for exact syntax and detailed

Hope this helps


> Thanks in advance!
> Jeff
> -------------------------------------
> Stack trace of a fail
> java.security.AccessControlException: access denied (java.net.SocketPermission www.XXXXXXX.com resolve)
>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>     at java.security.AccessController.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkConnect(Unknown Source)
>     at java.net.InetAddress.getAllByName0(Unknown Source)
>     at java.net.InetAddress.getAllByName0(Unknown Source)
>     at java.net.InetAddress.getAllByName(Unknown Source)
>     at java.net.InetAddress.getByName(Unknown Source)
>     at java.net.InetSocketAddress.<init>(Unknown Source)
>     at java.net.Socket.<init>(Unknown Source)
>     at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:79)
>     at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:121)
>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

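A narrower variant of the grant entry in the reply above, written as a complete Java policy file; it is an added illustration and not part of the original message. The jar name myapplet.jar, the signer alias "appsigner", the keystore file applet.keystore and ports 80/443 are assumptions, while ${myapp_lib}, commons-httpclient.jar and mytargethost are taken from the reply.

```java
// Java policy file (policy syntax, not Java source).
// Hypothetical names: myapplet.jar, alias "appsigner", applet.keystore.
// Ports 80 and 443 are assumed; use the ports the target really listens on.

// Keystore holding the (self-signed) certificate that signed the jars.
// Without a keystore entry, grants that use signedBy are ignored.
keystore "file:${myapp_lib}/applet.keystore";

// A permission check walks every protection domain on the call stack.
// The applet's own classes call HttpClient.executeMethod(), so they sit
// on the stack when the socket is opened and need the permission too.
grant signedBy "appsigner", codeBase "file:${myapp_lib}/myapplet.jar" {
    permission java.net.SocketPermission "mytargethost:80", "connect";
    permission java.net.SocketPermission "mytargethost:443", "connect";
};

// Same grant for the library that actually creates the socket.
grant signedBy "appsigner", codeBase "file:${myapp_lib}/commons-httpclient.jar" {
    // "connect" implies "resolve" for the named host, so DNS lookups of
    // mytargethost succeed without a separate "*", "resolve" entry.
    // Lookups of any other host name are still denied with the
    // AccessControlException shown in the stack trace.
    permission java.net.SocketPermission "mytargethost:80", "connect";
    permission java.net.SocketPermission "mytargethost:443", "connect";
};
```

Binding each grant to both signedBy and codeBase means a jar gets the socket permissions only if it sits at that location and carries that signer's signature.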