Nicholas, JMS server is a problem, there is no justification for some JMS vendors doing this. But in the past I saw the following message on this board.

"Actually the AccessControlException is a bit misleading. Our enterprise apps connect applets directly to the EJBs so I have some experience with this. This error usually occurs when the applet tries to access a class that is in a jar file it doesn't have access to. More specifically the stubs for the particular EJB that it's trying to access. What we have done is include these files in either the applet's jar itself, or in a separate jar file. This is pretty much the only way since to make them available for download from the server you would have to place them somewhere in the classpath of the server. This violates the EJB spec that says these files should only be available to the server through the EJB jar file. In fact, if you're using Weblogic 6.0, the server won't even deploy the EJB if any of its files are in the server classpath."

It's a pity I didn't record the name of the author. I would like to talk to him.

Anatole

>From: Nicholas <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Applet & JMS security
>Date: Wed, 27 Mar 2002 13:03:57 -0800
>
>I think Anatole expressed that his JMS server was
>running on the same host as the HTTP server that
>served the applet. Considering that the default
>security policy allows the applet to open a socket
>back to the originating server, it seems strange that
>he cannot do so without modifying the local policy
>file.
>
>Is it possible that the applet sees the host in terms
>of the IP address but the JMS client sees the host in
>terms of a host name (or vice-versa) and this is
>confusing the security classes?
>
>//Nicholas
>
>--- "Richard S.Martin" <[EMAIL PROTECTED]> wrote:
> > I'm talking about the policy on the client. It is this policy file that
> > dictates what the applet can and cannot do. One of the permissions it
> > grants or denies is the connecting to a socket. (It also allows the user
> > to grant permissions to access files and do other things as well)
> >
> > By default the applet (or anything which uses the policy) has very
> > restrictive permissions (for example, it can only connect back to the web
> > server that the classes were downloaded from). To allow an applet to do
> > things like open a socket to an arbitrary machine, the manager of the
> > policy (i.e. the user) must grant this permission in the policy file.
> >
> > Perhaps you should consider having a servlet provide a facade to your
> > ejbs. The applet can post to the servlet without any policy changes. The
> > servlet can then handle the request, perform any initial validation, and
> > access the ejbs.
> >
> > On Wednesday 27 March 2002 03:23 am, Anatole Kulick wrote:
> > > Hi Richard,
> > >
> > > >>The default policy file does not allow an applet to do much more than
> > > >>open a connection to the web server the class was downloaded from. If
> > > >>you need to do anything else (like open a connection to an EJB) then
> > > >>the client will have to change their policy. There is no way round
> > > >>this - If there were, it would defy the whole point of the policy
> > > >>which is to prevent untrusted code from doing anything potentially
> > > >>damaging.
> > >
> > > Which policy file are you talking about? On the server or on the client?
> > > I understand about server. But why do I have to change policy file on
> > > the client? Applet does not access any files on the client.
> > >
> > > >The next best thing would be to have an installer that the client can
> > > >download and run. This could update the policy file to whatever you
> > > >wanted.
> > >
> > > My client doesn't want any players on his machine. Otherwise I would use
> > > application+webstart.
> > >
> > > Thanks
> > > Anatole
> > >
> > > >From: "Richard S.Martin" <[EMAIL PROTECTED]>
> > > >To: "Anatole Kulick" <[EMAIL PROTECTED]>
> > > >Subject: Re: Applet & JMS security
> > > >Date: Tue, 26 Mar 2002 10:23:57 +0000
> > > >
> > > >The default policy file does not allow an applet to do much more than
> > > >open a connection to the web server the class was downloaded from. If
> > > >you need to do anything else (like open a connection to an EJB) then
> > > >the client will have to change their policy. There is no way round
> > > >this - If there were, it would defy the whole point of the policy which
> > > >is to prevent untrusted code from doing anything potentially damaging.
> > > >
> > > >The next best thing would be to have an installer that the client can
> > > >download and run. This could update the policy file to whatever you
> > > >wanted.
> > > >
> > > >On Saturday 23 March 2002 18:09 pm, you wrote:
> > > > > Hi all!
> > > > >
> > > > > I developed an applet which allows communications between clients
> > > > > using JMS in J2EE environment. Everything works fine, but to my
> > > > > surprise every client has to change his .java.policy file. Why? My
> > > > > applet is in a sandbox. Apparently JMS vendors are doing this and I
> > > > > tried several. How to avoid changing policy files on the client
> > > > > side? Any JMS experts here? I guess the same thing will happen when
> > > > > applet will call EJB. Thanks.
> > > > >
> > > > > Anatole
> > > > >
> > > > > ===========================================================================
> > > > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > > > of the message "signoff EJB-INTEREST". For general help, send email to
> > > > > [EMAIL PROTECTED] and include in the body of the message "help".
>
>=====
>Nicholas Whitehead
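
Added example, not part of the original thread: the kind of client-side `.java.policy` change the messages above discuss, with a blanket grant shown (commented out) beside one scoped to the applet's code base and a single JMS endpoint. The host name, address, port and path are constructed placeholders, and the address-form entry assumes the host name versus IP address mismatch Nicholas suggests.

```text
// ${user.home}/.java.policy
// Constructed example: apps.example.com, 192.0.2.10, port 7001 and the
// /chat/ path are placeholders, not values from the thread.

// Too broad: no codeBase, so classes from ANY origin get every permission.
// This removes the sandbox for every applet the user ever loads.
//
// grant {
//     permission java.security.AllPermission;
// };

// Scoped: applies only to code loaded from the applet's own code base
// (the trailing "/-" matches everything under /chat/, recursively) and
// allows only an outbound connection to the one JMS listener it needs.
grant codeBase "http://apps.example.com/chat/-" {

    // Name form of the JMS endpoint on the originating host.
    permission java.net.SocketPermission "apps.example.com:7001", "connect,resolve";

    // Assumption: the JMS client library opens its socket using the address
    // form while the applet was loaded by host name (or the reverse), so the
    // same endpoint is listed under its IP address as well.
    permission java.net.SocketPermission "192.0.2.10:7001", "connect,resolve";
};
```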
