I have an easy self-signed applet (done with keytool and jarsigner):
    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import javax.swing.JApplet;

    public class NetAppletLauncher extends JApplet {
        private static final long serialVersionUID = 1L;

        public void init() {
            exec("notepad c:/hello.txt");
        }

        public void exec(String command) {
            try {
                // launch EXE and grab stdin/stdout and stderr
                Process process = Runtime.getRuntime().exec(command);
                // OutputStream stdin = process.getOutputStream();
                InputStream stderr = process.getErrorStream();
                InputStream stdout = process.getInputStream();
                // "write" the parms into stdin
                // stdin.write(arguments.getBytes());
                // stdin.flush();
                // stdin.close();
                // clean up if any output in stdout
                String line = "";
                BufferedReader brCleanUp = new BufferedReader(new InputStreamReader(stdout));
                while ((line = brCleanUp.readLine()) != null) {
                    //System.out.println ("[Stdout] " + line);
                }
                brCleanUp.close();
                // clean up if any output in stderr
                brCleanUp = new BufferedReader(new InputStreamReader(stderr));
                while ((line = brCleanUp.readLine()) != null) {
                    //System.out.println ("[Stderr] " + line);
                }
                brCleanUp.close();
            } catch (Exception exception) {
                exception.printStackTrace();
            }
        }
    }
Basically, what it does is execute 'notepad c:/hello.txt'.

Then I embed the applet in HTML:

    <applet id='applet' name='applet' archive='NetAppletLauncher1.jar' code='src.NetAppletLauncher' width='100' height='100' MAYSCRIPT ></applet>

When I visit the page, the JRE starts and asks me if I want to start this applet and if I trust it. I press OK. Then notepad starts, as it should. No problem here.

But then I add this to the HTML page:

    <p class="link" onclick="document.applet.exec('calc');">remote desktop2</p>

Now when I press on this text, calc should start, right? But this gives me:

    java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
The Java 2 security model requires (roughly) that every frame on the stack must be granted a permission for the access control context (acc) to have that permission. JavaScript is on the stack and does not have file access permissions.
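
Because of the stack-inspection rule this answer describes, code reached from page script has to assert the signed applet's own permissions with `AccessController.doPrivileged`. The following is an added example, not code from the question or the answer: the class `PrivilegedLauncher`, its `launch` method and the allowlist are hypothetical. It lets the script choose only a key from a fixed list, since any script on the page can call an applet's public methods.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper (not from the original post): the applet's script-facing
// method would delegate to PrivilegedLauncher.launch(name).
public final class PrivilegedLauncher {

    // Fixed command lines keyed by a short name. The caller (page script) only
    // picks a key; it never supplies the command string itself.
    private static final Map<String, List<String>> ALLOWED;
    static {
        Map<String, List<String>> m = new HashMap<String, List<String>>();
        m.put("calc", Arrays.asList("calc"));
        m.put("notepad", Arrays.asList("notepad", "c:/hello.txt"));
        ALLOWED = Collections.unmodifiableMap(m);
    }

    public static Process launch(String name) throws IOException {
        final List<String> argv = ALLOWED.get(name);
        if (argv == null) {
            // Rejected before any privileged code runs.
            throw new IllegalArgumentException("command not allowed: " + name);
        }
        try {
            // doPrivileged stops the permission walk at this frame, so the
            // unprivileged JavaScript frame below it is not consulted; only
            // this (signed) code's protection domain has to hold the permission.
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Process>() {
                    public Process run() throws IOException {
                        // argv form avoids re-tokenizing a command string
                        return new ProcessBuilder(argv).start();
                    }
                });
        } catch (PrivilegedActionException e) {
            // The action declares only IOException as a checked exception.
            throw (IOException) e.getException();
        }
    }
}
```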