Reputation: 256841
I have a Java applet that is trying to read the http.strictPostRedirect System Property.
The code is not mine (it's Java's; so i cannot change it). But you can find the code online:
HttpURLConnection.java:
if (method.equals("POST") && !Boolean.getBoolean("http.strictPostRedirect") && (stat!=307))
{
    /* The HTTP/1.1 spec says that a redirect from a POST
     * *should not* be immediately turned into a GET, and
     * that some HTTP/1.0 clients incorrectly did this.
     * Correct behavior redirects a POST to another POST.
     * Unfortunately, since most browsers have this incorrect
     * behavior, the web works this way now. Typical usage
     * seems to be:
     *   POST a login code or passwd to a web page.
     *   after validation, the server redirects to another
     *   (welcome) page
     * The second request is (erroneously) expected to be GET
     *
     * We will do the incorrect thing (POST-->GET) by default.
     * We will provide the capability to do the "right" thing
     * (POST-->POST) by a system property, "http.strictPostRedirect=true"
     */
    ...
}
The basic failure comes from calling:
Boolean.getBoolean("http.strictPostRedirect")
Which has caused a lot of people grief. Apparently i'm not allowed to read the http.strictPostRedirect System Property. Trying to read it throws an AccessControlException:
java.security.AccessControlException: access denied (java.util.PropertyPermission http.strictPostRedirect read)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at java.lang.Boolean.getBoolean(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)
So, if i don't have read permission to a System Property:
How do i get read permission to a system property?
There obviously must be a setting that gives me permission to read a system property, otherwise Sun wouldn't have code that transparently tries to access it.
Is it a machine world-wide setting? Is it a domain-wide setting? Is it a machine-wide setting? Is it a per-user setting? Is it a per-applet setting? Is it a per-invocation setting? Is it a setting tied to a particular version of the Java Runtime Engine?
tl;dr: How make not crash?
Java does have a list of system properties that an applet cannot read:
- java.class.path
- java.home
- user.dir
- user.home
- user.name
My system property, http.strictPostRedirect, is not on that list. So why can't i read it?
Upvotes: 2
Views: 13831
Reputation: 168835
The 'fix' here is to digitally sign the applet, then convince the user to OK the code when prompted.
Java does have a list of system properties that an applet cannot read:
- java.class.path
- java.home
- user.dir
- user.home
- user.name
My system property, http.strictPostRedirect, is not on that list. So why can't i read it?
That is the 'short list' of properties that a sand-boxed app. cannot read. There are also many more. E.G. nothing under user is permitted (1). Just consider those to be 'typical'.

(1) user properties in a sand-boxed app.

Name            Value
user.country    unknown
user.dir        unknown
user.home       unknown
user.language   unknown
user.name       unknown
user.timezone   unknown
user.variant    unknown
There obviously must be a setting that gives me permission to read a system property, otherwise Sun wouldn't have code that transparently tries to access it.
True. See the fix above.
Upvotes: 1
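
The exchange above turns on the sandbox being an allow-list rather than a deny-list. The following is an added example, not code from either poster or from the JDK: it models the check that `SecurityManager.checkPropertyAccess` performs in the stack trace by asking a `PermissionCollection` whether a `PropertyPermission` read is implied. The class name, the `SANDBOX_READABLE` subset, and the modeling of a signed and accepted applet as `AllPermission` are assumptions made for illustration.

```java
import java.security.AllPermission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

public class SandboxPropertyCheck {
    // Assumed, illustrative subset of the properties untrusted code is allowed to read.
    static final String[] SANDBOX_READABLE = {
        "java.version", "java.vendor", "os.name", "os.arch", "os.version",
        "file.separator", "path.separator", "line.separator"
    };

    /** Permissions modeled for an unsigned applet: explicit read grants only. */
    static PermissionCollection sandboxPermissions() {
        Permissions perms = new Permissions();
        for (String name : SANDBOX_READABLE) {
            perms.add(new PropertyPermission(name, "read"));
        }
        return perms;
    }

    /** Permissions modeled for a signed applet the user has accepted (assumption). */
    static PermissionCollection trustedPermissions() {
        Permissions perms = new Permissions();
        perms.add(new AllPermission());
        return perms;
    }

    /** True only if some grant in the collection implies a read of this property. */
    static boolean canRead(PermissionCollection granted, String property) {
        return granted.implies(new PropertyPermission(property, "read"));
    }

    public static void main(String[] args) {
        // One granted property, one from the 'short list', and the one from the question.
        String[] probes = { "os.name", "user.name", "http.strictPostRedirect" };
        PermissionCollection sandbox = sandboxPermissions();
        PermissionCollection trusted = trustedPermissions();
        for (String p : probes) {
            System.out.printf("%-26s sandbox=%-5b trusted=%b%n",
                    p, canRead(sandbox, p), canRead(trusted, p));
        }
    }
}
```

Any property without an explicit grant is refused, whether or not it appears on a published list of unreadable properties.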