Re: [U2] UniObjects security in an applet
Wendy,

The applet was trying to connect to localhost (thanks John H.). I changed the settings there and now I'm talking to my proxy. I now have a problem with my Proxy configuration. I am getting an exception on applets and java applications alike.

    asjava.uniobjects.UniSessionException: The RPC failed

Here is an entry from my uniproxy log:

    06.06.15-21.35.42-C1539168Error: addConnection() The requested item does NOT exist.

My uniproxy.config. This is an adaptation from Ch.3 of UOJ dev. Guide.

    PROXY_PORT=31448
    ADMIN_PORT=31458
    ADMIN_ACCESS_TOKEN=password1
    BUFFER_SIZE=4096
    DEBUG_LEVEL=0
    MAX_CONNECTIONS=75
    MAX_MULTIPLEXED_SERVERS=12
    NAME_LOG=testLog
    PATH_LOG=/opt/udproxy/
    NETWORK_TIMEOUT=12
    ACCESS_TOKEN=password2
    ACCESS_TOKEN_SERVER=localhost
    ACCESS_TOKEN_SERVER=localhosts_real_name
    ACCESS_TOKEN_SERVER=client1
    ACCESS_TOKEN_SERVER=client2.workgroup.domain.com
    ACCESS_SERVER=my_ud_server

I've tried reducing everything down to just an ACCESS_TOKEN but that gets the same results. The documentation states that any client providing the access token should be authorized for any server if there is only an access_token defined.

On Fri, 2006-06-16 at 05:45 +0200, Wendy Smoak wrote:
> Same machine as what? An (unsigned) applet can only connect back to the server from which it was loaded. If you have a separate web server and database server, the proxy needs to be running on the web server.

---
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
Re: [U2] UniObjects security in an applet
Adrian Merrall wrote:
> Now you mention it. IIRC there was a change regarding zip files. The contents of zip files are no longer automatically added to the classpath, only jars. An easy fix is to rename asjava.zip to asjava.jar. I know this is the case for the tomcat class-loader, but I don't know if this is a tomcat thing or a jvm thing.

It might be an IBM JRE vs. Sun JRE issue. We're using IBM's JRE with Websphere, and it doesn't care if the files have a .zip extension. I think where I might have run into the problem before was with the JRun appserver, which uses Sun's JRE.

-John

--
John Hester
System Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com
Re: [U2] UniObjects security in an applet
Almost there ...

The proxy server is running now that I'm using a jar instead of zip. I am, however, still getting the

    java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:31448 connect,resolve)

from the IE and firefox browsers on client Win/Lin PC's.

Running firefox on the server however I get another error message.

    asjava.uniobjects.UniSessionException: The RPC failed
        at asjava.uniobjects.UniSession.connect(UniSession.java)

This machine is the apache web server and uni proxy.

So, it seems that the browser still won't even touch the proxy unless it is on the same machine and then I still have problems with the proxy not connecting to the UniData server. Incidentally I cannot connect a regular Java app through the proxy. I get the same RPC message.

Any ideas?

Thanks,
Jeff

On Thu, 2006-06-15 at 17:14 +1200, Adrian Merrall wrote:
> John,
>
> > This is a long shot, but you might try unzipping the asjava_p and asjava files and putting the paths to the resulting directory hierarchies in your classpath. Seems like I ran into some oddball issue many years ago, and that fixed it.
>
> Now you mention it. IIRC there was a change regarding zip files. The contents of zip files are no longer automatically added to the classpath, only jars. An easy fix is to rename asjava.zip to asjava.jar. I know this is the case for the tomcat class-loader, but I don't know if this is a tomcat thing or a jvm thing.
>
> Regards,
> Adrian
Re: [U2] UniObjects security in an applet
Jeff Powell wrote:
> The proxy server is running now that I'm using a jar instead of zip. I am, however, still getting the java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:31448 connect,resolve) from the IE and firefox browsers on client Win/Lin PC's.

Looks like the applet is attempting to connect to port 31448 on the client PC rather than the server. That will cause a security error since it can't step outside the sandbox. Try replacing localhost with the name or external IP address of your server, I'm guessing in the uniproxy.config file.

> Running firefox on the server however I get another error message.
>
>     asjava.uniobjects.UniSessionException: The RPC failed
>         at asjava.uniobjects.UniSession.connect(UniSession.java)

Not sure about this one, but maybe a result of the server name issue.

-John

--
John Hester
System Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com
Re: [U2] UniObjects security in an applet
On 6/14/06, Adrian Merrall [EMAIL PROTECTED] wrote:
> Now you mention it. IIRC there was a change regarding zip files. The contents of zip files are no longer automatically added to the classpath, only jars. An easy fix is to rename asjava.zip to asjava.jar. I know this is the case for the tomcat class-loader, but I don't know if this is a tomcat thing or a jvm thing.

That's a Tomcat (or possibly Servlet Specification) thing.

The JVM thing is that you have to specify the jar (or zip) filename on the classpath. You can't just say -cp /path/to/lib (where lib contains some jars) and have them automatically picked up.

Conversely, if you have class files loose in a hierarchy, you need only put the top level directory on the classpath. That's why people will often extract the files from a jar and then discover that it works. :)

--
Wendy
Re: [U2] UniObjects security in an applet
On 6/15/06, Jeff Powell [EMAIL PROTECTED] wrote:
> So, it seems that the browser still won't even touch the proxy unless it is on the same machine

Same machine as what? An (unsigned) applet can only connect back to the server from which it was loaded. If you have a separate web server and database server, the proxy needs to be running on the web server.

> and then I still have problems with the proxy not connecting to the UniData server. Incidentally I cannot connect a regular Java app through the proxy. I get the same RPC message.

Could there be a firewall preventing access?

--
Wendy
Re: [U2] UniObjects security in an applet
Thanks everyone. This is my first applet so I'm in a steep learning curve. My applet is now signed but now I'm having trouble with starting the proxy server on my Linux boxes (FC5 RHEL ES4). Any suggestions?

Thanks,
Jeff

Here is my java command

    java -cp ./asjava_p.zip:./asjava.zip:/usr/lib/jvm/java/jre asjava.uniproxy.UniProxyAdminClient -config=/opt/udproxy/uniproxy.config -command=start -access_token=myPasswd
    Starting proxy server...
    Proxy server started.
    [EMAIL PROTECTED] udproxy]#

It returns control to bash and it does not show up in the process table (ps -ef | grep -in java). It also does not respond to connection requests.

    [EMAIL PROTECTED] udproxy]# java -cp ./asjava_p.zip:./asjava.zip:/usr/lib/jvm/java/jre asjava.uniproxy.UniProxyAdminClient -config=/opt/udproxy/uniproxy.config -command=status -access_token=myPasswd
    Error: Invalid combination of -port, -config and -command.
    Usage:
    UniProxyAdminClient -config=configPath -command=start [-access_token=xx]
    UniProxyAdminClient -port=x -command=xx [-server=xx] [-access_token=xx]
    UniProxyAdminClient -help
    Currently supported commands are: start, suspend, restart, shutdown, shutdown:fast, reconfigure, status
    [EMAIL PROTECTED] udproxy]# java -cp ./asjava_p.zip:./asjava.zip:/usr/lib/jvm/java/jre asjava.uniproxy.UniProxyAdminClient -port=31458 -command=status -access_token=myPasswd
    Connecting to proxy admin server.
    java.net.ConnectException: Connection refused
    [EMAIL PROTECTED] udproxy]# java -cp ./asjava_p.zip:./asjava.zip:/usr/lib/jvm/java/jre asjava.uniproxy.UniProxyAdminClient -port=31448 -command=status -access_token=myPasswd
    Connecting to proxy admin server.
    java.net.ConnectException: Connection refused

uniproxy.config

    PROXY_PORT=31448
    ADMIN_PORT=31458
    ADMIN_ACCESS_TOKEN=myPasswd
    BUFFER_SIZE=4096
    DEBUG_LEVEL=0
    MAX_CONNECTIONS=75
    MAX_MULTIPLEXED_SERVERS=12
    NAME_LOG=testLog
    PATH_LOG=/opt/udproxy/
    NETWORK_TIMEOUT=12
    ACCESS_TOKEN=myPasswd
    ACCESS_TOKEN_SERVER=localhost
    ACCESS_SERVER=localhost
    ACCESS_SERVER=myUdServer

contents of /opt/udproxy

    -rw-r--r-- 1 jpowell jpowell 32805 Nov 13 2002 asjava_p.zip
    -rw-r--r-- 1 jpowell jpowell 93237 Nov 13 2002 asjava.zip
    -rw-r--r-- 1 root root 298 Jun 14 10:48 uniproxy.config

On Tue, 2006-06-13 at 17:20 -0700, John Hester wrote:
> An applet is a little bit of a different animal because it can't get out of the java VM sandbox on the client machine. The applet's only allowed to connect back to the server that served it up, which is a problem if the UV server you need data from is not the same box as your web server. You don't have this issue with server-side java since its code never leaves home. As for VB, well, let's just say its architects prioritized convenience over security.
>
> -John
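An added example, not part of any message in this thread: a shell lint for the uniproxy.config and directory listing shown above. It flags an admin token reused as the client token, an access token with no ACCESS_TOKEN_SERVER entries (which, per the documentation as described earlier in the thread, is accepted for any server), and a config file readable by all local users. The function names and finding labels are hypothetical, and the sample file is constructed from the values in the post.

```shell
#!/bin/sh
# Added example (not from the thread): lint a uniproxy.config for the
# token-handling issues visible in the configuration and listing above.

# Print every value of KEY in a KEY=VALUE file, one per line.
cfg_values() {  # usage: cfg_values FILE KEY
    sed -n "s/^$2=//p" "$1"
}

# Print one finding per line; print nothing when no check fires.
lint_uniproxy_config() {  # usage: lint_uniproxy_config FILE
    file=$1
    admin=$(cfg_values "$file" ADMIN_ACCESS_TOKEN | head -n 1)
    access=$(cfg_values "$file" ACCESS_TOKEN)
    scoped=$(cfg_values "$file" ACCESS_TOKEN_SERVER)

    # One secret for both roles: anyone holding the client token also
    # holds the admin token.
    if [ -n "$admin" ] && printf '%s\n' "$access" | grep -Fxq -- "$admin"; then
        echo "SHARED_TOKEN: ADMIN_ACCESS_TOKEN is reused as ACCESS_TOKEN"
    fi

    # Per the documentation as described in the thread: with only an
    # ACCESS_TOKEN defined, the token is accepted for any server.
    if [ -n "$access" ] && [ -z "$scoped" ]; then
        echo "UNSCOPED_TOKEN: ACCESS_TOKEN has no ACCESS_TOKEN_SERVER entries"
    fi

    # Tokens are stored in clear text, so "other" should not have read
    # access (character 8 of the ls mode string is the other-read bit).
    case $(ls -ld "$file" | cut -c8) in
        r) echo "WORLD_READABLE: $file is readable by every local user" ;;
    esac
}

# Constructed sample modelled on the second config in the thread.
write_sample_config() {  # usage: write_sample_config FILE
    cat > "$1" <<'EOF'
PROXY_PORT=31448
ADMIN_PORT=31458
ADMIN_ACCESS_TOKEN=myPasswd
ACCESS_TOKEN=myPasswd
ACCESS_TOKEN_SERVER=localhost
ACCESS_SERVER=myUdServer
EOF
    chmod 644 "$1"   # same mode as the -rw-r--r-- listing
}

demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
lint_uniproxy_config "$demo_cfg"
rm -f "$demo_cfg"
```

The `-access_token=` argument in the commands above is a separate exposure the lint does not cover: command-line arguments are visible in the process list while the client runs.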
Re: [U2] UniObjects security in an applet
Jeff Powell wrote:
> Here is my java command
>
>     java -cp ./asjava_p.zip:./asjava.zip:/usr/lib/jvm/java/jre asjava.uniproxy.UniProxyAdminClient -config=/opt/udproxy/uniproxy.config -command=start -access_token=myPasswd
>     Starting proxy server...
>     Proxy server started.
>     [EMAIL PROTECTED] udproxy]#
>
> It returns control to bash and it does not show up in the process table (ps -ef | grep -in java). It also does not respond to connection requests.

This is uncharted territory for me since I've only used UOJ with servlets, but you might try:

    netstat -a | grep '314[45]8'

to see if the service is actually listening on those ports. If nothing shows up, see if the ports are defined in /etc/services and grep for the name instead. If you do find that the service is listening, you can use:

    fuser 31448/tcp
    fuser 31458/tcp

to determine the specific process that's listening on those ports. If you determine that the proxy server is running like it's supposed to, maybe there's something else interfering with your connection (like a software firewall). You could also:

    telnet localhost 31448
    telnet localhost 31458

to see if you can at least establish a connection.

-John

--
John Hester
System Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com
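An added example, not part of the message above: the listener check scripted so that the ports come from uniproxy.config and only the Local Address column of LISTEN rows is compared, which a plain grep on the port number does not guarantee. The function names are hypothetical, and the netstat output and config are constructed samples using the two port numbers from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the ports named in
# uniproxy.config have TCP listeners, using `netstat -an` style output.

# Print the first value of KEY in a KEY=VALUE file.
cfg_get() {  # usage: cfg_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed if PORT has a TCP listener in the netstat output on stdin.
# Only the Local Address column of LISTEN rows is compared, so a port
# that appears as a remote port or inside a longer number is ignored.
is_listening() {  # usage: netstat -an | is_listening PORT
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, /[:.]/)   # 0.0.0.0:31448, :::31448, *.31448
            if (part[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print "KEY=PORT LISTEN" or "KEY=PORT DOWN" for both proxy ports.
check_proxy_ports() {  # usage: netstat -an | check_proxy_ports CONFIG
    snapshot=$(cat)
    for key in PROXY_PORT ADMIN_PORT; do
        port=$(cfg_get "$1" "$key")
        if printf '%s\n' "$snapshot" | is_listening "$port"; then
            echo "$key=$port LISTEN"
        else
            echo "$key=$port DOWN"
        fi
    done
}

# Constructed netstat output: the proxy port is listening, while 31458
# shows up only as the remote port of an unrelated connection.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:31448     0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:45112    10.0.0.9:31458    ESTABLISHED
tcp        0      0 127.0.0.1:631     0.0.0.0:*         LISTEN
EOF
}

# Constructed config holding the two port settings from the thread.
demo_cfg=$(mktemp)
printf 'PROXY_PORT=31448\nADMIN_PORT=31458\n' > "$demo_cfg"
sample_netstat | check_proxy_ports "$demo_cfg"
rm -f "$demo_cfg"
```

On a live host the same check is `netstat -an | check_proxy_ports /opt/udproxy/uniproxy.config`.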
Re: [U2] UniObjects security in an applet
Definitely nobody home there. I'm pretty sure that uniproxy is bombing out. It does not give any helpful information or even a log.

Thanks,
Jeff

On Wed, 2006-06-14 at 13:04 -0700, John Hester wrote:
> Jeff Powell wrote:
> > Here is my java command
> >
> >     java -cp ./asjava_p.zip:./asjava.zip:/usr/lib/jvm/java/jre asjava.uniproxy.UniProxyAdminClient -config=/opt/udproxy/uniproxy.config -command=start -access_token=myPasswd
> >     Starting proxy server...
> >     Proxy server started.
> >     [EMAIL PROTECTED] udproxy]#
> >
> > It returns control to bash and it does not show up in the process table (ps -ef | grep -in java). It also does not respond to connection requests.
>
> This is uncharted territory for me since I've only used UOJ with servlets, but you might try:
>
>     netstat -a | grep '314[45]8'
>
> to see if the service is actually listening on those ports. If nothing shows up, see if the ports are defined in /etc/services and grep for the name instead. If you do find that the service is listening, you can use:
>
>     fuser 31448/tcp
>     fuser 31458/tcp
>
> to determine the specific process that's listening on those ports. If you determine that the proxy server is running like it's supposed to, maybe there's something else interfering with your connection (like a software firewall). You could also:
>
>     telnet localhost 31448
>     telnet localhost 31458
>
> to see if you can at least establish a connection.
>
> -John
Re: [U2] UniObjects security in an applet
Jeff Powell wrote:
> Definitely nobody home there. I'm pretty sure that uniproxy is bombing out. It does not give any helpful information or even a log.

This is a long shot, but you might try unzipping the asjava_p and asjava files and putting the paths to the resulting directory hierarchies in your classpath. Seems like I ran into some oddball issue many years ago, and that fixed it.

-John

--
John Hester
System Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com
Re: [U2] UniObjects security in an applet
John,

> This is a long shot, but you might try unzipping the asjava_p and asjava files and putting the paths to the resulting directory hierarchies in your classpath. Seems like I ran into some oddball issue many years ago, and that fixed it.

Now you mention it. IIRC there was a change regarding zip files. The contents of zip files are no longer automatically added to the classpath, only jars. An easy fix is to rename asjava.zip to asjava.jar. I know this is the case for the tomcat class-loader, but I don't know if this is a tomcat thing or a jvm thing.

Regards,
Adrian
[U2] UniObjects security in an applet
Has anyone implemented UniObjects in an Applet? I am getting a java.security.AccessControlException when I attempt to connect. Can someone tell me what I need to do to set the permissions? IE and Firefox both have issues.

Thanks,
Jeff
Re: [U2] UniObjects security in an applet
Jeff Powell wrote:
> Has anyone implemented UniObjects in an Applet? I am getting a java.security.AccessControlException when I attempt to connect. Can someone tell me what I need to do to set the permissions? IE and Firefox both have issues.

I've only used UOJ with servlets, but I believe with an applet you may need to use the UOJ proxy server to get around the security restrictions. The proxy server handles all communications between applet and server. See chapter 3 of the UOJ developers manual.

-John

--
John Hester
System Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com
Re: [U2] UniObjects security in an applet
My servlets, java and VB apps run fine without any proxy server. For example the same Windows client PC will run a VB program but not an applet in IE6. (scratch, scratch)

Thanks,
Jeff

On Tue, 2006-06-13 at 13:46 -0700, John Hester wrote:
> I've only used UOJ with servlets, but I believe with an applet you may need to use the UOJ proxy server to get around the security restrictions. The proxy server handles all communications between applet and server. See chapter 3 of the UOJ developers manual.
>
> -John
Re: [U2] UniObjects security in an applet
Jeff,

> My servlets, java and VB apps run fine without any proxy server. For example the same Windows client PC will run a VB program but not an applet in IE6. (scratch, scratch)

Which server is your U2 database running on? From your post I'm guessing it is a different server to the one you are using to serve the applet.

As John mentioned, you may need to use the proxy server. I'm a bit rough on this but you were getting an AccessControlException. Applets are special and run inside a sandbox preventing access to the local disk and AFAIK preventing access to any other server apart from the one that served them.

If your U2 server is on a separate box, you need the proxy server. Your applet UOJ code talks to the proxy server running on your webserver and this then connects to your u2 server. If your UOJ connection object is attempting to access a different server this would cause the security exception. The stack trace may give you more information and there is a good explanation here ( http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html)

You don't have this problem with servlets because the code is on your server, not the client and runs as a regular java application, not an applet and is therefore implicitly trusted. You also wouldn't have it with any other java app because it is not running inside the applet sandbox and is also implicitly trusted.

I'm out on a limb here but I think you can get around this by digitally signing your applets but I have no idea what is involved in doing this. The above link seems to cover this.

Plan b would be to look at re-architecting. Instead of the applet making the uoj connection, the applet makes a normal url get/post to your server which has a servlet do the uoj stuff. That way you can implement connection pooling etc and don't have to worry about the uoj proxy although you are effectively making your own. This could also cut down on your applet size because it doesn't need the UOJ library. It would be easier to use https to encrypt the traffic between the applet and the server this way.

HTH

Adrian

PS Just scanned the above article prior to sending - according to it the u2 server would only need to be in the same domain, not necessarily be the same server. However you would still need to proxy to get through your firewall assuming you don't want your u2 server on the internet.
Re: [U2] UniObjects security in an applet
Jeff Powell wrote:
> My servlets, java and VB apps run fine without any proxy server. For example the same Windows client PC will run a VB program but not an applet in IE6. (scratch, scratch)

An applet is a little bit of a different animal because it can't get out of the java VM sandbox on the client machine. The applet's only allowed to connect back to the server that served it up, which is a problem if the UV server you need data from is not the same box as your web server. You don't have this issue with server-side java since its code never leaves home. As for VB, well, let's just say its architects prioritized convenience over security.

-John

--
John Hester
System Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com