My Photo

Subscribe to this blog's feed

How to Subscribe

About

Categories

Recent Posts

Recent Comments

Archives

JAVA BLOGROLL

BLOGS & BLOGROLLS

Powered by TypePad

« September 2006 | Main | November 2006 »

October 27, 2006

Tell Us What You Need – We're Listening!

As a customer driven organization, we are always trying to learn from our customers what they need, as well as anticipate their future needs. Many of our most loyal customers joined us because we solved a problem for them. However, many of you are too busy dealing with your immediate issues to give us a sense of what you are going to need coming up. So I thought I’d try a new tactic this month. Contact me at pres(at)snowbound(dot)com and tell me what you need or what you’d like to see us develop.

As a prompt, here are some categories:

Our products already live on Windows, any Java platform and most Unix systems. Do you need our RasterMaster Libraries or FlexSnap Document View/Review Systems on other platforms?

We support more than 100 image and document formats, including the very popular PDF, Word, Excel, Powerpoint and AFP formats. Are we doing enough? Do you need us to provide more formats?

What about enhanced features in our Libraries, our SnowBatch converter or our FlexSnap Document Review System? There are never enough features in applications for some people – others complain the product gets too complicated. But application features make your people efficient and we have ways to configure our products to keep them simple but powerful. We listen – what do you need?

-Simon

Posted by on October 27, 2006 at 11:31 AM in President's Corner | | Comments (0) | TrackBack (0)

October 13, 2006

JavaScripting in Applets - Getting Out of the Sandbox

I'd like to describe a recent discovery with regards to using JavaScript with Applets, and running into security problems. First, I'll give an overview of "The Applet Sandbox", and using JavaScript to call into an Applet.

The Sandbox

When developers are introduced to Java Applet technology, one of the first things they learn about is the Java Applet Sandbox. The sandbox refers to a set of security restrictions imposed on an Applet. The sandbox exists to prevent potentially dangerous code from being executed on a user's machine when they simply browse to a website.

Three of the basic restrictions are as follows:

  • No access to the client's local file system.
  • No network access to a remote system other than the Applet's host machine.
  • No access to the client's printer.

There is a way to break out of the sandbox, via signing. A company can establish itself as a trusted vendor by purchasing certificates from a company like VeriSign. You can then "sign" your Applet and have the ability to do things such as read local files, and connect to an arbitrary URL. In order to write the most powerful Java Applets, this is the way to go.

Calling Applet methods via JavaScript

Since Applets are meant to be embedded in web pages, it would be nice to have your web page interact with your Applet. The way to do this is via JavaScript. Here's a really basic example.

Our Applet has one method, changeColor: 

public class ColorApplet extends Applet
{    
    public void changeColor (String color)
    {
        if (color.equals("red"))
        {
            setBackground(Color.red);
        }
        else if (color.equals("blue"))
        {
            setBackground(Color.blue);            
        }   
    }   
}

This is a pretty worthless Applet without some kind of external access into the changeColor method. Here's the HTML to call into the method: 

<html>
<body>
<applet height="100" width="100" code="ColorApplet.class" name="ColorApplet"></applet>
<a onclick="javascript:ColorApplet.changeColor('red');" href="#">Red</a>
<a onclick="javascript:ColorApplet.changeColor('blue');" href="#">Blue</a>
</body>
</html>

By clicking on the "Red" and "Blue" Links in the html page, the Applet's background would change accordingly.

Using JavaScript to call restricted methods.

Changing colors in an Applet doesn't seem very useful. But lets say I have an Applet that can open up images from a file name or from a URL. The JavaScript hyperlinks can be used to open different files and URLs in the applet. I implemented a public method, 

       public void openFile (String filename)

 

This method will open up a local file or URL and display the image in the Applet. This works fine with any filename or URL since our Applet is signed. However, when I tried to call this method from an html page with JavaScript, I got the following error: 

java.security.AccessControlException: access denied (java.io.FilePermission C:\images\img1.tif read)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkWrite(Unknown Source)

 

I was baffled. I retested openFile via my file menu, and the image opened up fine, so I knew I had signed the applet properly. I tested the JavaScript again and no luck. Hmm. Then I tried another JavaScript method that simply printed out some text to the console and that worked. Finally, I figured that there must be some additional security layer that prevents JavaScript from calling into the sandbox-restricted methods, even if the Applet is signed. After a quick Google search, I found some forum threads such as this one, which confirmed my suspicions. So what to do? I figured I would use the JavaScript method just to set some properties in the Applet. I would then create a separate thread that could be responsible for listening to changes in these fields, and calling the openFile method on behalf of the JavaScript. Here's how that worked. I made a new method called jsOpenFile, like this: 

  /**
     * @param name
     */
    public void jsOpenFile(String name)
    {
        gJavascriptFilename = name;
        gJavascriptCalled = true;
    }

Then I defined a thread in the init() method of my applet, like this: 

            Thread javascriptListener = new Thread()
            {
                public void run()
                {
                    while (true)
                    {
                        if (gJavascriptCalled)
                        {
                            gJavascriptCalled = false;
                            openFile(gJavascriptFilename);
                        }
                        try
                        {
                            sleep(JAVA_SCRIPT_POLL_INTERVAL);
                        }
                        catch (Throwable t)
                        {
                            t.printStackTrace();
                        }
                    }
                }
            };
            javascriptListener.start();

Sure enough it works!

-Alex

Posted by on October 13, 2006 at 09:44 AM in Java Programming - Applets | | Comments (4) | TrackBack (1)