
Java Doodle: crossdomain.xml Support

Posted by joshy on May 28, 2008 at 1:59 PM PDT

While we wait for the full JavaFX SDK to be released later this summer I'd like to show you some cool desktop Java things that you can do right now. This is the first in a series I'm going to call Java Doodles, highlighting the new features in JavaSE 6 update 10, now in beta. Join me over the coming weeks when we will explore more cool things you can do with desktop Java.

A photo applet


Above is a simple applet which loads the most recent photos from my Flickr stream. It's a very simple pure Java applet that's only 8k in size. This applet isn't interesting for what it does, but rather for what it doesn't do. If you have JavaSE 6 update 10 then you won't see a security warning dialog, even though it's hosted on my personal server (not java.net) and it's connecting to Flickr.com. How is this possible?

The applet security model, known as the sandbox, only lets applets connect to the webserver they were loaded from. They cannot connect to anywhere else unless they are signed. Signing is great when you need access to more than what is allowed inside the sandbox, but it has two problems: the user will receive an ugly warning dialog about the applet, and the applet will have full access to the user's computer. Full access is overkill when all you want to do is talk to a webservice on another server. Surely there is some middle ground between the sandbox and full access? Well now there is.

crossdomain.xml support

If the server hosting a webservice has a special XML file on it, then the applet plugin will allow connections to that server. This special file is called a crossdomain.xml file and it must be present on the exact subdomain hosting the webservice. Here is the crossdomain.xml file for the Flickr server hosting the images:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

Because Flickr wants people to build apps which connect to their webservices they have put a crossdomain.xml file on all of their domains which host webservices. The crossdomain.xml mechanism was originally designed for Flash applications, but with JavaSE 6 update 10 now Java apps can take advantage of these services too!
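
An added example, not code from this post or from the Java Plug-in: a small Java auditor that parses a crossdomain.xml policy like the one above without fetching its external DTD, and reports what the policy grants. The class and method names are hypothetical, the restricted and empty policies are constructed samples, and treating only domain="*" as a grant follows the author's reply in the comments about the supported subset.

```java
import java.io.StringReader;
import java.net.URI;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (hypothetical names): offline audit of a crossdomain.xml policy. */
public class CrossDomainPolicyCheck {

    enum Decision { ANY_ORIGIN_ALLOWED, ONLY_RESTRICTED_ENTRIES, NO_GRANT }

    /** Policy location for a target URL: same scheme and authority, path /crossdomain.xml. */
    static URI policyUriFor(URI target) throws Exception {
        return new URI(target.getScheme(), target.getAuthority(), "/crossdomain.xml", null, null);
    }

    /** Parses a policy without ever resolving its external DTD or external entities. */
    static Document parsePolicy(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating(false);
        factory.setExpandEntityReferences(false);
        // Policy files carry a DOCTYPE, so rejecting DOCTYPEs outright is not an option;
        // instead, refuse to load the external DTD and any external entities.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Second line of defence: anything external resolves to an empty document.
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /** Classifies the policy under the "*"-only subset described in the comments on this page. */
    static Decision evaluate(Document policy) {
        Element root = policy.getDocumentElement();
        if (!"cross-domain-policy".equals(root.getTagName())) {
            return Decision.NO_GRANT;
        }
        NodeList entries = root.getElementsByTagName("allow-access-from");
        boolean sawRestricted = false;
        for (int i = 0; i < entries.getLength(); i++) {
            String domain = ((Element) entries.item(i)).getAttribute("domain").trim();
            if ("*".equals(domain)) {
                return Decision.ANY_ORIGIN_ALLOWED;   // every site's unsigned code may connect
            }
            if (!domain.isEmpty()) {
                sawRestricted = true;                 // e.g. "*.a.com": present but not a "*" grant
            }
        }
        return sawRestricted ? Decision.ONLY_RESTRICTED_ENTRIES : Decision.NO_GRANT;
    }

    public static void main(String[] args) throws Exception {
        String doctype = "<!DOCTYPE cross-domain-policy SYSTEM "
                + "\"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd\">";
        // The Flickr policy quoted in the post.
        String wildcard = "<?xml version=\"1.0\"?>" + doctype
                + "<cross-domain-policy><allow-access-from domain=\"*\" /></cross-domain-policy>";
        // Constructed sample: a host that lists only a specific domain pattern.
        String restricted = "<?xml version=\"1.0\"?>" + doctype
                + "<cross-domain-policy><allow-access-from domain=\"*.a.com\" /></cross-domain-policy>";
        // Constructed sample: a policy file with no grants at all.
        String empty = "<?xml version=\"1.0\"?>" + doctype + "<cross-domain-policy/>";

        // Each host needs its own policy file, so two Flickr hosts mean two lookups.
        URI feed = new URI("http://api.flickr.com/services/feeds/photos_public.gne");
        URI image = new URI("http://farm4.static.flickr.com/3223/3137709120_877ea012cb_m.jpg");
        System.out.println(feed.getHost() + " -> " + policyUriFor(feed));
        System.out.println(image.getHost() + " -> " + policyUriFor(image));

        System.out.println("wildcard policy:   " + evaluate(parsePolicy(wildcard)));
        System.out.println("restricted policy: " + evaluate(parsePolicy(restricted)));
        System.out.println("empty policy:      " + evaluate(parsePolicy(empty)));
    }
}
```

A domain="*" grant lets unsigned code served from any site read responses from that host, so it suits only endpoints that serve public data.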

Degrading gracefully

So what happens if you don't have update 10? In a plain applet the connection to static.flickr.com would throw a security access exception. The applet has to be signed for that to work, but we don't want the applet to be signed in the update 10 case. The key to degrading gracefully is to have two sets of jars, one signed and the other unsigned, and use the new JNLP support to specify the update 10 version, falling back to the classic applet classpath for older JVMs. Here's how it works. In my webpage I put this applet tag:

<div id="applet">
    <applet code="photostrip.Applet"
            archive="http://projects.joshy.org/demos/PhotoStrip/webstart/PhotoStrip.jar"
            width="400" height="200"
            >
        <param name="jnlp_href" value="http://projects.joshy.org/demos/PhotoStrip/photostrip.jnlp">
        <param name="flickruser" value="31706743@N00"/>
        <param name="size" value="100"/>
        <param name="cols" value="4"/>
        <param name="rows" value="2"/>
    </applet>
</div>

Then, in the photostrip.jnlp file, I put this:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="" href="">
    <information>
        <title>PhotoStrip</title>
        <vendor>Joshua Marinacci</vendor>
        <offline-allowed />
    </information>
    <resources>
        <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se" />
        <jar href="unsigned/PhotoStrip.jar" main="true" />
        <!-- Application Resources -->
    </resources>
  <applet-desc
      name="PhotoStrip"
      main-class="photostrip.Applet"
      width="400"
      height="200">
  </applet-desc>
</jnlp>

The applet tag version uses the signed jar in the webstart directory. The JNLP version uses the unsigned jar in the unsigned directory. New JREs will use the JNLP version without a warning dialog. Older JREs will use the applet tag version with the warning dialog. Using this simple method you can degrade gracefully in older JREs and browsers. In fact, you don't have to use this technique just for signing issues. The two jars could point to different versions of the app that turn on and off any of the other new JavaSE 6 update 10 features.

Going forward

With crossdomain.xml support in Java now all sorts of mashups become possible in applets without any jar signing at all. Here are a few other sites with crossdomain.xml supported webservices that you could connect to and do interesting things with.

For more information on crossdomain.xml support in JavaSE 6 update 10 see these references:

Source

Here is the source to the PhotoStrip application. You also need this bin directory, which includes some extra Ant tasks for packaging.

Comments


Hi, I have the issue just recently, how can I resolve it?

http://api.flickr.com/services/feeds/photos_public.gne?id=31706743@N00&l... with proxy=DIRECT
network: Cache entry not found [url: http://api.flickr.com/crossdomain.xml, version: null]
network: Connecting http://api.flickr.com/crossdomain.xml with proxy=DIRECT
network: Connecting http://api.flickr.com:80/ with proxy=DIRECT
network: Cache entry not found [url: http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd, version: null]
network: Connecting http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd with proxy=DIRECT
network: Cache entry not found [url: http://www.macromedia.com/crossdomain.xml, version: null]
network: Connecting http://www.macromedia.com/crossdomain.xml with proxy=DIRECT
network: Connecting http://www.macromedia.com:80/ with proxy=DIRECT
network: Cache entry found [url: http://www.adobe.com/crossdomain.xml, version: null] prevalidated=false/0
java.security.AccessControlException: access denied (java.util.PropertyPermission http.agent read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
at java.lang.System.getProperty(System.java:667)
at com.sun.deploy.net.BasicHttpRequest.createUrlConnection(BasicHttpRequest.java:304)
at com.sun.deploy.net.BasicHttpRequest.doRequest(BasicHttpRequest.java:148)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(BasicHttpRequest.java:67)
at com.sun.deploy.net.DownloadEngine.isUpdateAvailable(DownloadEngine.java:977)
at com.sun.deploy.cache.DeployCacheHandler.get(DeployCacheHandler.java:178)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:863)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
at sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2116)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1367)
at com.sun.deploy.net.CrossDomainXML$3.run(CrossDomainXML.java:417)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.net.CrossDomainXML.privilegedConnect(CrossDomainXML.java:414)
at com.sun.deploy.net.CrossDomainXML.check(CrossDomainXML.java:375)
at com.sun.deploy.net.CrossDomainXML.check(CrossDomainXML.java:167)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Applet2SecurityManager.java:513)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:521)
at sun.net.www.http.HttpClient.(HttpClient.java:227)
at sun.net.www.http.HttpClient.New(HttpClient.java:300)
at sun.net.www.http.HttpClient.New(HttpClient.java:317)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:675)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1313)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startDTDEntity(XMLEntityManager.java:1280)
at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.setInputSource(XMLDTDScannerImpl.java:283)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1191)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1087)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:1000)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:198)
at com.sun.deploy.net.CrossDomainXML$2.run(CrossDomainXML.java:386)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.net.CrossDomainXML.check(CrossDomainXML.java:384)
at com.sun.deploy.net.CrossDomainXML.check(CrossDomainXML.java:167)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Applet2SecurityManager.java:513)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:521)
at sun.net.www.http.HttpClient.(HttpClient.java:227)
at sun.net.www.http.HttpClient.New(HttpClient.java:300)
at sun.net.www.http.HttpClient.New(HttpClient.java:317)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
at java.net.URL.openStream(URL.java:1010)
at photostrip.PhotoStream.parse(PhotoStream.java:36)
at photostrip.PhotoStrip$1.run(PhotoStrip.java:53)
at java.lang.Thread.run(Thread.java:680)
java.security.AccessControlException: access denied (java.net.SocketPermission www.macromedia.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Applet2SecurityManager.java:505)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:521)
at sun.net.www.http.HttpClient.(HttpClient.java:227)
at sun.net.www.http.HttpClient.New(HttpClient.java:300)
at sun.net.www.http.HttpClient.New(HttpClient.java:317)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:675)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1313)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startDTDEntity(XMLEntityManager.java:1280)
at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.setInputSource(XMLDTDScannerImpl.java:283)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1191)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1087)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:1000)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:198)
at com.sun.deploy.net.CrossDomainXML$2.run(CrossDomainXML.java:386)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.net.CrossDomainXML.check(CrossDomainXML.java:384)
at com.sun.deploy.net.CrossDomainXML.check(CrossDomainXML.java:167)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Applet2SecurityManager.java:513)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:521)
at sun.net.www.http.HttpClient.(HttpClient.java:227)
at sun.net.www.http.HttpClient.New(HttpClient.java:300)
at sun.net.www.http.HttpClient.New(HttpClient.java:317)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:970)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:836)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
at java.net.URL.openStream(URL.java:1010)
at photostrip.PhotoStream.parse(PhotoStream.java:36)
at photostrip.PhotoStrip$1.run(PhotoStrip.java:53)
at java.lang.Thread.run(Thread.java:680)
couldn't access flickr. probably on an older jre

@ joshy: Any idea when other subsets of crossdomain.xml will be supported? E.g. allow-access-from domain "*.mysite.com". Thanks. [QUOTE] you are correct. Currently we only support a subset of the crossdomain.xml format, using just the "*" domains. [/QUOTE]

joshy: I see... and appreciate your reply very much!

@ kilene you are correct. Currently we only support a subset of the crossdomain.xml format, using just the "*" domains.

Sorry for the duplicate post, but some code was filtered by the system. It seems like this sample only works when allow-access-from domain="*". I tried it successfully when the domain="*", but it doesn't work when I specify a domain such as allow-access-from domain="*.a.com" and put this crossdomain.xml file in www.b.com, then run an applet at site a which accesses site b; the result is always "access denied". Is there anybody who has met the same problem as me? Please tell me why this happens and how to solve this problem if you know. Thanks very much (sorry for poor English :)

It seems like this sample only works when I tried it successfully when the domain="*" but it doesn't work when I specify a domain such as and put this crossdomain.xml file in www.b.com then run an applet at site a which accesses site b; the result is always "access denied". Is there anybody who has met the same problem as me? Please tell me why this happens and how to solve this problem if you know. Thanks very much (sorry for poor English :)

It did not work the first time I tried (Actually it worked for one of the eight images). Here is my console output:

Java Plug-in 1.6.0_11
Using JRE version 1.6.0_11 Java HotSpot(TM) Client VM
User home directory = C:\Users\Morten
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to
----------------------------------------------------
Validating http://projects.joshy.org/demos/PhotoStrip/unsigned/PhotoStrip.jar , version null...
init
image = http://farm4.static.flickr.com/3223/3137709120_877ea012cb_m.jpg
image = http://farm4.static.flickr.com/3215/3136881273_bd8ca6050c_m.jpg
image = http://farm4.static.flickr.com/3236/3136880405_4ef4c12af0_m.jpg
image = http://farm4.static.flickr.com/3226/3136879481_dddf521158_m.jpg
image = http://farm4.static.flickr.com/3089/3136878411_9b40c8ceb7_m.jpg
image = http://farm4.static.flickr.com/3205/3136877583_d3cfeb8cf3_m.jpg
image = http://farm4.static.flickr.com/3214/3136876503_6f14aa13d1_m.jpg
image = http://farm4.static.flickr.com/3286/3137702640_0f88a4c8b7_m.jpg
image = http://farm4.static.flickr.com/3242/3137701730_eca54c7904_m.jpg
image = http://farm4.static.flickr.com/3230/3137700740_e12a502d57_m.jpg
image = http://farm4.static.flickr.com/3114/3136872567_dd1959d2fa_m.jpg
image = http://farm4.static.flickr.com/3260/3137698986_4567a981fc_m.jpg
image = http://farm4.static.flickr.com/3213/3136870591_79952ed582_m.jpg
image = http://farm4.static.flickr.com/3109/3136869611_2e5c5ecebc_m.jpg
image = http://farm4.static.flickr.com/3230/3136868659_4fc88bf3e2_m.jpg
image = http://farm4.static.flickr.com/3115/3137695322_03d7e56979_m.jpg
image = http://farm4.static.flickr.com/3160/3136866993_a2dc7e9267_m.jpg
image = http://farm4.static.flickr.com/3262/3137693356_a3af002540_m.jpg
image = http://farm4.static.flickr.com/3087/3137692328_7c7cc31c1f_m.jpg
image = http://farm4.static.flickr.com/3295/3136864029_f7c2150f35_m.jpg
Exception in thread "Thread-18" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
Exception in thread "Thread-13" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
Exception in thread "Thread-16" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
Exception in thread "Thread-15" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
Exception in thread "Thread-14" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
Exception in thread "Thread-20" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
Exception in thread "Thread-19" java.security.AccessControlException: access denied (java.net.SocketPermission farm4.static.flickr.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at javax.imageio.ImageIO.read(Unknown Source)
at photostrip.PhotoResource$2.run(PhotoResource.java:82)
at java.lang.Thread.run(Unknown Source)
done loading: http://farm4.static.flickr.com/3089/3136878411_9b40c8ceb7_m.jpg = BufferedImage@f0b7f8: type = 3 DirectColorModel: rmask=ff0000 gmask=ff00 bmask=ff amask=ff000000 IntegerInterleavedRaster: width = 240 height = 159 #Bands = 4 xOff = 0 yOff = 0 dataOffset[0] 0

Ok, It's working fine in Java 6 update 11. Probably update 12 ea is causing these errors.

Cannot get it to work with the Google translation services. Google has a cross domain file at this location: http://ajax.googleapis.com/crossdomain.xml But still getting SocketPermission access denied. Java 6 update 12 EA, Windows XP. What am I doing wrong?

network: Connecting http://ajax.googleapis.com/ajax/services/language/translate?langpair=%7C... with proxy=DIRECT
23-dec-2008 0:46:22 translator.ui.TranslationDialog$TranslateAction$5 done
WARNING: Translation error
java.util.concurrent.ExecutionException: java.security.AccessControlException: access denied (java.net.SocketPermission ajax.googleapis.com:80 connect,resolve)
at java.util.concurrent.FutureTask$Sync.innerGet(Unknown Source)
at java.util.concurrent.FutureTask.get(Unknown Source)
at javax.swing.SwingWorker.get(Unknown Source)
at translator.ui.TranslationDialog$TranslateAction$5.done(TranslationDialog.java:541)
Caused by: java.security.AccessControlException: access denied (java.net.SocketPermission ajax.googleapis.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at applications.translator.utils.TranslationUtils.openHttpConnection(TranslationUtils.java:393)

Can you upgrade to a more recent build of update 10? You are using b14. I believe the support for crossdomain.xml was added in b20 or b22.

You are correct. (I feel like a game show host :) ). I am running ff3. I wasn't aware that the applet integration there was different. Though I am not surprised.

carcour: I've added a link to the source. Sorry I forgot that earlier.

malte_kosian, which browser and version are you using? I forgot to mention that you need Firefox 3 or IE 7 on Windows for the new plugin to be used. If you have another browser then the older plugin will be used.

Josh,

Someone should really document *why* applets prevent you from doing X or Y. I always believed, as did grlea, that the limitation was in place to assure users that their machine wouldn't be accessing files outside the domain of the applet purely for a security reason (to prevent DDoS attacks for example).

The whole concept behind crossdomain.xml is sort of counter-intuitive to me. I would think that when an applet connects to an arbitrary network, it should be forced to advertise the codebase (the domain hosting the applet) so the receiving network could then decide whether to reject it or not.

It's sort of weird expecting an applet to block itself from outgoing connections. One would expect a network to manage its own security instead of relying on inbound client connections to manage it for them.

test it with j java version "1.6.0_10-beta" Java(TM) SE Runtime Environment (build 1.6.0_10-beta-b23) Java HotSpot(TM) Client VM (build 11.0-b11, mixed mode, sharing) got one first initializing security warning, but never on reload or in other browsers. If the applet is in the cache, everything works fine.

Java Plug-in 1.6.0_10-beta
Match: beginTraversal
Match: digest JREDesc: JREDesc[version 1.5+, heap=-1--1, args=null, href=http://java.sun.com/products/autodl/j2se, sel=false, null, null]
Match: ignoring maxHeap: -1
Match: ignoring InitHeap: -1
Match: digesting vmargs: null
Match: digested vmargs: [JVMParameters: isSecure: true, args: ]
Match: JVM args after accumulation: [JVMParameters: isSecure: true, args: ]
Match: Try Version 0/1: 1.5+
Match: selected selectedJREDesc: null -> JREDesc[version 1.5+, heap=-1--1, args=null, href=http://java.sun.com/products/autodl/j2se, sel=false, null, null] ; versionID: null -> 1.5+
Match: Try JRE 0/4: JREInfo for index 0: platform is: 1.5 product is: 1.5.0_06 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre1.5.0_06\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: false
Match: JVM version did not match: have:<1.5.0.06> !satisfy want:<1.5+ >
Match: Try JRE 1/4: JREInfo for index 1: platform is: 1.6 product is: 1.6.0_04 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre1.6.0_04\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: false
Match: JVM version did not match: have:<1.6.0.04> !satisfy want:<1.5+ >
Match: Try JRE 2/4: JREInfo for index 2: platform is: 1.6 product is: 1.6.0_10 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre6\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: false
Match: JREInfo selected: JREInfo for index 2: platform is: 1.6 product is: 1.6.0_10 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre6\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: false -> JREInfo for index 2: platform is: 1.6 product is: 1.6.0_10 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre6\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: false
Match: Try JRE 3/4: JREInfo for index 3: platform is: 1.6 product is: 1.6.0_10 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre6\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: true
Match: JREInfo selected: JREInfo for index 3: platform is: 1.6 product is: 1.6.0_10 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre6\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: true -> JREInfo for index 3: platform is: 1.6 product is: 1.6.0_10 location is: http://java.sun.com/products/autodl/j2se path is: C:\Archivos de programa\Java\jre6\bin\javaw.exe args is: native platform is: Windows, x86 [ x86, 32bit ] enabled is: true registered is: false system is: true
Match: digest LaunchDesc: null
Match: digest properties: []
Match: JVM args: [JVMParameters: isSecure: true, args: ]
Match: endTraversal ..
Match: JVM args final:
Match: Running JREInfo Version match: 1.6.0.10 == 1.6.0.10
Match: Running JVM args match: have:<> satisfy want:<>
java.lang.NullPointerException
at com.sun.deploy.net.DownloadEngine.isUpdateAvailable(Unknown Source)
at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
at com.sun.deploy.net.DownloadEngine.getCachedFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareToLaunch(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.initialize(Unknown Source)
at sun.plugin2.main.client.PluginMain$StartAppletRunner.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Excepción: java.lang.NullPointerException
ExitException[ 3]java.lang.NullPointerException
at sun.plugin2.applet.JNLP2Manager.prepareToLaunch(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.initialize(Unknown Source)
at sun.plugin2.main.client.PluginMain$StartAppletRunner.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Error while initializing manager: ExitException[ 3]java.lang.NullPointerException, bail out

Thank you, Josh, for this example. For the next examples, though, is it possible to post the source code as well? Thanks, Carl Antaki

Hmmm, I am running Java(TM) Plug-in 1.6.0_10-beta-b23 and I get the security dialog (trust). Anything else that would cause that?

lstroud: you must also be running Firefox 3 or IE 7.

Doesn't this undermine the intended security?
I always thought that the point of restricting access to only the server that the applet came from was to give the user the confidence that any information they entered in the applet would only go to the server containing the applet, because they had chosen to trust the site that the applet was on.
This change seems to take the decision out of the user's hands and say that the deployer of the web service gets to choose whether they are trusted or not!?
What have I missed?

Great info, thanks.

Yup, it works in b23. Except it really wants to throw an Exception when clicking on the applet or using the browser's back button:
java.lang.Exception: comp is null
    at sun.plugin2.applet.Plugin2Manager.runOnEDT(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

grlea: no. The point of the applet sandbox is to prevent the applet from accessing your computer or anything else on your network (like your intranet website). It is to protect you from a rogue program. It does nothing to protect data you put into the applet from people other than the webserver it came from because the owners of that webserver could just as easily proxy your data to someone else anyway. This new feature simply removes the need for the proxy. It doesn't open up any new exploits.

Hi malte. It sounds like you were using the older plugin. Firefox 2 won't work with the new plugin. Which is why it worked in FF3 but not in 2. I'm not sure why IE failed the first time, but the fact that it worked when you updated tells me again that it was using the old plugin. I'm glad that it is working for you now.

Hi, Josh. The problem appears with both browsers IE7 and FFox 2.0.14 with 1.6.0_10-beta" Java(TM) SE Runtime Environment (build 1.6.0_10-beta-b23). I tested it with build 25 on Linux PC and it worked FF3... and also with IE7 build 25 is okay. Malte

With 1.6.0_10b14 on Vista, I get an error dialog that insists on stealing focus (mind you, not a modal dialog) from my browser. Would it not be better degradation to simply display an error placeholder on the website and not pop up focus stealing dialogs?
com.sun.deploy.net.FailedDownloadException: Unable to load resource: http://weblogs.java.net/blog/joshy/archive/2008/05/unsigned/PhotoStrip.jar
    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.getResource(Unknown Source)
    at com.sun.javaws.LaunchDownload.downloadJarFiles(Unknown Source)
    at com.sun.javaws.LaunchDownload.downloadEagerorAll(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.downloadResources(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)