LWJGL applet loader
Offline Mike



« Posted 2009-05-18 17:46:20 »

I wonder if I should post it here or on the LWJGL forum but hopefully most people look at both places :)

I have an applet that works fine in Eclipse and worked fine with the JOGL applet loader, but when running it with the LWJGL one I run into a security problem.

All I do is:
new URL(getCodeBase(), "pictures/" + name)
(I tried it with one parameter as well as without a subfolder but it always gives the same error, doing .toString() on the URL gives me the correct URL so it isn't a problem with a slash)

The error I get is:
SecurityException: denied access outside a permitted URL subpath

Do I need to sign my applet when using LWJGL even though I create a connection to the same server as where the applet is located?

I am running on JRE 6u13 with Windows XP.

My current game, Minecraft meets Farmville and goes online :)
State of Fortune | Discussion thread @ JGO
Offline Mike



« Reply #1 - Posted 2009-05-22 09:51:51 »

If anyone else has this issue, look at this thread:
http://lwjgl.org/forum/topics/shaving/2905/view.html

There is a workaround while the LWJGL crew fixes the problem:
Quote
> just a quick update, I've managed to get the current LWJGL AppletLoader to work when using a crossdomain.xml file such as http://kappa.javaunlimited.net/temp/crossdomain.xml just put that on the base of your domain where the applet is hosted, it's not a proper fix but should get you going for now, will update you once a proper fix is found.

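An added example, not part of the thread or of LWJGL: a small Python audit of a crossdomain.xml policy of the kind used in the workaround above, flagging how broad each grant is before the file is left on a domain root. The linked file's contents are not shown on this page, so both sample policies are constructed, and the function names and severity labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; the file linked in the post is not reproduced here.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="games.example.org"/>
  <allow-access-from domain="*.example.org" secure="false"/>
</cross-domain-policy>"""

SEVERITY_ORDER = ["info", "medium", "high", "error"]


def audit_crossdomain(xml_text):
    """Return (severity, message) findings for a crossdomain.xml body you host."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", f"unexpected root element <{root.tag}>")]
    findings = []
    for grant in root.findall("allow-access-from"):
        domain = (grant.get("domain") or "").strip()
        if not domain:
            findings.append(("error", "allow-access-from has no domain attribute"))
        elif domain == "*":
            findings.append(("high", "domain=* lets content from any site read this host"))
        elif domain.startswith("*."):
            findings.append(("medium", f"wildcard subdomain grant: {domain}"))
        else:
            findings.append(("info", f"explicit grant: {domain}"))
        # secure="false" lets content loaded over HTTP use a policy served over HTTPS.
        if (grant.get("secure") or "true").lower() == "false":
            findings.append(("medium", f"secure=false on {domain or '?'}: HTTP content may read HTTPS data"))
    return findings or [("info", "no allow-access-from entries, nothing is granted")]


def worst_severity(findings):
    """Highest severity present in a findings list."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for name, body in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        results = audit_crossdomain(body)
        print(name, "->", worst_severity(results))
        for severity, message in results:
            print(f"  [{severity}] {message}")
```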
Offline kappa


« Reply #2 - Posted 2009-05-22 11:24:25 »

just a note as mentioned on the other forum, this issue is now fixed and checked into svn, should be available in next lwjgl release.
Offline Markus_Persson



« Reply #3 - Posted 2009-05-22 16:13:17 »

when's that coming? ;)

Play Minecraft!
Offline Matzon



« Reply #4 - Posted 2009-05-22 18:38:04 »

grab the nightly to start with - I am contemplating the next release, but would like to wait for Ken Russell's answer from the security team

Offline Markus_Persson



« Reply #5 - Posted 2009-05-22 22:38:43 »

sweet =D

Offline Mike



« Reply #6 - Posted 2009-05-23 14:04:00 »

Quote
> grab the nightly to start with - I am contemplating the next release, but would like to wait for Ken Russell's answer from the security team

I am so looking forward to this, it would be so sweet to be able to just browse to the game and everything works :) No popups and no troubles :)

Offline bobjob



« Reply #7 - Posted 2009-06-30 02:07:53 »

seriously? so you won't have to sign applets with LWJGL. But you will still have to sign webstarts.

Time to start using applets

My Projects
Games, Webcam chat, Video screencast, PDF tools.

Javagaming.org with chat room
Offline princec



« Reply #8 - Posted 2009-06-30 13:09:03 »

No, you won't even have to sign webstarts either.
HOWEVER...

there is an issue. JOGL is just OpenGL drivers, and in themselves, OpenGL drivers are completely benign. I can fully appreciate why it's been given a secret cert. LWJGL on the other hand also includes JInput and "LWJGLInput". Input is a different kettle of fish. Input allows 1 pixel wide applets to sit quietly in other tabs reading your keyboard strokes while you log in to Natwest Bank in another tab.

What will have to happen is that we'll have to couch the input initialisation stuff in a privileged access. So the LWJGL libraries can be used by unsigned applets and webstarted applications, but attempting to use input will require privilege escalation and therefore fully signing your applet.

<edit>And LWJGL display fullscreen support likewise opens the possibility of a crafty phishing attack, so that'd have to be wrapped too.

Cas :)

Offline DzzD
« Reply #9 - Posted 2009-06-30 13:27:01 »

Quote
> No, you won't even have to sign webstarts either.
> HOWEVER...
>
> there is an issue. JOGL is just OpenGL drivers, and in themselves, OpenGL drivers are completely benign. I can fully appreciate why it's been given a secret cert. LWJGL on the other hand also includes JInput and "LWJGLInput". Input is a different kettle of fish. Input allows 1 pixel wide applets to sit quietly in other tabs reading your keyboard strokes while you log in to Natwest Bank in another tab.
>
> What will have to happen is that we'll have to couch the input initialisation stuff in a privileged access. So the LWJGL libraries can be used by unsigned applets and webstarted applications, but attempting to use input will require privilege escalation and therefore fully signing your applet.
>
> <edit>And LWJGL display fullscreen support likewise opens the possibility of a crafty phishing attack, so that'd have to be wrapped too.
>
> Cas :)

web browser based security is always a headache... anyway, about the security, did you think of screenshots? because a "1 pixel wide applets" could monitor your screen too and show a lot of personal information people would like to mask.

Offline bobjob



« Reply #10 - Posted 2009-06-30 13:29:28 »

Quote
> What will have to happen is that we'll have to couch the input initialisation stuff in a privileged access. So the LWJGL libraries can be used by unsigned applets and webstarted applications, but attempting to use input will require privilege escalation and therefore fully signing your applet.
>
> <edit>And LWJGL display fullscreen support likewise opens the possibility of a crafty phishing attack, so that'd have to be wrapped too.
> Cas :)

Unfortunate about the fullscreen issue. Is it possible to make security popups at runtime?
For example, if the webstart opens in window, then requests fullscreen, first show security popup.


Offline kappa


« Reply #11 - Posted 2009-06-30 15:37:56 »

Quote
> Is it possible to make security popups at runtime?

Yup it is.

However I'd say the easiest way to go about this is don't sign jinput.jar with the magic certificate (LWJGL doesn't really need it except if you want to use controllers) and disable fullscreen for the LWJGL jar that is signed with the magic certificate, if you need those features just grab the standard LWJGL jars and sign them yourself.

So LWJGL would just provide lwjgl_applet.jar (same as lwjgl.jar but no fullscreen and signed with magic certificate).

The hardest part is getting Sun to give us a magic certificate or agreeing to sign jars for us :D
Offline princec



« Reply #12 - Posted 2009-06-30 18:26:26 »

No, LWJGL has its own keyboard and mouse handling, and the keyboard handling is the security issue.
As far as reading the screen goes - this is impossible with LWJGL anyway.

Cas :)

Offline kappa


« Reply #13 - Posted 2009-06-30 18:33:54 »

oh, I thought LWJGL's keyboard handling only works if the applet/Display has focus? just like a JApplet + key listener.
Offline princec



« Reply #14 - Posted 2009-06-30 19:33:36 »

Actually I'm not sure if that's the case :) Can't say as I've ever tested it.

Cas :)

Offline kappa


« Reply #15 - Posted 2009-06-30 20:03:48 »

it is the case, well at least from my tests, unless there's a way to create and poll a Keyboard without a Display. ;)
So really it's just JInput and Fullscreen that would need extra security permissions. Could alternatively just bind exiting fullscreen when escape key is pressed (like Flash).
Offline princec



« Reply #16 - Posted 2009-07-01 11:37:11 »

Flash also has the fullscreen warning shown automatically too. We'd have to do that as well as the ESC key binding.

Cas :)

Offline princec



« Reply #17 - Posted 2009-07-01 11:37:30 »

...which we could do with a popup modal dialog.

Cas :)

Offline Mike



« Reply #18 - Posted 2009-07-01 11:45:37 »

Quick question Cas. Are these things that the LWJGL team has come up with, or have you been in contact with Sun and they put these demands on you before you're allowed to get the magic cert?

Offline princec



« Reply #19 - Posted 2009-07-01 13:28:32 »

No, this is just what I know it needs. Beyond that, LWJGL is identical to JOGL (except that we also include OpenAL).

Cas :)
