LWJGL applet loader

OpenGL Development
#1

I wonder if I should post it here or on the LWJGL forum but hopefully most people look at both places :slight_smile:

I have an applet that works fine in eclipse and worked fine with the JOGL applet loader but when running it with the LWJGL one I run into a security problem.

All I do is:
new URL(getCodeBase(), “pictures/” + name)
(I tried it with one parameter as well as without a subfolder but it always gives the same error, doing .toString() on the URL gives me the correct URL so it isn’t a problem with a slash)

The error I get is:
SecurityException: denied access outside a permitted URL subpath

Do I need to sign my applet when using LWJGL even though I create a connection to the same server as where the applet is located?

I am running on JRE 6u13 with Windows XP.

#2

If anyone else has this issue look at this thread:
http://lwjgl.org/forum/index.php/topic,2905.0.html

There is a workaround while the LWJGL crew fixes the problem:

[quote]just a quick update, I’ve managed to get the current LWJGL AppletLoader to work when using a crossdomain.xml file such as http://kappa.javaunlimited.net/temp/crossdomain.xml just put that on the base of your domain where the applet is hosted, its not a proper fix but should get you going for now, will update you once a proper fix is found.
[/quote]

#3

just a note as mentioned on the other forum, this issue is now fixed and checked into svn, should be available in next lwjgl release.

#4

when’s that coming? :wink:

#5

grab the nightly to start with - I am contemplating the next release, but would like the4 wait for Ken Russels answer from the security team

#6

sweet =D

#7

I am so looking forward to this, it would be so sweet to be able to just browse to the game and everything works :slight_smile: No popups and no troubles :slight_smile:

#8

seriously? so you wont have to sign applets with LWJGL. But you will still have to sign webstarts.

Time to start using applets

#9

No, you won’t even have to sign webstarts either.
HOWEVER…

there is an issue. JOGL is just openGL drivers, and in themselves, openGL drivers are completely benign. I can fully appreciate why it’s been given a secret cert. LWJGL on the other hand also includes JInput and “LWJGLInput”. Input is a different kettle of fish. Input allows 1 pixel wide applets to sit quietly in other tabs reading your keyboard strokes while you log in to Natwest Bank in another tab.

What will have to happen is that we’ll have to couch the input initialisation stuff in a privileged access. So the LWJGL libraries can be used by unsigned applets and webstarted applications, but attempting to use input will require privilege escalation and therefore fully signing your applet.

And LWJGL display fullscreen support likewise opens the possibility of a crafty phishing attack, so that’d have to be wrapped too.

Cas :slight_smile:

#10

web browser based security is always an headhach… anyway about the security did you thought of screenshot ? because a “1 pixel wide applets” could monitor your screen too and show a lot of personal information peope would like to mask.

#11

Unfortunate about the fullscreen issue. Is it possible to make security popups at runtime?
For example, if the webstart opens in window, then requests fullscreen, first show security popup.

#12

Yup it is.

However I’d say the easiest way to go about this is don’t sign jinput.jar with the magic certificate (LWJGL doesn’t really need it except if you want to use controllers) and disable fullscreen for the LWJGL jar that is signed with the magic certificate, if you need those features just grab the standard LWJGL jars and sign them yourself.

So LWJGL would just provide lwjgl_applet.jar (same as lwjgl.jar but no fullscreen and signed with magic certificate).

The hardest part is getting Sun to give us a magic certificate or agreeing to sign jars for us ;D

#13

No, LWJGL has its own keyboard and mouse handling, and the keyboard handling is the security issue.
As far as reading the screen goes - this is impossible with LWJGL anyway.

Cas :slight_smile:

#14

oh, I thought LWJGL’s keyboard handling only works if the applet/Display has focus? just like a JApplet + key listener.

#15

Actually I’m not sure if that’s the case :slight_smile: Can’t say as I’ve ever tested it.

Cas :slight_smile:

#16

it is the case, well at least from my tests, unless theres a way to create and poll a Keyboard without a Display. :wink:
So really its just JInput and Fullscreen that would need extra security permissions. Could alternatively just bind exiting fullscreen when escape key is pressed (like Flash).

#17

Flash also has the fullscreen warning shown automatically too. We’d have to do that as well as the ESC key binding.

Cas :slight_smile:

#18

…which we could do with a popup modal dialog.

Cas :slight_smile:

#19

Quick question Cas. Is this things that the LWJGL team has come up with or have you been in contact with Sun and they put these demands on you before you’re allowed to get the magic cert?

#20

No, this is just what I know it needs. Beyond that, LWJGL is identical to JOGL (except that we also include OpenAL).

Cas :slight_smile: