Posted to batik-users@xmlgraphics.apache.org by th...@kodak.com on 2008/07/08 01:27:01 UTC

Re: Batik Applet and getURL/XMLHttpRequest?

Hi All,

"Helder Magalhães" <he...@gmail.com> wrote on 06/30/2008 08:45:18 AM:

> > Setting:
> > "C:\Users\ %username%\.java.policy"
> > To:
> > grant {
> >  permission java.security.AllPermission;
> >  };
> > Allowed getURL to work OK on both IE and FF3.
> > This tells me: stop being lazy and properly sign your applet, EVEN IF you
> > are only in the early development/learning stages.
> 
> This seems OK for local development but not for a decent attempt to
> widely deploy a Batik-based applet, i.e., obligating users to make
> such configuration is 1) bad for obvious security issues 2) less
> experienced users won't even be able to do it.

   Right, it's not good for general applet deployment.

> AFAIK, the main issue may be located in the sample applet's code
> itself - I recall Thomas Deweese has previously stated that the
> sand-boxing (which provokes this issue) resides in "setDocument" [1].

   I doubt the problem is Batik's sandboxing.  Unfortunately I
don't know what the source of the problem is.  I think that getURL
should work in an Applet without needing signing.  Can you get the
security exception that is causing the problem?

Re: Batik Applet and getURL/XMLHttpRequest?

Posted by th...@kodak.com.
Hi Helder,

"Helder Magalhães" <he...@gmail.com> wrote on 07/16/2008 11:53:48 AM:

> In a quick experiment I confirmed that this works as expected. 

   Good.

> Any comments on the previous proposal of publishing a mash-up of all
> this somewhere?
> «Should these (and follow-ups to similar threads) be published
> somewhere within the Wiki? Creating an "applet" page in the how-to [2]
> section maybe...?»

   Well Wiki contributions are always welcome and encouraged.
Feel free to create an Applet page on the how-to page.

> Again, thank you for your contribution. ;-)

   Thanks for helping to find the bug.

Re: Batik Applet and getURL/XMLHttpRequest?

Posted by Helder Magalhães <he...@gmail.com>.
>    Thanks, that let me find the problem.  It's our Sandboxing ;)
> Well really it's a bug in the case where we aren't sandboxing that we
> trip over our sandboxing...
Great to know it helped! :-)

> Anyway the fix should be in SVN rev 677245.
>    Good luck.
In a quick experiment I confirmed that this works as expected. I
haven't checked all possible cases nor searched for potential
regressions, though... This probably applies to other "higher
permissions" operations (such as parseXML). :-)

Any comments on the previous proposal of publishing a mash-up of all
this somewhere?
«Should these (and follow-ups to similar threads) be published
somewhere within the Wiki? Creating an "applet" page in the how-to [2]
section maybe...?»

Again, thank you for your contribution. ;-)

Best regards,

 Helder Magalhães

Re: Batik Applet and getURL/XMLHttpRequest?

Posted by th...@kodak.com.
Hi Helder,

Thomas DeWeese wrote:

>>    I doubt the problem is Batik's sandboxing. [...] 
>> Can you get the security exception that is causing the problem?

"Helder Magalhães" <he...@gmail.com> wrote on 07/16/2008 04:12:42 AM:

> Caused by: java.lang.NullPointerException
>       at org.apache.batik.script.rhino.RhinoInterpreter.getAccessControlContext(Unknown Source)
>       at org.apache.batik.script.rhino.WindowWrapper.getURL(Unknown Source)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

   Thanks, that let me find the problem.  It's our Sandboxing ;)
Well really it's a bug in the case where we aren't sandboxing that we
trip over our sandboxing...  Anyway the fix should be in SVN rev 677245.

   Good luck.

Re: Batik Applet and getURL/XMLHttpRequest?

Posted by Helder Magalhães <he...@gmail.com>.
>    I doubt the problem is Batik's sandboxing.  Unfortunately I
> don't know what the source of the problem is.  I think that getURL
> should work in an Applet without needing signing.  Can you get the
> security exception that is causing the problem?

SVG Error:
Wrapped org.mozilla.javascript.WrappedException: Wrapped
java.lang.NullPointerException (Inline <script>
http://localhost/folder/getURL.svg:7#7) (Event attribute
http://localhost/folder/getURL.svg:4 onload#1)

Environment:
OS - Windows XP SP3
Batik - 1.8pre (rev. 6751108)
Java - 1.6.0_06

Attached are both the test case used ("getURL.svg") and the stack
trace ("BatikGetURLException-StackTrace.txt", copied from "Show
Details") for the exception.

Other (failed) attempts which have been made (and why):
1. Separate the script declarations from the SVG file to a different
(.js) file: check if the Domain exception could be related with the
specific URI from which the script was loaded;
2. Tested in a different machine, using a different operating system
(Ubuntu 8.04): check if the Domain exception could be related with
localhost testing and if it was a Windows-specific issue. Got the same
exception (server name instead of "localhost", of course);
3. Several iterations of running with the "Applet Viewer", using a
custom policy ("-J-Djava.security.policy" argument), led me to understand
that the only required permission seems to be "createClassLoader"
(which is not good news anyway as it is one of the most dangerous to
grant [1]). Attached is the policy ("SvgViewer.policy") which causes
getURL to succeed.

@Bob Brown
Note: All seems to apply to parseXML also ("parseXML.svg" attachment),
which seems to succeed in the same situations. ;-)

I was able to make the exception go away by signing both the applet
and batik jars. Again, it would be awesome to get Batik to pass over this
without requiring applet signing. Common Batik-based applets with
"AJAX" support could then be easily created, which would surely boost
Batik usage within the SVG community. :-)

Should these (and follow-ups to similar threads) be published
somewhere within the Wiki? Creating an "applet" page in the how-to [2]
section maybe...?

Best regards,

 Helder Magalhães

[1] http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
[2] http://wiki.apache.org/xmlgraphics-batik/HowTo
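
The following is an added example, not part of the thread and not Batik code: a small Python check that flags the two grants discussed above (the blanket `AllPermission` grant and `createClassLoader`) in a Java policy file and reports whether each is scoped by a `codeBase`. The narrowed policy and its `codeBase` URL are constructed for illustration; it is not the "SvgViewer.policy" attachment.

```python
import re
# The two grants the thread discusses: the blanket one from .java.policy and
# the single permission the Applet Viewer experiments narrowed it down to.
RISKY = {
    ("java.security.AllPermission", None): "grants every permission",
    ("java.lang.RuntimePermission", "createClassLoader"):
        "loaded classes can be placed in any protection domain",
}
# Assumes no ${property} expansion inside the grant header or targets.
GRANT_RE = re.compile(r"\bgrant\b([^{]*)\{(.*?)\}\s*;", re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')


def audit(policy_text):
    """Return (codeBase or None, class, target or None, reason) per risky grant."""
    # Drop whole-line // comments only, so "http://" in a codeBase survives.
    text = re.sub(r"^\s*//.*$", "", policy_text, flags=re.M)
    findings = []
    for header, body in GRANT_RE.findall(text):
        m = CODEBASE_RE.search(header)
        codebase = m.group(1) if m else None
        for cls, target in PERM_RE.findall(body):
            target = target or None
            reason = RISKY.get((cls, None)) or RISKY.get((cls, target))
            if reason:
                if codebase is None:
                    reason += "; no codeBase, so it applies to all code"
                findings.append((codebase, cls, target, reason))
    return findings

# Sample input: the first policy is the grant quoted in the thread; the second
# is constructed (hypothetical codeBase, extra permission for contrast).
THREAD_POLICY = """
grant {
  permission java.security.AllPermission;
};
"""
NARROWED_POLICY = """
// constructed example, not the SvgViewer.policy attachment
grant codeBase "http://localhost/folder/-" {
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.util.PropertyPermission "user.dir", "read";
};
"""

if __name__ == "__main__":
    for text in (THREAD_POLICY, NARROWED_POLICY):
        print(audit(text))
```

Even when scoped to one `codeBase`, the `createClassLoader` grant is still reported, which matches the concern raised in the message above.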