• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

security issue

 
Cleverson Schmidt
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi friends

I'm wondering what happens when I want to use some sensitive operation, like push for example, but I don't ask for permission in the Jad file.
Suppose my Jad doesn't contain any MIDlet-permission attribute and my app tries to access sensitive operations opening an https connection for example. What is supposed to happen? A SecurityException may be thrown but I think this will depend on the Protection domain my application is bound to.
Any ideas?

Thank you in advance
Best Regards
Cleverson
 
Cleverson Schmidt
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
no clues???
 
Punit Raizada
Ranch Hand
Posts: 156
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The user using the MIDlet gets prompted "MIDlet trying to connect via http..do u want to allow that ?" or something like that .. there is a prompt for every method protected in the security domain .. i dont know abt push though ... have never tried that ...
 
Michael Yuan
author
Ranch Hand
Posts: 1427
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you do not sign your MIDlet, the user will be asked to approve the operations. If you do sign the MIDlet but fail to declare the required permissions, a SecuritryException will be thrown.
 
Cleverson Schmidt
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Michael

Thank you for your answer.

I couldn't find any statement on the MIDP2.0 specification which proves that when a MIDlet suite is signed and it doesn't explicitly ask for authorization in the JAD/Manifest, a SecurityException is thrown.

Actually I think it is a little bit illogical to deny the operation without first ask the user. What I could verify is that Sun WTK prompts the user when a signed MIDlet uses a sensitive operation without, explicitly; asks for the corresponding permission in the JAD file.

What lead me to think this way is that when an unsigned and untrusted MIDlet suite doesn�t add a MIDlet-Permission in the JAD file, it still can access sensitive operations, but with previous user authorization. No SecurityException is thrown; at least in the case the user authorizes the MIDlet to access the sensitive operation. But when a MIDlet is signed, in my opinion a signed MIDlet is at least more reliable than an unsigned one, the implementation, under the same circumstances; should not deny the access to the sensitive operation. The user should be warned and decide by himself.

What do you think?

Thank you in advance
Best Regards
Cleverson
[ August 19, 2004: Message edited by: Cleverson Schmidt ]
 
Fred Grott
Ranch Hand
Posts: 346
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I seem to remeber a discussion of exactly this conflict in the bug database that Sun runs..sorry do not remmeber what teh J2ME proejct lead had recommended would be for resolution..
 
Lindo Estrera
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Good Day.

I have to do some research on Permission, I am confused if the permission for a trusted MIDlet should be both declared on the JAR Manifest file and on JAD(application descriptor)file.

Or is there any case that JAD file has permission and JAR doesn't have? Or the opposite case having JAR file had permission and JAD doesn't have?

What is allowed and permitted then for MIDP2.0?

Need some explanations. Thanks a lot.
Note: Actually I have tried a code using Java toolkit with the following setup..

Permission attribute both present in JAD and JAR - OK
Permission attribute in JAD but not in JAR - OK
Permission attribute not in JAD but present in JAR - NG

Is there any document that explains this situation..please help..

--
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic