1) Tunneling can be nothing more than using the Command
pattern to serialize a request and stuff into an HTTP request (open port 80) and stream in the result. A
servlet can be used to deserialize the Command/XML and delegate the request (i.e., issue CORBA call). The result must be serialized and streamed out. You tunnel the request (as a
String) not the protocol (IIOP, JRMP). RMI and URLConnection give you some "roll your own" features. But effectively, you are doing the same.
3) "Listen" is a permission that must be granted.
4) Code doesn't load code, unless you are talking about native libraries which requires permission. Untrusted code might require some class which isn't loaded and the appletloader would attempt to load that class, given the state of the permissions.
Scott
[This message has been edited by scott irwin (edited May 31, 2001).]