Win a copy of Testing JavaScript Applications this week in the HTML Pages with CSS and JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Bear Bibeault
  • Ron McLeod
  • Jeanne Boyarsky
  • Paul Clapham
Sheriffs:
  • Tim Cooke
  • Liutauras Vilda
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • fred rosenberger
  • salvin francis
Bartenders:
  • Piet Souris
  • Frits Walraven
  • Carey Brown

applet security:

 
Ranch Hand
Posts: 354
Eclipse IDE Oracle Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
jdk 1.0
-------
All applets are untrusted, hence all the restrictions.

jdk 1.1
--------
Applets can be trusted (when loaded from local classpath or when signed and keystored).
Once trusted, no restrictions. Untrusted applets are under all restrictions.

jdk 1.2+
--------
Restrictions are enforced thru security manager and policy files alone and the policies can be changed.

Is this understanding correct?

Questions:

Can extra permissions (in 1.2+) only be granted to trusted/signed applets? (I guess NO, they can be granted to unsigned applets as well)?

Is there any privilege that an applet can never have, no matter what the policy file says?

In any java environment, would it make any difference if the applet is signed but is not trusted (i.e. the certificate is not present in the keystore)?
 
Rancher
Posts: 43016
76
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Is this understanding correct?


Pretty much, except that in JDK 1.2+, applets can still be signed. Using permissions and policies is the preferred way (and I'm not sure which one takes precedence if both are used), but signing still works fine. Signing is also the more practical way, unless you're in a position to ask all users to change their local policy files (which is something most people would not have a clue how to do).

Can extra permissions (in 1.2+) only be granted to trusted/signed applets? (I guess NO, they can be granted to unsigned applets as well)?


As mentioned above, the two ways are independent of each other.

Is there any privilege that an applet can never have, no matter what the policy file says?


No.

In any java environment, would it make any difference if the applet is signed but is not trusted (i.e. the certificate is not present in the keystore)?


An applet is trusted if it's certificate is accepted by the user. If the user doesn't trust the applet (by not accepting the certificate), then it doesn't matter whether it is signed - it's considered untrusted code by the JVM.
 
Abhinav Srivastava
Ranch Hand
Posts: 354
Eclipse IDE Oracle Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
thanks for clarifying that.

here is an interesting read -
http://keepitlocked.net/archive/2007/10/10/a-brief-history-of-applet-security.aspx

In Java 2, Sun added Certificate Authorities to the Applet specification, so that anyone with enough money to pony up could create a universally trusted Applet. This was tempered by the fact that now the user could create a policy to restrict these signed Applets to a specific set of permissions. So signed Applets ask for permission to run, and are granted AllPermissions, unless there is a specific client-side policy for that Applet

 
You don't know me, but I've been looking all over the world for. Thanks to the help from this tiny ad:
Thread Boost feature
https://coderanch.com/t/674455/Thread-Boost-feature
    Bookmark Topic Watch Topic
  • New Topic