Applet Security Clarification

 
Author
Hi There,

Could somebody please confirm whether my understanding of some core security details regarding applet security for JDK 1.2 and above is correct ... I am pretty sure A is fine, I just want to ensure B is correct!

From Java 1.2 onwards
A) if an applet is loaded into a browser over the net and signed (i.e. it is trusted), it is still restricted in what it can do based on the SecurityManager and policy file combo
B) if an unsigned applet is loaded into a browser via the file system, its code has originated locally (i.e. it is included in the CLASSPATH of the browser), and it is NOT treated in the same way as above, in that it can automatically
* read and write files
* load libraries

My understanding is that both applet scenarios are still constrained by the SecurityManager but because scenario B was loaded from the file system, the default behaviour of the SecurityManager is different in these 2 cases ...

Would appreciate it if someone could either confirm or blat my analysis of these 2 scenarios !

Thanks
Nicki
 
Ranch Hand
An unsigned applet cannot, regardless of where it was launched from, access the local machine, unless you manually overwrite the security policy files that protect this. I don't recall where the files are, but bottom line, by default they can't do it, but there is an obscure manual mechanism to override this.

Signed Applets must be "trusted" and once they are, they have the freedom to do whatever
 
Rancher
Welcome to JavaRanch.

Some further information and links about applet security can be found on this FAQ page.
 
Nicki Watt
Author
Thanks, but then I am very confused as to what Sun mean in their FAQ when they state, and I quote (see http://java.sun.com/sfaq):

13 What is the difference between applets loaded over the net and applets loaded via the file system?

There are two different ways that applets are loaded by a Java system. The way an applet enters the system affects what it is allowed to do.

If an applet is loaded over the net, then it is loaded by the applet class loader, and is subject to the restrictions enforced by the applet security manager.

If an applet resides on the client's local disk, and in a directory that is on the client's CLASSPATH, then it is loaded by the file system loader. The most important differences are

* applets loaded via the file system are allowed to read and write files
* applets loaded via the file system are allowed to load libraries on the client
* applets loaded via the file system are allowed to exec processes
* applets loaded via the file system are allowed to exit the virtual machine
* applets loaded via the file system are not passed through the byte code verifier

Java-enabled browsers use the applet class loader to load applets specified with file: URLs. So, the restrictions and protections that accrue from the class loader and its associated security manager are now in effect for applets loaded via file: URLs.

This means that if you specify the URL like so:

Location: file:/home/me/public_html/something.html

and the file something.html contains an applet, the browser loads it using its applet class loader.
 
Ulf Dittmer
Rancher
That FAQ entry seems to contradict itself, stating both that applets residing in file:/// URLs are loaded by the applet class loader and the file system class loader. (And, either way, the FAQ seems to be rather old).

In my experience, it can vary from browser to browser (and from appletviewer to appletviewer) whether the restrictions are enforced for file: URLs.
[ August 21, 2006: Message edited by: Ulf Dittmer ]
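The "SecurityManager and policy file combo" from the opening question, shown as an added example that is not part of this thread: a small Java 8-era program that asks the installed SecurityManager whether a file read is allowed, plus a constructed policy file whose `codeBase` grant uses the path quoted from the Sun FAQ. The class name, the policy file name and the two paths are assumptions made for the demo.

```java
/*
 * Constructed demo (not from the thread) of how the SecurityManager and the
 * policy file decide together what code is allowed to do.
 *
 * Run it twice with a Java 8-era JDK:
 *
 *   java AppletPolicyDemo
 *   java -Djava.security.manager -Djava.security.policy=demo.policy AppletPolicyDemo
 *
 * demo.policy (constructed; the codeBase is the directory from the Sun FAQ):
 *
 *   grant codeBase "file:/home/me/public_html/-" {
 *       permission java.io.FilePermission "/tmp/-", "read";
 *   };
 *
 * Only code whose ProtectionDomain codeBase matches the grant receives that
 * FilePermission; the same SecurityManager refuses everything else. When no
 * SecurityManager is installed at all, nothing is checked, which is the
 * browser-dependent situation described for file: URLs in the last reply.
 */
public class AppletPolicyDemo {

    /** True if the calling code may read the given path under the installed policy. */
    static boolean canRead(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // Same test java.io.FileInputStream makes: no manager, no restriction.
            return true;
        }
        try {
            // Equivalent to checkPermission(new FilePermission(path, "read")),
            // resolved against the policy for the caller's codeBase.
            sm.checkRead(path);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No SecurityManager installed: nothing is restricted.");
        }
        for (String path : new String[] {"/tmp/notes.txt", "/etc/passwd"}) {
            System.out.println(path + " readable: " + canRead(path));
        }
    }
}
```

With the manager and policy installed, code under `/home/me/public_html/` gets `true` for the `/tmp` path and `false` for `/etc/passwd`; code loaded from anywhere else gets `false` for both.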