
Applet security restriction

 
Wolfgang Tintemann
Ranch Hand
Posts: 65
I recently read about what is forbidden for a normal Applet:

Create a network connection to any computer other than the host from which it originated.

I simply wanted to read a website via HttpURLConnection and this failed with access denial as mentioned above.
I am puzzled now: what kind of crime shall be prevented by this restriction?
I can read this page in every browser - why not by an Applet?

Please give me the argument as I don't understand this.
 
Paul Clapham
Sheriff
Posts: 21416
Without that restriction, the applet could connect to any site and upload any information it had asked you to input. Reading from a foreign server isn't that much of a problem, but writing to one certainly is.
 
Wolfgang Tintemann
Ranch Hand
Posts: 65
Paul Clapham wrote:... Reading from a foreign server isn't that much of a problem, but writing to one certainly is.


I agree with this statement. But then: why is reading forbidden?

I am only an advanced beginner, but as far as I understand it is possible with JavaScript to read from a network connection to any computer. So: is this a bug in the security software for Java Applets? There is a command setDoInput in the API and I think if I execute this then why is reading not allowed. But there may be other reasons for not allowing this.
What about PHP? Are there similar restrictions?

 
Ulf Dittmer
Rancher
Posts: 42968
Standard Java sockets provide two-way communication, so unless the JVM had a type of one-way socket, there's no easy way to differentiate between read-only and read/write. It's not a bug in the security system, it's designed to work that way.

It could be argued that JavaScript being able to connect everywhere is a security hole; it wasn't originally intended to be that way. See Same origin policy and the "official" (and safe) way to get around it, Cross-Origin Resource Sharing.
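
The same-origin policy and CORS mentioned in the last reply, as an added example that is not part of the original thread: a simplified model of how a browser decides whether a script may read a response. It covers only simple (non-preflighted) requests, and the function names, URLs and header objects are constructed for illustration.

```javascript
// Simplified model of the browser's same-origin check and the CORS check
// on a simple cross-origin response. Not a full implementation: preflight
// requests and header/method allow-lists are left out.

// Two URLs share an origin when scheme, host and port all match.
// URL.origin normalises default ports (http:80, https:443).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// May script running on pageUrl read the response to a request for requestUrl?
// responseHeaders: plain object with lower-case header names (constructed input).
function canReadResponse(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  // Same origin: always readable, the situation an unsigned applet is limited to.
  if (sameOrigin(pageUrl, requestUrl)) return true;

  // Cross origin: the *server* must opt in with Access-Control-Allow-Origin.
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;

  const pageOrigin = new URL(pageUrl).origin;
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // With cookies attached the wildcard is not accepted, and the server must
  // also send Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin &&
         responseHeaders["access-control-allow-credentials"] === "true";
}

// Constructed sample cases.
const page = "https://app.example/index.html";
const api = "https://api.example/data";
console.log(canReadResponse(page, "https://app.example/own", {}));               // true
console.log(canReadResponse(page, api, {}));                                      // false
console.log(canReadResponse(page, api, { "access-control-allow-origin": "*" })); // true
console.log(canReadResponse(page, api, { "access-control-allow-origin": "*" }, true)); // false
```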
 