This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes Applets and the fly likes Applet Security Clarification Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Applets
Bookmark "Applet Security Clarification" Watch "Applet Security Clarification" New topic
Author

Applet Security Clarification

Nicki Watt
Greenhorn

Joined: Aug 20, 2006
Posts: 2
Hi There,

Could somebody please confirm if my understanding of some core security details regarding applet security for JDK 1.2 and above are correct ... I am pretty sure A is fine, I just want to ensure B is correct !

From Java 1.2 onwards
A) if an applet is loaded into a browser over the net, and signed (ie it is trusted) it is still restricted in what it can do based on the SecurityManager and policy file combo
B) if an unsigned applet is loaded into a browser via the file system - its code has originated locally (ie it is included in the CLASSPATH of the browser) it is NOT treated in the same way as above in that it can automatically
* read and write files
* load libraries

My understanding is that both applet scenarios are still constrained by the SecurityManager but because scenario B was loaded from the file system, the default behaviour of the SecurityManager is different in these 2 cases ...

Would appreciate it if someone could either confirm or blat my analysis of these 2 scenarios !

Thanks
Nicki
Brian Mozhdehi
Ranch Hand

Joined: Aug 17, 2006
Posts: 81
an unsigned applet can not, regardless of where it was launched from, access the local machine, unless you manually overwrite the security policy files that protect this. I dont recall where the files are, but bottom line, by default they cant do it, but there is an obscure manual mechanism to override this.

Signed Applets must be "trusted" and once they are, they have the freedom to do whatever
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41180
    
  45
Welcome to JavaRanch.

Some further information and links about applet security can be found on this FAQ page.


Ping & DNS - my free Android networking tools app
Nicki Watt
Greenhorn

Joined: Aug 20, 2006
Posts: 2
Thanks, but then I am very confused as to what Sun mean in their FAQ when they state, and I quote ... ( see http://java.sun.com/sfaq )

13 What is the difference between applets loaded over the net and applets loaded via the file system?

There are two different ways that applets are loaded by a Java system. The way an applet enters the system affects what it is allowed to do.

If an applet is loaded over the net, then it is loaded by the applet class loader, and is subject to the restrictions enforced by the applet security manager.

If an applet resides on the client's local disk, and in a directory that is on the client's CLASSPATH, then it is loaded by the file system loader. The most important differences are

* applets loaded via the file system are allowed to read and write files
* applets loaded via the file system are allowed to load libraries on the client
* applets loaded via the file system are allowed to exec processes
* applets loaded via the file system are allowed to exit the virtual machine
* applets loaded via the file system are not passed through the byte code verifier

Java-enabled browsers use the applet class loader to load applets specified with file: URLs. So, the restrictions and protections that accrue from the class loader and its associated security manager are now in effect for applets loaded via file: URLs.

This means that if you specify the URL like so:

Location: file:/home/me/public_html/something.html

and the file something.html contains an applet, the browser loads it using its applet class loader.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41180
    
  45
That FAQ entry seems to contradict itself, stating both that applets residing in file:/// URLs are loaded by the applet class loader and the file system class loader. (And, either way, the FAQ seems to be rather old).

In my experience, it can vary from browser to browser (and from appletviewer to appletviewer) whether the restrictions are enforced for file: URLs.
[ August 21, 2006: Message edited by: Ulf Dittmer ]
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Applet Security Clarification
 
Similar Threads
SCJEA Sample questions on Sun's site (whoops)
applet restriction question
difference between applet & application.
Issues with Jar Files and loading images
SSL and Security basic questions