This week's book giveaway is in the Design forum.
We're giving away four copies of Building Microservices and have Sam Newman on-line!
See this thread for details.
The moose likes Applets and the fly likes Applet Security Clarification Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Building Microservices this week in the Design forum!
JavaRanch » Java Forums » Java » Applets
Bookmark "Applet Security Clarification" Watch "Applet Security Clarification" New topic

Applet Security Clarification

Nicki Watt

Joined: Aug 20, 2006
Posts: 16
Hi There,

Could somebody please confirm if my understanding of some core security details regarding applet security for JDK 1.2 and above are correct ... I am pretty sure A is fine, I just want to ensure B is correct !

From Java 1.2 onwards
A) if an applet is loaded into a browser over the net, and signed (ie it is trusted) it is still restricted in what it can do based on the SecurityManager and policy file combo
B) if an unsigned applet is loaded into a browser via the file system - its code has originated locally (ie it is included in the CLASSPATH of the browser) it is NOT treated in the same way as above in that it can automatically
* read and write files
* load libraries

My understanding is that both applet scenarios are still constrained by the SecurityManager but because scenario B was loaded from the file system, the default behaviour of the SecurityManager is different in these 2 cases ...

Would appreciate it if someone could either confirm or blat my analysis of these 2 scenarios !

Brian Mozhdehi
Ranch Hand

Joined: Aug 17, 2006
Posts: 81
an unsigned applet can not, regardless of where it was launched from, access the local machine, unless you manually overwrite the security policy files that protect this. I dont recall where the files are, but bottom line, by default they cant do it, but there is an obscure manual mechanism to override this.

Signed Applets must be "trusted" and once they are, they have the freedom to do whatever
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42958
Welcome to JavaRanch.

Some further information and links about applet security can be found on this FAQ page.
Nicki Watt

Joined: Aug 20, 2006
Posts: 16
Thanks, but then I am very confused as to what Sun mean in their FAQ when they state, and I quote ... ( see )

13 What is the difference between applets loaded over the net and applets loaded via the file system?

There are two different ways that applets are loaded by a Java system. The way an applet enters the system affects what it is allowed to do.

If an applet is loaded over the net, then it is loaded by the applet class loader, and is subject to the restrictions enforced by the applet security manager.

If an applet resides on the client's local disk, and in a directory that is on the client's CLASSPATH, then it is loaded by the file system loader. The most important differences are

* applets loaded via the file system are allowed to read and write files
* applets loaded via the file system are allowed to load libraries on the client
* applets loaded via the file system are allowed to exec processes
* applets loaded via the file system are allowed to exit the virtual machine
* applets loaded via the file system are not passed through the byte code verifier

Java-enabled browsers use the applet class loader to load applets specified with file: URLs. So, the restrictions and protections that accrue from the class loader and its associated security manager are now in effect for applets loaded via file: URLs.

This means that if you specify the URL like so:

Location: file:/home/me/public_html/something.html

and the file something.html contains an applet, the browser loads it using its applet class loader.
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42958
That FAQ entry seems to contradict itself, stating both that applets residing in file:/// URLs are loaded by the applet class loader and the file system class loader. (And, either way, the FAQ seems to be rather old).

In my experience, it can vary from browser to browser (and from appletviewer to appletviewer) whether the restrictions are enforced for file: URLs.
[ August 21, 2006: Message edited by: Ulf Dittmer ]
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link:
subject: Applet Security Clarification
It's not a secret anymore!