As I am about to embark on a large project involving an applet that will require arbitrary read access to the user drive, I am worried that signed applets will not allow me free access to the local disk. That said there has been no specific mention that I can find of what, if any, *read* restrictions apply for Java applets within IE7s sandbox.
I would like to make the assumption that after the user has given permission to the signed applet there is:
write access - only within applet scope delete access - only within applet scope read access - *full permissions!*
I really want to know for sure before I chose Java as my platform of choice for this project. Can someone help me out?
There is no particular "applet scope". If the applet is signed, and the user accepts its certificate, then the applet can do everything the user can do. [ August 19, 2007: Message edited by: Ulf Dittmer ]
Joined: Aug 18, 2007
Apparently applets run within IE7 that comes with Vista is different, and this known limitation is stated within the Java release notes. It only directly mentions saving and deleting files, though. I am still unsure how restricted read access is.
Joined: Aug 18, 2007
To whom it may concern,
I deciced to follow-up on this question now that I have gone to the lengths of finding the answer. I am now developing on a Vista machine and most manufacturers ship Java with their PCs, including mine. Most of the machines out there pre-installed with Windows Vista also have IE7 and the version of the Java that does not circumvent the tighter sandbox of IE7. This problem (Bug ID: 6504236) has caused much pain to people maintaining applications that used to take local disk access on signed applets for granted, as they should.
The bug claims to be fixed as of November pending a branch merge. While users encountering your website could be encouraged to get the latest version of the runtime, installation requests and futher disruption to the end-user experience can affect your bottom line. So best to try and work within the sandbox for those users who have had their Java installed by the OEMs the last year and saw the Java update balloons as annoyware (similar to every other update request the average user is bombarded with).
So, I tested signed applets on Java 1.6.0_02_b6 and found:
Internet Explorer 7.0.6000.16546 - Arbitrary read access - Write file/directory and delete restricted to %USERPROFILE%\AppData\LocalLow\ - Searching on the internet suggests %USERPROFILE% is not directly accessible by Java - the closest is System.getproperty("user.home") which Java find by getting the Desktop folder and finding its parent... dumb as the desktop folder can be moved around. (It's been like this since 1.3 - Bug ID: 4787931 )
Moral of the story, if you want to write to the local drive, be sure to detect for Vista do some nifty tricks to get the LocalLow directory of the user. I hope this helps other people who need to store local data and don't want to torture the user anymore than the Java install process already does.