GeeCON Prague 2014*
The moose likes Applets and the fly likes Residual jar file of Applet? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


JavaRanch » Java Forums » Java » Applets
Bookmark "Residual jar file of Applet?" Watch "Residual jar file of Applet?" New topic
Author

Residual jar file of Applet?

Silvio Esser
Ranch Hand

Joined: Nov 05, 2005
Posts: 58
Once you closed the browser that ran an Applet, is the jar file containing the Applet left on the hard disk or the RAM of computer?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42035
    
  64
Applet jar files are cached, and remain somewhere on the hard disk. The location and size of the jar cache can be adjusted with the Java Plugin control panel.


Ping & DNS - my free Android networking tools app
Silvio Esser
Ranch Hand

Joined: Nov 05, 2005
Posts: 58
Originally posted by Ulf Dittmer:
Applet jar files are cached, and remain somewhere on the hard disk. The location and size of the jar cache can be adjusted with the Java Plugin control panel.


So someone can get the jar file and de-compile it. It is an security issue.
Is there a way to delete it after browser is closed or just keep all the classes in RAM?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42035
    
  64
No, the applet can't do anything about that - the cache is entirely dependent on client-side settings.

But having the jar cached is not more of a risk than publishing the applet in the first place. If the JVM can download the jar file, then so can the user by typing the address in the browser URL field. Caching doesn't make this any easier to do (in fact, it would take me longer to dig up the cache directory than to download the jar file directly).

So, from a security standpoint, the cache doesn't make anything worse than it already is.
Silvio Esser
Ranch Hand

Joined: Nov 05, 2005
Posts: 58
Originally posted by Ulf Dittmer:
...

So, from a security standpoint, the cache doesn't make anything worse than it already is.


It does.

Since it is a secure application, any user who can retrieve the jar has to login first because the URL of the jar is protected. A person who is not authenticated will not be able to establish a secure session, and therefore the server will deny his/her access to any application URLs except the login screen.

Now the jar is cached in HD. Technically, anyone who can get hold of the HD can get the jar.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42035
    
  64
I see. Then it gets tricky.

If you can make the applet a signed applet you could use encrypted class files and a classloader that uses a user-supplied password to decrypt and run those.

If you can require the user to be online, you might move certain critical pieces of the code to a web app, and have the applet call those, instead of executing them locally. Whether that's feasible depends on the required response time, of course, and the number of expected users.
Silvio Esser
Ranch Hand

Joined: Nov 05, 2005
Posts: 58
Encryption can make things very complex and slow.

I'm hoping that the Classloader of the JVM that runs the Applet can load the
classes from the internet (not from the jar). If it could be done, the Java classes would be just in the RAM. When the browser is closed, the RAM that the Applet classes used will be available for other things. So we can say no residual.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42035
    
  64
That's a good point - using a class file hierarchy instead of a jar file would circumvent this particular problem.
Silvio Esser
Ranch Hand

Joined: Nov 05, 2005
Posts: 58
Originally posted by Ulf Dittmer:
That's a good point - using a class file hierarchy instead of a jar file would circumvent this particular problem.


How to use class file hierarchy in Applet?

Is there a way to instruct the Classloader of the JVM running in a Browser to load the classes from the internet, not local jar file?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42035
    
  64
You would not use jar files at all (or maybe only for 3rd-party libraries and code you don't consider important). The class file hierarchy would be kept as loose files in the same directory as the HTML page having the APPLET tag (or some other directory pointed to by a codebase attribute). In any case, no archive attribute.

Some more detail is here.
[ June 09, 2008: Message edited by: Ulf Dittmer ]
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Residual jar file of Applet?