Why this difference between Jdk versions for Applet?

Hi,

I was testing an Applet in JDK1.3, yes, 1.3 and in Jdk1.6.0_39 using appletviewver.

I got response in 1.3 in 2 sec and it took 15 sec to show that rsponse in my installed jdk 1.6.0_39 ie latest.

Besides, in 1.6 I was getting

socket creation= java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:80 connect,resolve)

for a call
socket = new Socket(host, 80);

on localhost and that in appletviewer !!!

Any thoughts?

Thanks,


Maki Jav

Applets can only open sockets that go to the host where they were served from. if you want topen sockets to other hosts you have to sign the applet.

It is running locally and Applet is on local computer. It was only in Jdk1.6 I was getting this exception and not in Jdk1.3. That is why I am asking this question...

I just copied Jdk1.6.0_39 to drive d: so as to avoid any access restrictions and ran the applet from its bin folder just as I was doing for jdk1.3. Got the same results.
some output statements from Applet to appletviewer window
getDocumentBase()
url=file:/D:/jdk1.6.0_39/bin/info.html url.getHost() =
socket creation= java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:80 connect,resolve)


The Applet is running from a local file and from the same very machine but it is not able to open socket to localhost only in Jdk1.6 but in Jdk1.3 the speed is good and it does make connection to local host and give me expected results...

There must be something wrong that Oracle engineers have done to it ie Jdk1.6 or it must require a .java.policy file even for a local machine now.

On my site, where there is that Applet too, it runs from there okay. whether Jdk 1.3 or Jdk 1.6 is installed


Thanks,

Maki Jav

Yes, I think they tightened security enforcement between Java 1.3 and Java 6.

Yes, I have changed .java.policy for jdk1.6.0_38 using its policy tool and it is working. But it takes a lot longer time than jdk1.3; and the beauty that I was catching my computer name ie Host name is no longer there in Jdk1.6.

And yes, using Appletviewer to view or run local files is like using a Swing based GUI Java application running on one's own system. And if they are restricting one to do anything one likes with his computer (using appletviewer), it is really stupid.


And besides I would vote for jre 1.3 as it did not have the problem that jre1.6 faced and even Oracle is trying get the vulnerbility of Jdk 1.6 across when we view an applet on a web page. It says to upgrade to jre 7.

I would like to make a lot of things in Applets. Oh I hear "ajax" and a million libraries based on Javascript... Well I can do a lot with a non-gui based Java Applet on a web page.
And turning off of Java in a browser by client? Well well we have NoScript add-on for Firefox and I used it all time
Without permissions, and Applet and Javascript is equivalent. And building trust among user of a page is our task.


Maki Jav

Without permissions, and Applet and Javascript is equivalent.

Unfortunately not. The JVM continues to have security holes that can be (and are) exploited by malicious applets. JavaScript engines -which by their nature do not have full access to the client machine- do not have this problem.

I won't be making malicious Applets for visitors of my sites. Would you?


I can have clear instructions and a .java.policy file for clients to download with ample comments and restrictions, if I need to access client side. Others no need to do that.



Thanks,

Maki Jav

Having users fiddle with policy files is not a viable approach unless the users are highly technical, and very motivated to use the applet.

I won't be making malicious Applets for visitors of my sites.

Goog. That would likely be illegal anyway :-)