Applet Security

Signed applets

User will be asked if they want to accept the applet

Signed applet may access files depending on the security policy file "java.policy"

Signed applets get access to everything - all or nothing approach.

JNLP (similar to webstart) allows finer grained control - this is a full installation of an application.

Restrictions

These restrictions don't apply if the applet is on the browser's class path. Otherwise, applets:

  • may not read and write files
  • may not load libraries on the client
  • may not load or run native code/libraries
  • not allowed to exec processes
  • not allowed to exit the virtual machine
  • are passed through the byte code verifier
  • may not print

Policy Files

Control File

  • $JAVA_HOME/jre/lib/security/

Separate policy files for each applet can be listed in the ${java.home}/lib/security/java.security file:

 policy.url.3=<url>
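
A policy file that such a policy.url entry could point to, added here as an example and not taken from the original page. It shows an all-permissions grant (commented out) beside a grant limited to one signer, one code base and one directory; the signer alias, keystore name, code base URL and directory name are constructed placeholders.

```text
// applet.policy: constructed example; every name and URL below is a placeholder.
// Registered through the java.security entry shown above, e.g.
//   policy.url.3=file:${user.home}/applet.policy

// Keystore holding the certificate for the signer alias used in signedBy.
// A relative URL is resolved against the location of this policy file.
keystore "applet-signers.jks", "JKS";

// Too broad: signed code from this signer gets every permission.
// grant signedBy "examplesigner" {
//     permission java.security.AllPermission;
// };

// Narrower: the code must be signed by the alias AND come from this code base
// ("/-" covers everything below that directory, recursively).
grant signedBy "examplesigner", codeBase "https://applets.example.com/reports/-" {
    // Read and write only inside one data directory under the user's home.
    permission java.io.FilePermission "${user.home}${/}reports-data${/}-", "read,write";
    // One property outside the default readable list, read-only.
    permission java.util.PropertyPermission "user.home", "read";
};
```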


Network access

Only allowed to connect to the machine the applet was loaded from

Name must match the name in the URL downloaded from

Access to files

Cannot access files by default

System properties

Only allowed access to the following properties:

 java.version        Java version number
 java.vendor         Java vendor-specific string
 java.vendor.url     Java vendor URL
 java.class.version  Java class version number
 os.name             Operating system name
 os.arch             Operating system architecture
 os.version          Operating system version
 file.separator      File separator (e.g. "/")
 path.separator      Path separator (e.g. ":")
 line.separator      Line separator

Persist data

Can use connection to server to persist information