Applet Security Issue

 
Ron VanDerMaarel
Guest
Posted: Mon Nov 22, 2004 6:25 pm    Post subject: Applet Security Issue

Hi All.

We have created a Java application that runs our business
application, and are now looking to run it as an applet so that it can
be accessed from the internet. We have loaded both the classes and a
jar file to the web server for testing, and have found that when we
try to run the applet, it returns a java.net.SocketPermission error,
which can be corrected by placing the correct permissions in the
.java.profile file in the user's home directory. This raises our first
question.

#1. Do we have to install the .java.profile file in the home
directory of each user, or is there an easier way to make the applet
work without this? We have users that may access the applet from any
PC on the internet, and find it hard to believe we have to have the
.java.profile file installed first.

One thing we have found while testing is that the applet works fine if
everything is located on the office network (i.e. http code CODEBASE =
. and database connection is on an IP address located in the
office).

#2. Is it because the code is located on the same machine that the
applet is being accessed from that makes this work? Once we make the
CODEBASE = "the web address", that is when we run into problems.


Thank You
Ron VanDerMaarel
VDM Management Systems Inc.

Chris
Guest
Posted: Tue Nov 23, 2004 2:28 am    Post subject: Re: Applet Security Issue

Hi,
Yes, the problem is precisely that: applets, barring additional
permissions, are only allowed to open network connections to their
originating machine (the machine their code is downloaded from). The
"proper" solution is to sign the applet, but that opens many evil
cans of worms (you actually have to sign something like three times,
once for Netscape, once for IE, and once for the Java plugin), and
then use the three different APIs to request the required additional
permissions, etc., etc. Don't go there. I'd say the best way of doing
this is to set up port forwarding from the web server to the database
server, then have the applet connect to the web server and access the
database through the forward.

Also, I must inform you that if this is intended for public use, what
you've done is a bad idea: the applet should *almost* *never* connect
directly to the database in a public system. See, someone could easily
download your applet and pull a username and password out for the
database. Once this is done, they can log into the database directly.
In general, the database's access control system doesn't provide the
level of control necessary to make this "not a problem".

A better solution is usually to use servlets to talk to the database
and have the applet talk to the servlets. The applet and servlets
could send (for example) XML back and forth. This also means there's
less chance of somebody not being able to connect because they're
behind a firewall which doesn't allow outbound connections to the
database at your site. Using the servlet method, the applet only needs
to be able to access the Web (which is obviously already possible,
since the user downloaded the applet).

Anyway, those are my two cents.
Chris
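
An added example, not code from the thread: a minimal servlet middle tier of the kind described in the reply above, where the database credentials stay in the server's DataSource configuration and the servlet, not the applet, decides which rows a caller may read. The class name, the JNDI name `jdbc/AppDB`, and the `orders` table with its columns are hypothetical; it assumes the javax.servlet API and container-managed authentication.

```java
// Added example: servlet middle tier. OrderServlet, jdbc/AppDB and the orders table are hypothetical.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class OrderServlet extends HttpServlet {
    private DataSource db;
    @Override
    public void init() throws ServletException {
        try {   // credentials live in the container's DataSource config, not in a downloadable class
            db = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException(e);
        }
    }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser();          // null unless the container authenticated the caller
        if (user == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        StringBuilder xml = new StringBuilder("<orders>\n");
        try (Connection c = db.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT id, total FROM orders WHERE owner = ?")) {
            ps.setString(1, user);                  // the server fixes the row filter; the client cannot widen it
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {                 // numeric columns only, so no XML escaping is needed
                    xml.append(String.format("  <order id=\"%d\" total=\"%s\"/>%n",
                        rs.getLong("id"), rs.getBigDecimal("total")));
                }
            }
        } catch (SQLException e) {
            log("order query failed", e);           // details go to the server log, not to the client
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        resp.setContentType("text/xml;charset=UTF-8");
        resp.getWriter().write(xml.append("</orders>\n").toString());
    }
}
```

On the applet side, the request URL would be built from `getCodeBase()`, so the connection goes to the originating host and needs no extra SocketPermission.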

Terry
Guest
Posted: Fri Nov 26, 2004 2:42 pm    Post subject: Re: Applet Security Issue

Chris,

There is no direct connection to the database, because one thing that
was not mentioned which would impact the programming substantially, is
that we already have designed an RMI server that works fine with the
internal office LAN. Instead of going with an applet-to-servlet design
we are considering an applet-to-RMI server design. Looks to me though
that this will still require port forwarding between the web server
and the RMI server. For now the database and the RMI reside on the
same server.

Any suggestions?

Terry VanDerMaarel
VDM Management Systems Inc.

Chris
Guest
Posted: Sat Nov 27, 2004 7:27 pm    Post subject: Re: Applet Security Issue

Hi,
I'm not very familiar with RMI, but yes, assuming it works in an
applet at all, you would need to port-forward from the Web server to
the RMI server, so that your Internet connections from the applet are
going to the same machine its code came from (or, once again, sign
it).

Chris
All times are GMT