Login/Register
Restrictions on what an unsigned Java applet can do?
Asked Answered
Solved javasecurityappletjvm
P

2

6

I'm trying to compile a complete list of all restrictions placed on unsigned Java applets (defined as things a normal Java application can do, but an unsigned Java applet cannot).

This is the list I've compiled so far:

An unsigned Java applet ...

  1. Cannot access the local filesystem.
    • Cannot access the system clipboard.
    • Cannot initiate a print job.
    • Cannot connect to or retrieve resources from any third party server (any server other than the server the applet originated from).
    • Cannot use multicast sockets.
    • Cannot create or register a SocketImplFactory, URLStreamHandlerFactory, or ContentHandlerFactory.
    • Cannot listen to incoming socket connections.
    • Cannot listen for datagrams.
    • Cannot access some of the system properties (java.class.path, java.home, user.dir, user.home, user.name).
    • Cannot create or register a SecurityManager object.
    • Cannot dynamically load native code libraries with the load() or loadLibrary() methods of Runtime or System.
    • Cannot spawn new processes by calling any of the Runtime.exec() methods.
    • Cannot create or access threads or thread groups outside of the thread group in which the untrusted code is running.
    • Cannot define classes in java.*, sun.* and netscape.*.
    • Cannot explicitly load classes from the sun.* package.
    • Cannot exit the Java runtime by calling System.exit() or Runtime.exit().
    • Cannot access the system event queue.
    • Cannot use the java.lang.Class reflection methods to obtain information about nonpublic members of a class, unless the class was loaded from the same host as the untrusted code.
    • Cannot manipulate security identities in any way (java.security).
    • Cannot set or read security properties (java.security).
    • Cannot list, look up, insert, or remove security providers (java.security).

Question: Are there any restrictions missing? If so, please clearly state what restriction you believe is missing from the list.

Pfeifer answered 27/9, 2009 at 13:37 Comment(3)
Applets (from 6u10) can use JNLP APIs to access the local file system (under control of the user). System clipboard is available under certain conditions. If the application attempts to print, a confirmation dialog is shown. Cross domain support allows accessing web servers with the server's permission. Server sockets can be listened to, but can only accept from same origin. No program can define classes in java.*, but I believe applets can define them in sun.* (just not usefully). The event queue of the applet is accessible. Reflection is based upon Java (1.0) language access.Apeman
Did you get that list from somewhere? If you really want a full list of checks, you can grep for SecurityManager in the source, although that wont cover any extension library restrictions..Apeman
Tom: The list is a compilation of similar incomplete lists on the net.Pfeifer
R
3

See this from Sun's tutorial: What Applets Can and Cannot Do.

Rothko answered 27/9, 2009 at 14:3 Comment(0)
C
1

Also you cannot register an UncaughtExceptionHandler.

Carvey answered 9/1, 2012 at 1:8 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.