Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Restrictions on what an unsigned Java applet can do?

Tags:

java

security

jvm

applet

I'm trying to compile a complete list of all restrictions placed on unsigned Java applets (defined as things a normal Java application can do, but an unsigned Java applet cannot).

This is the list I've compiled so far:

An unsigned Java applet ...

  1. Cannot access the local filesystem.
    • Cannot access the system clipboard.
    • Cannot initiate a print job.
    • Cannot connect to or retrieve resources from any third party server (any server other than the server the applet originated from).
    • Cannot use multicast sockets.
    • Cannot create or register a SocketImplFactory, URLStreamHandlerFactory, or ContentHandlerFactory.
    • Cannot listen to incoming socket connections.
    • Cannot listen for datagrams.
    • Cannot access some of the system properties (java.class.path, java.home, user.dir, user.home, user.name).
    • Cannot create or register a SecurityManager object.
    • Cannot dynamically load native code libraries with the load() or loadLibrary() methods of Runtime or System.
    • Cannot spawn new processes by calling any of the Runtime.exec() methods.
    • Cannot create or access threads or thread groups outside of the thread group in which the untrusted code is running.
    • Cannot define classes in java.*, sun.* and netscape.*.
    • Cannot explicitly load classes from the sun.* package.
    • Cannot exit the Java runtime by calling System.exit() or Runtime.exit().
    • Cannot access the system event queue.
    • Cannot use the java.lang.Class reflection methods to obtain information about nonpublic members of a class, unless the class was loaded from the same host as the untrusted code.
    • Cannot manipulate security identities in any way (java.security).
    • Cannot set or read security properties (java.security).
    • Cannot list, look up, insert, or remove security providers (java.security).

Question: Are there any restrictions missing? If so, please clearly state what restriction you believe is missing from the list.

like image 887
knorv Avatar asked Sep 27 '09 13:09

knorv

People also ask

What are the restrictions imposed on Java applets?

An applet cannot load libraries or define native methods. An applet cannot ordinarily read or write files on the execution host. An applet cannot read certain system properties. An applet cannot make network connections except to the host that it came from.

Why there are so many restrictions in applet programming?

Applets have many restrictions over the areas of security because they are obtained from remote machines and can harm client-side machines.

What are the security issues related to Java applets?

There is a security model for Java applets that has two rules: Applets may communicate only with the Web server from which they were downloaded. Applets may not have access to local resources, such as files, the clipboard and printer ports, on a workstation to which they are downloaded.

2 Answers

See this from Sun's tutorial: What Applets Can and Cannot Do.

like image 92
Jesper Avatar answered Sep 30 '22 19:09

Jesper

Also you cannot register an UncaughtExceptionHandler.

like image 32
fury Avatar answered Sep 30 '22 19:09

fury
Sign in to Comment

Related questions

AspectJ load-time weaving in production systems
Java Pdf Diff library
EJB and Synchronization
Performance of hibernate Second Level Caching ehcache
Keeping i18n resources synced
GWT with a Content Management System
Scala - Java interop: can Scala emit enums in bytecode for Java to consume?
List as a named parameter in JPA query using TopLink
Do any Java libraries use annotations for code generation?
Bulk upload data into data store for GAE Java project
Converting an Eclipse Java project to a Google AppEngine one
What are good methods to perform spreadsheet-like calculations in a programming language?
Hibernate one to many using something other than a primary key
Catching every exception in Java EE web apps
How to draw a 2d overlay on a Java 3d scene?
Creating triggers over JDBC (oracle)
Jetty Servlet does not run -- getting directory listing instead
Is constant polling in RXTX necessary?
parsing/scanning/tokenizing "raw XML"
JAXB XJC code generation - ObjectFactory class is incomplete

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!