Java 2 Applet Security


Abdul Habra, 2.7.2000

Java 2 (JDK 1.2) introduced a new security model for Applets. Applets that run outside the sandbox no longer need to have certificates. An initialization text file, stored on the user's disk, can tell the JVM what "forbidden" resources are accessible to the applet. This article will show you how to do that.

What do you need: You must have the JDK 1.2 (or higher). For this example, I am using MS-Windows NT 4.0 (SP 5.0) and JDK 1.2.2-001.

1. Create Work Directory: For our test, create a directory and call it "C:\Test\". This directory will contain our Java program.

2. The Applet: Create an applet that will run outside the sandbox, for this example, the applet will write to the hard disk. Here is the source code:

import java.awt.*;
import java.io.*;
import java.applet.*;

public class NoBox extends Applet {

  public void paint(Graphics g) {
    String fileName = "NoBox.txt";
    try {
      FileOutputStream fos = new FileOutputStream(fileName);
      PrintStream outputFile = new PrintStream(fos);
      outputFile.println("This file was created by a Java Applet");
      outputFile.close();
      fos.close();
      g.drawString("The applet created the file " + fileName, 10, 20);
    }
    catch (SecurityException e) {
      g.drawString(e + "", 10, 20);
    }
    catch (IOException ioe) {
      g.drawString("NoBox: i/o exception", 10, 20);
    }
  } // paint

} // NoBox


The file should be named "NoBox.java" and located in "C:\Test\" directory. Compile this file into NoBox.class.

3. The HTML Document: Now, create an HTML file (NoBox.html) to display this applet. Here is how:

<html>
<title> Testing Java2 Security </title>
<applet code=NoBox.class width=600 height=100> </applet>
</html>

4. Appletviewer: To test the applet, view it with the Appletviewer like this:

C:\Test>appletviewer NoBox.html

And BANG, you got an error message like this:

"java.security.AccessControlException: access denied (java.io.FilePermission NoBox.txt write)"

In English, this means that the applet can not write to your hard disk. Which shows that Java is doing what it is supposed to do.

5. Giving Permission: Now go to you home directory. If you are using Unix, you should know what a home directory is. However, for Windows NT, this is usually "C:\WINNT\Profiles\UserName\", while for Windows 95/98 is "C:\Windows\".

Check if there is a file named ".java.policy". If it exists, open it with a text editor, otherwise, create a text file with this name ".java.policy".

Add the following lines to the file:

grant codeBase "file:/c:/Test/" {
  permission java.io.FilePermission "<<ALL FILES>>", "write";
};

Save and close the file. Now view the applet again (see step 4). The viewer should display this message "The applet created the file NoBox.txt".

Look in the "C:\Test\" directory and you will find a file named "NoBox.txt".

What happened here is that the JVM looked in your home directory for the file ".java.policy" and granted the applet residing in "C:\Test\" the right to write to the disk. The permission can be stricter, for example, the applet can be restricted to only read from the disk.

6. Conclusion: Java2 security model allows applet access to specific resources on the user's machine without the need for certificates.

You can not run the applet with a Microsoft or Netscape web browser (current versions) directly. Both do not support Java 2 specifications. Fortunately, there is a solution. You need to use the Java 2 plug-in from Sun. Installing and running it is another story that you can read at http://java.sun.com/products/plugin/.

This article was a quick introduction to Java 2 Security. You can find many examples on the web. Here are some:

http://java.sun.com/docs/books/tutorial/security1.2/tour1/index.html
http://developer.java.sun.com/developer/onlineTraining/Security/Fundamentals/abstract.html
http://www.redbooks.ibm.com/abstracts/sg242109.html


Comments