The goal for the JDK is to enable browsers to run untrusted applets in
a trusted environment. Our approach is to be conservative at first,
and to add functionality when it can be added securely. The intent is
to prevent applets from inspecting or changing files on the client
file system. Also, the intent is to prevent applets from using
network connections to circumvent file protections or people's
expectations of privacy.
JDK 1.1 provides the basic technology for loading and authenticating
signed classes. This enables browsers to run trusted applets in a
trusted environment. This does not make obselete the need to run
untrusted applets in a secure way. In the release following JDK 1.1,
we will provide tools for finer-grained control of flexible security
policies.
See the chronology page to
check on the status of security-related bugs.
Applet Security
- Applets
- What are applets prevented from doing?
- Can applets read or write files?
- How do I let an applet read a file?
- How do I let an applet write a file?
- What system properties can be read by applets, and how?
- How do I hide system properties that applets are allowed to read by default?
- How can I allow applets to read system properties that they aren't allowed to read by default?
- How can an applet open a network connection to a computer on the internet?
- How can an applet open a network connection
to its originating host?
- How can an applet maintain persistent state?
- Can an applet start another program running on the client?
- What features of the Java language help people build secure applets?
- What is the difference between applets loaded over the net,
and applets loaded via the file system?
- What's the applet class loader, and what does it buy me?
- What's the applet security manager, and what does it buy me?
- Is there a summary of applet capabilities?
- If other languages are compiled to Java
bytecodes, how does that affect the applet security model?
- Examples
- Tiny applet examples that demonstrate the security features of your web browser.
- Glossary
- Terms used in this FAQ.
- See Also
- Other references on Java security
- What are applets prevented from doing?
In general, applets loaded over the net are
prevented from reading and writing files on the client file system, and from making network
connections except to the originating
host.
In addition, applets loaded over the net are prevented from
starting other programs on the client. Applets loaded over the net
are also not allowed to load libraries, or to define native method
calls. If an applet could define native method calls, that would give
the applet direct access to the underlying computer.
There are other specific capabilities denied to applets loaded
over the net, but most of the applet security policy is described by
those two paragraphs above. Read on for the gory details.
- Can applets read or write files?
In Java-enabled browsers, untrusted applets cannot read or write files at
all. By default, downloaded applets are considered untrusted. There are
two ways for an applet to be considered trusted:
- The applet is installed on the local hard disk, in a directory
on the CLASSPATH used by the program that you are using to run the
applet. Usually, this is a Java-enabled browser, but it could be
the appletviewer, or other Java programs that know how to load applets.
- The applet is signed by an identity marked as trusted in your
identity database. For more information on signed applets, refer to
an example of using signed applets, and
to a short description on using javakey.
Sun's appletviewer allows applets to read files that reside in
directories on the access control lists.
If the file is not on the client's access control list, then applets
cannot access the file in any way. Specifically, applets cannot
- check for the existence of the file
- read the file
- write the file
- rename the file
- create a directory on the client file system
- list the files in this file (as if it were a directory)
- check the file's type
- check the timestamp when the file was last modified
- check the file's size
- How do I let an applet read a file?
Applets loaded into a Java-enabled browser can't read files.
Sun's appletviewer allows applets to read files that are named on the
access control list for reading. The access control list for reading
is null by default, in the JDK. You can allow applets
to read directories or files by naming them in the
acl.read property in your
~/.hotjava/properties file.
Note: The "~ " (tilde) symbol is used on UNIX
systems to refer to your home directory. If you install a web browser
on your F:\ drive on your PC, and create a top-level
directory named .hotjava , then your properties file is
found in F:\.hotjava\properties .
For example, to allow any files in the directory home/me
to be read by applets loaded into the appletviewer, add this line to
your ~/.hotjava/properties file.
acl.read=/home/me
You can specify one file to be read:
acl.read=/home/me/somedir/somefile
Use ":" to separate entries:
acl.read=/home/foo:/home/me/somedir/somefile
Allowing an applet to read a directory means that it can read all the
files in that directory, including any files in any subdirectories that might
be hanging off that directory.
- How do I let an applet write a file?
Applets loaded into a Java-enabled browser can't write files.
Sun's appletviewer allows applets to write files that are named on the
access control list for writing. The access control list for writing
is empty by default.
You can allow applets to write to your /tmp directory by setting the
acl.write property in your ~/.hotjava/properties file:
acl.write=/tmp
You can allow applets to write to a particular file by naming it explicitly:
acl.write=/home/me/somedir/somefile
Use : to separate entries:
acl.write=/tmp:/home/me/somedir/somefile
Bear in mind that if you open up your file system for writing by
applets, there is no way to limit the amount of disk space an applet
might use.
- What system properties can be read by applets, and how?
In both Java-enabled browsers and the appletviewer, applets can read
these system properties by invoking
System.getProperty(String key) :
key meaning
____________ ______________________________
java.version Java version number
java.vendor Java vendor-specific string
java.vendor.url Java vendor URL
java.class.version Java class version number
os.name Operating system name
os.arch Operating system architecture
os.version Operating system version
file.separator File separator (eg, "/")
path.separator Path separator (eg, ":")
line.separator Line separator
Applets are prevented from reading these system properties:
key meaning
____________ _____________________________
java.home Java installation directory
java.class.path Java classpath
user.name User account name
user.home User home directory
user.dir User's current working directory
To read a system property from within an applet, simply invoke
System.getProperty(key) on the property you are
interested in.
For example,
String s = System.getProperty("os.name");
- How do I hide system properties that applets
are allowed to read by default?
There's no way to hide the above ten system properties from applets
loaded into a Java-enabled browser. The reason is that the browsers
don't consult any external files as part their Java configuration, as
a security precaution, including the
~/.hotjava/properties file.
From the appletviewer, you can prevent applets from finding out
anything about your system by redefining the property in your
~/.hotjava/properties file. For example, to hide the
name of the operating system that you are using, add this line to your
~/.hotjava/properties file:
os.name=null
- How can I allow applets to read system
properties that they aren't allowed to read by default?
There's no way to allow an applet loaded into a Java-enabled browser
to read system properties that they aren't allowed to read by default.
To allow applets loaded into the appletviewer to read the property
named by key , add the property
key.applet=true to your ~/.hotjava/property
file. For example, to allow applets to record your user name, add
this line to your ~/.hotjava/properties file:
user.name.applet=true
- How can an applet open a network connection to a
computer on the internet?
Applets are not allowed to open network connections to any computer,
except for the host that provided the .class files. This is either
the host where the html page came from, or the host specified in the
codebase parameter in the applet tag, with
codebase taking precendence.
For example, if you try to do this from an applet that did not
originate from the machine foo.com, it will fail with a security
exception:
Socket s = new Socket("foo.com", 25, true);
- How can an applet open a network connection
to its originating host?
Be sure to name the originating host exactly as it was specified when
the applet was loaded into the browser.
That is, if you load an HTML page using the URL
http://foo.state.edu/~me/appletPage.html
then your applet will be able to connect to its host only by using the
name foo.state.edu . Using the IP address for
foo.state.edu won't work, and using a "shorthand" form of the host
name, like foo.state instead of foo.state.edu, won't work.
- How can an applet maintain persistent state?
There is no explicit support in the JDK applet API for persistent
state on the client side. However, an applet can maintain its own
persistent state on the server side. That is, it can create files on
the server side and read files from the server side.
Interesting examples are
- Can an applet start another program on the
client?
No, applets loaded over the net are not allowed to start programs on the
client. That is, an applet that you visit can't start some rogue
process on your PC. In UNIX terminology, applets are not allowed to
exec or fork processes. In particular, this means that applets can't
invoke some program to list the contents of your file system, and it
means that applets can't invoke System.exit() in an attempt to kill
your web browser. Applets are also not allowed to manipulate threads
outside the applet's own thread group.
- What features of the Java language help people
build secure applets?
- What is the difference between applets loaded
over the net and applets loaded via the file system?
There are two different ways that applets are loaded by a Java system.
The way an applet enters the system affects what it is allowed to do.
If an applet is loaded over the net, then it is loaded by the applet
class loader, and is subject to the restrictions enforced by the applet
security manager.
If an applet resides on the client's local disk, and in a directory
that is on the client's CLASSPATH, then it is loaded by the file
system loader. The most important differences are
- applets loaded via the file system are allowed to read and write files
- applets loaded via the file system are allowed to load libraries on the client
- applets loaded via the file system are allowed to exec processes
- applets loaded via the file system are allowed to exit the virtual machine
- applets loaded via the file system are not passed through the byte code verifier
Java-enabled browsers use the applet class loader to
load applets specified with file: URLs. So, the restrictions and
protections that accrue from the class loader and its associated
security manager are now in effect for applets loaded via file: URLs.
This means that if you specify the URL like so:
Location: file:/home/me/public_html/something.html
and the file something.html contains an applet, the browser loads
it using its applet class loader.
- What's the applet class loader, and what does it buy me?
Applets loaded over the net are loaded by the applet class loader.
For example, the appletviewer's applet class loader is implemented by
the class sun.applet.AppletClassLoader.
The class loader enforces the Java name space hierarchy. The class
loader guarantees that a unique namespace exists for classes that come
from the local file system, and that a unique namespace exists for
each network source. When a browser loads an applet over the net,
that applet's classes are placed in a private namespace associated
with the applet's origin. Thus, applets loaded from different network
sources are partitioned from each other.
Also, classes loaded by the class loader are passed through the
verifier. The verifier checks that the class file conforms to the
Java language specification - it doesn't assume that the class file
was produced by a "friendly" or "trusted" compiler. On the contrary,
it checks the class file for purposeful violations of the language
type rules and name space restrictions. The verifier ensures that
- There are no stack overflows or underflows.
- All register accesses and stores are valid.
- The parameters to all bytecode instructions are correct.
- There is no illegal data conversion.
The verifier accomplishes that by doing a data-flow analysis of the
bytecode instruction stream, along with checking the class file
format, object signatures, and special analysis of
finally clauses that are used for Java exception
handling.
Details on the verifier's design and
implementation were presented in a paper by Frank Yellin at the
December 1995 WWW conference in Boston.
A web browser uses only one class loader, which is established
at start-up. Thereafter, the system class loader cannot
be extended, overloaded, overridden or replaced. Applets cannot
create or reference their own class loader.
- What's the applet security manager, and what
does it buy me?
The applet security manager is the Java mechanism for enforcing the
applet restrictions described above. The appletviewer's applet
security manager is implemented by sun.applet.AppletSecurity.
A browser may only have one security manager. The security manager is
established at startup, and it cannot thereafter be replaced,
overloaded, overridden, or extended. Applets cannot create or
reference their own security manager.
- Is there a summary of applet capabilities?
The following table is not an exhaustive list of applet capabilities.
It's meant to answer the questions we hear most often about what
applets can and cannot do.
Key:
- NN: Netscape Navigator 4.x, loading unsigned applets over the Net
- NL: Netscape Navigator 4.x, loading unsigned applets from the Local file system
- AN: Appletviewer, JDK 1.x, loading applets over the Net
- AL: Appletviewer, JDK 1.x, loading applets from the Local file system
- JS: Java Standalone applications
Stricter ------------------------> Less strict
NN NL AN AL JS
read file in /home/me, no no no yes yes
acl.read=null
read file in /home/me, no no yes yes yes
acl.read=/home/me
write file in /tmp, no no no yes yes
acl.write=null
write file in /tmp, no no yes yes yes
acl.write=/tmp
get file info, no no no yes yes
acl.read=null
acl.write=null
get file info, no no yes yes yes
acl.read=/home/me
acl.write=/tmp
delete file, no no no no yes
using File.delete()
delete file, no no no yes yes
using exec /usr/bin/rm
read the user.name no yes no yes yes
property
connect to port no no no yes yes
on client
connect to port no no no yes yes
on 3rd host
load library no yes no yes yes
exit(-1) no no no yes yes
create a popup no yes no yes yes
window without
a warning
- If other languages are compiled to Java
bytecodes, how does that affect the applet security model?
The verifier is independent of Sun's reference implementation of
the Java compiler and the high-level specification of the Java
language. It verifies bytecodes generated by other Java compilers.
It also verifies bytecodes generated by compiling other languages into
the bytecode format. Bytecodes imported over the net that pass the
verifier can be trusted to run on the Java virtual machine. In order
to pass the verifier, bytecodes have to conform to the strict typing,
the object signatures, the class file format, and the predictability of
the runtime stack that are all defined by the Java language
implementation.
None of these examples are malicious - the one line descriptions can
be taken at face value. You can look at the source code for each
applet, before visiting the page that has that applet inside. (The
first link in each example takes you to the source code, and the
second link takes you to an html page that includes the executable
content for the example.)
Files:
System Properties:
Sockets:
Processes:
Libraries and name spaces:
Windows:
Glossary of terms used in this FAQ
- Applet
- A Java program that is run from inside a web browser. The html
page loaded into the web browser contains an
<applet> tag, which tells the browser where to find
the Java .class files. For example,
appletviewer http://foo.com/~jo/coolApplet.html
- Standalone Java application
- A Java program that is run by invoking the
java interpreter. For example,
java coolApplication
- Server
- The computer that hosts the web page that contains an applet.
The .class files that make up the applet, and the .html files that
reference the applet, reside on the server. When someone on the
internet connects to a web page that contains an applet, the server
delivers the .class files over the internet to the client that made
the request.
The server is also known as the originating host.
- Client
- The computer that displays the web page that contains an applet.
The terms server and client are sometimes used to refer
to computers, and are sometimes used to refer to computer programs.
For example, www.sun.com is a server, and the httpd process running on
www.sun.com is its server process. My computer at home is a client,
and the web browser running on my computer at home acts as the client
process.
- Low-level Security in Java, Frank
Yellin, WWW4 Conference, December, 1995
- This paper presents the details of the lowest levels of the java
security mechanism. Before any downloaded code is executed, it is
scanned and verified to ensure that it conforms to the specifications
of the virtual machine.
- HotJava: The
Security Story
- This paper from May 1995 (the 1.0alpha3 release of Java and
HotJava) provides a high-level overview of the security mechanisms,
which were elaborated on for the JDK 1.0 release.
|