HotJava(tm) Browser Applet Security Developer Notes

This page contains notes about Applet Security which are of particular interest to Applet Developers. Look here for information about:

Javakey Restriction
Loading Multiple Applets from a Single CODEBASE
Details on Applet Security Levels

Javakey Restriction

If you mark a certificate as "trusted" using the JDK's javakey utility, applets running on your machine that are signed with that certificate are treated by your system as if they are trusted local application code. These applets will not be subject to any security manager controls you set in the HotJava Browser.

This has no effect on users who download your applet, unless they also use the javakey utility to mark the certificate as trusted.

For information about using javakey, see the Javakey page for Solaris or for Windows.

Loading Multiple Applets from a Single CODEBASE

If an unsigned applet is loaded from the same CODEBASE as a signed applet, the unsigned applet uses the same class loader. When the unsigned applet calls methods in the signed applet's classes, the unsigned applet is treated with the same level of trust as the signed applet. It is generally best for applet developers to avoid mixing signed and unsigned code.

Details on Applet Security Levels

Use the Applet Security page (Edit->Preferences->Applet Security) to set a default security level that will apply to all signed applets, and one that will apply to all unsigned applets. You can allow signed applets any of four security levels, as defined below. Unsigned applets may be assigned only untrusted, high, or medium security.

The following table provides information about allowed applet behavior at each security level. The information provided here is a detailed list of allowed applet behavior, some of which might only be understood by Java applet developers. For a more general overview of what the security levels provide, see the previous page on applet security.

Note that in addition to the tangible protections described below, Java and HotJava work together to enforce other constraints on applets to make them run in a safe fashion. For example, applets are not permitted to send messages to windows that cause them to be closed (except windows the applet has created on its own).

Applet Security Restriction Level
Untrusted High Medium Low
Read Files No No¹ Warn¹ Yes
Write Files No No Warn Yes
Delete Files No No Warn Yes
Access HotJava Browser Properties No Limited² Warn Yes
Manipulate Threads No Limited³ Limited³ Limited³
Exit HotJava No No No No
Start Local Applications No No Warn Warn
Link to Local Libraries or DLLs No No No Yes
Listen on Network Port No Limited⁴ Warn Yes
Accept Network Connection No Limited⁵ Warn⁷ Yes
Connect to Another Computer No Limited⁶ Warn⁷ Yes
Create Windows No Yes⁸ Yes⁸ Yes
Access Clipboard No No No Yes
Access Print Queue No No No Yes
Access AWT Event Queue No No No Yes

Permissions listed as "Warn" have the following behavior:

Each time one of the applets that fits a particular permission set (that is, from a single signer or from a particular site) attempts to access the controlled resource (for example, read a file) HotJava checks its list of granted permissions. If the specific permission has been granted, it is allowed. If it has not been granted, the user is queried through a dialog box to choose from either allowing this specific action (read the specified file), allowing all similar actions (read any file), or block the action (deny reading this file this time).

Footnotes:

1: Applets with Medium or High security that are loaded using the file: protocol have read access (without warning) to files in the directory where they were loaded from.

2: Individual properties can be exposed to High security applets by creating another property with a name in the form of <propertyname>.applet=true. For example, to allow applets access to the user.name property, add an additional property user.name.applet=true. See Customizing the HotJava Browser for information about editing the properties file. The default standard set of properties that applets have access to are java.version, java.vendor, java.vendor.url, java.class.version, os.name, os.version, os.arch, file.separator, path.separator, and line.separator.

3: Applets with Low, Medium, or High security may manipulate their own thread priorities.

4: Applets with High security may listen on ports 1024 and higher.

5: Applets with High security may accept connections from their originating site, but no others.

6: Applets with High security may connect to their originating site, but no others.

7: User is warned and can deny permission when an applet attempts any network access except when connecting to the applet's original site.

8: Windows created by applets with High or Medium security will show a warning banner.

Additional Restrictions and Permissions:

For compatibility with earlier versions of the HotJava Browser, applets with High Security are allowed read and write access to files and directories listed in the properties acl.read, acl.read.default, acl.write and acl.write.default.
The current preferred method to set read and write permissions is to use the Advanced Applet Security user interface.
These access control lists are null by default. You can explicitly set access to individual files or directories by updating these properties in your HotJava Browser properties file. See Customizing the HotJava Browser for information about modifying your properties file.
If you allow an applet to read a directory, it can read all the files in that directory, including any files in any subdirectories of that directory. Also bear in mind that if you open up your file system for writing by applets, there is no way to limit the amount of disk space an applet might use.
Applets with High or Medium Security are not allowed access to classes in packages that are identified using the property package.restrict.access.[packagename]=true. This is true for both system classes loaded via CLASSPATH and classes loaded over the network. For example, package sun.* is not accessible to applets due to the property package.restrict.access.sun=true.
Applets with High or Medium Security are not allowed to define classes in packages identified using the property package.restrict.definition.[packagename]=true. By default, applets are not allowed to define classes in the sun and java packages.
Applets with High or Medium Security can only connect to their originating host if the applet is loaded via a protocol with the property applet.<protocol>.host.meaningful set to true. By default, the following properties are set: applet.http.host.meaningful=true, applet.https.host.meaningful=true, applet.ftp.host.meaningful=true, and applet.gopher.host.meaningful=true.

Back to HotJava Browser Applet Security

	Applet Security Restriction Level
	Untrusted	High	Medium	Low
Read Files	No	No¹	Warn¹	Yes
Write Files	No	No	Warn	Yes
Delete Files	No	No	Warn	Yes
Access HotJava Browser Properties	No	Limited²	Warn	Yes
Manipulate Threads	No	Limited³	Limited³	Limited³
Exit HotJava	No	No	No	No
Start Local Applications	No	No	Warn	Warn
Link to Local Libraries or DLLs	No	No	No	Yes
Listen on Network Port	No	Limited⁴	Warn	Yes
Accept Network Connection	No	Limited⁵	Warn⁷	Yes
Connect to Another Computer	No	Limited⁶	Warn⁷	Yes
Create Windows	No	Yes⁸	Yes⁸	Yes
Access Clipboard	No	No	No	Yes
Access Print Queue	No	No	No	Yes
Access AWT Event Queue	No	No	No	Yes