Platinum Edition Using HTML 4, XML, and Java 1.2
(Publisher: Macmillan Computer Publishing)
Author(s): Eric Ladd
ISBN: 078971759x
Publication Date: 11/01/98



Another proposal is to write a server that provides security from the start. This is the idea behind Secure Hypertext Transfer Protocol (S-HTTP), developed by Enterprise Information Technologies (EIT), RSA Labs, and the National Center for Supercomputing Applications (NCSA).

  To learn more about security protocols, see “Server-Side Security Issues,” p. 937.


NOTE:  The National Center for Supercomputing Applications (NCSA) is the group that developed Mosaic, the first graphical Web browser. Marc Andreessen and the Mosaic design team went on to fame and fortune by completely rewriting Mosaic into a new and original Web browser: Netscape Navigator.

In your organization, for example, you might want to place a firewall between the public and private areas of your network. For reasons like this, you might need more protection for your network than TCP/IP alone provides.

Java provides an abstract class, SocketImpl, whose methods you implement to support either of these strategies. To use it, you create a subclass and implement its methods, such as connecting to the server, accepting client requests, getting file information, writing to local files, and so on. Even if you never write your own server or a custom socket class, it is nice to know that it is possible to do in Java.

Will Security Considerations Disable Java Applets?

Imagine a world in which Java applets on any network can set up client/server communications of the type discussed in this chapter. Perhaps an applet on your network can call a method in an applet on someone else’s network or run a program on that other network remotely. An applet connects to a quote server, for example, determines that the price of a certain stock has reached the target price, and then connects to a user’s machine on a network, displaying a message and requesting permission to buy. Or perhaps the applet can run an Excel spreadsheet macro to update the portfolio every 10 minutes. Many powerful applets could be written.

With this power comes potential danger. How can you prevent the applet from deleting files, downloading unauthorized data, or even being aware of the existence of such files? In this world of distributed objects, a profound tension exists between enabling more capabilities for an applet and fear of unwanted use. This tension is why the debate on object access is fierce. The main stage is a standard called Common Object Request Broker Architecture, or CORBA.

ON THE WEB
http://www.acl.lanl.gov/CORBA/ You can get an overview of CORBA online and learn more about writing Java programs that can interface with object request brokers.

Currently, untrusted applets loaded from a network cannot run Windows DLLs on the local machine, nor can they run local commands, such as the DOS dir command, that would find out the names of files on the client. In addition, network applets cannot make network connections except to the machine from which they were loaded.


NOTE:  These limitations apply only to applets loaded from a network. Locally loaded applets have fewer restrictions. See Sun’s Security FAQ at http://java.sun.com/sfaq/ for details.
  To learn more about Java security protocols, see “Executable Content and Security,” p. 1142.

The debate between power and security seems to be veering toward the security side. An example is a “bug” that Drew Dean, Ed Felten, and Dan Wallach of Princeton University found in an old version of Netscape Navigator (version 2.0) running a Java applet. They tricked the domain name server (DNS—the program that resolves host names, such as www.yahoo.com, into IP addresses) into disguising the applet’s origin: they made DNS report that the applet came from another computer, and they were then able to breach security on that computer. Netscape acknowledged the situation and quickly provided an update (version 2.01) that gives the browser closer control over how an IP address is resolved.
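The following is an added example, not code from the book, that ties together three points from this chapter: the custom socket class that a SocketImpl subclass makes possible, the rule that a network applet may connect only to the host it was loaded from, and the lesson of the Navigator 2.0 incident that such a check must be made on the resolved address rather than on a host name. The hypothetical OriginPinnedSocketImpl resolves the origin host once when the policy is installed and afterwards lets a Socket connect only to one of those InetAddress values. The class, installPolicy, and the origin host quotes.example.com used in main are all assumptions; the code targets a current JDK, where Socket.setSocketImplFactory still exists but is deprecated.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.net.SocketException;
import java.net.SocketImpl;
import java.net.SocketImplFactory;
import java.nio.channels.SocketChannel;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical SocketImpl (not from the book): a Socket may connect only to the
 * addresses the origin host resolved to when the policy was installed. Because the
 * comparison is on InetAddress values rather than host names, a later or forged
 * DNS answer for some other name cannot widen the policy.
 */
public class OriginPinnedSocketImpl extends SocketImpl {

    /** Addresses of the origin host, resolved exactly once at install time. */
    private static Set<InetAddress> originAddresses = new HashSet<>();

    /** Resolve the origin now, then route every new Socket through this impl. */
    public static void installPolicy(String originHost) throws IOException {
        originAddresses = new HashSet<>(Arrays.asList(InetAddress.getAllByName(originHost)));
        Socket.setSocketImplFactory(new SocketImplFactory() {
            public SocketImpl createSocketImpl() { return new OriginPinnedSocketImpl(); }
        });
    }

    /** The policy check shared by every connect() overload. */
    static boolean isAllowed(InetAddress target) {
        return originAddresses.contains(target);
    }

    // The delegate is a SocketChannel: it does not consult the SocketImplFactory,
    // so opening it cannot recurse back into this class.
    private SocketChannel channel;
    private final Map<Integer, Object> options = new HashMap<>();

    protected void create(boolean stream) throws IOException {
        if (!stream) throw new IOException("datagram sockets are not supported by this impl");
    }

    protected void connect(String host, int port) throws IOException {
        connect(InetAddress.getByName(host), port);   // resolve first, then check the address
    }

    protected void connect(InetAddress address, int port) throws IOException {
        connect(new InetSocketAddress(address, port), 0);
    }

    protected void connect(SocketAddress endpoint, int timeout) throws IOException {
        InetSocketAddress target = (InetSocketAddress) endpoint;
        if (target.isUnresolved()) {
            target = new InetSocketAddress(InetAddress.getByName(target.getHostString()), target.getPort());
        }
        if (!isAllowed(target.getAddress())) {
            throw new SecurityException("refusing connection to " + target + ": not the applet's origin");
        }
        channel = SocketChannel.open();
        channel.socket().connect(target, timeout);
        Object soTimeout = options.get(SO_TIMEOUT);   // apply a read timeout set before connecting
        if (soTimeout != null) channel.socket().setSoTimeout(((Integer) soTimeout).intValue());
        this.address = target.getAddress();
        this.port = target.getPort();
    }

    protected void bind(InetAddress host, int port) throws IOException {
        throw new IOException("explicit bind is not supported by this impl");
    }
    protected void listen(int backlog) throws IOException {
        throw new IOException("server sockets are not supported by this impl");
    }
    protected void accept(SocketImpl s) throws IOException {
        throw new IOException("server sockets are not supported by this impl");
    }
    protected InputStream getInputStream() throws IOException { return channel.socket().getInputStream(); }
    protected OutputStream getOutputStream() throws IOException { return channel.socket().getOutputStream(); }
    protected int available() throws IOException { return channel.socket().getInputStream().available(); }
    protected void close() throws IOException { if (channel != null) channel.close(); }
    protected void sendUrgentData(int data) throws IOException {
        throw new IOException("urgent data is not supported by this impl");
    }

    /** Options are recorded; SO_TIMEOUT is also pushed to the channel once it exists. */
    public void setOption(int optID, Object value) throws SocketException {
        options.put(optID, value);
        if (optID == SO_TIMEOUT && channel != null) channel.socket().setSoTimeout(((Integer) value).intValue());
    }
    public Object getOption(int optID) throws SocketException {
        Object value = options.get(optID);
        if (value == null) throw new SocketException("option " + optID + " has not been set on this impl");
        return value;
    }

    /** Demonstration; both host names are constructed for the example. */
    public static void main(String[] args) throws IOException {
        installPolicy("quotes.example.com");
        try (Socket ok = new Socket("quotes.example.com", 80)) {
            System.out.println("connected to origin " + ok.getInetAddress());
        }
        try (Socket blocked = new Socket("www.example.org", 80)) {
            System.out.println("not reached");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Once installPolicy has run, every Socket created in the JVM goes through this impl, so the restriction applies to library code as well as to the applet's own calls. The factory can be installed only once per JVM, which is what you want for a policy of this kind: code loaded later cannot replace it with a more permissive one.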

Another security flaw was found in Internet Explorer version 3.0. It allowed a Web site or Webmaster to place a Windows 95 shortcut on your system. This shortcut could be any kind of command to run a program or even format your hard disk.

These situations have caused a stir in the Internet community. Concerns about Internet security are rampant. Many users and developers have also raised concerns about restricting applet access to the point where the usefulness of the applications is diminished.

With JDK 1.2, you can attach a digital signature to your applets before they are distributed. This approach assures users that the applet they receive is the one they wanted, as the signer distributed it.

  To learn more about signed applets, see “Signing Your JARs,” p. 1166.
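As an added example that is not from the book, the hypothetical SignedJarCheck class below inspects a JAR that has been signed with the JDK's jarsigner tool and reports which entries carry no signature and who signed the rest. It uses the JarFile and JarEntry classes that shipped with JDK 1.2 plus JarEntry.getCodeSigners, which arrived later; the default path MyApplet.jar is a placeholder. The one detail worth remembering from it is that the JAR classes only expose an entry's signers after the entry has been read to its end, because that is when the digest is checked.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Hypothetical check (not from the book) that every class and resource in a
 * JAR is covered by a signature, and a report of who the signers are.
 */
public class SignedJarCheck {

    /** META-INF holds the manifest and signature files; those are never themselves signed. */
    static boolean isSignatureRelated(String name) {
        return name.startsWith("META-INF/") || name.endsWith("/");
    }

    /** Reads an entry to the end; only then does JarEntry expose its signers. */
    private static void drain(JarFile jar, JarEntry entry) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) {
                // with verify=true, a digest mismatch surfaces here as a SecurityException
            }
        }
    }

    /** Names of entries that carry no signature; an empty list means the whole JAR is signed. */
    public static List<String> unsignedEntries(String jarPath) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (isSignatureRelated(entry.getName())) continue;
                drain(jar, entry);
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) unsigned.add(entry.getName());
            }
        }
        return unsigned;
    }

    /** Subject names of the signing (leaf) certificates seen on the signed entries. */
    public static Set<String> signerNames(String jarPath) throws IOException {
        Set<String> names = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (isSignatureRelated(entry.getName())) continue;
                drain(jar, entry);
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue;
                for (CodeSigner signer : signers) {
                    // the first certificate in the path is the signer's own
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf instanceof X509Certificate) {
                        names.add(((X509Certificate) leaf).getSubjectX500Principal().getName());
                    }
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "MyApplet.jar";   // placeholder path
        List<String> unsigned = unsignedEntries(path);
        if (unsigned.isEmpty()) {
            System.out.println("every entry is signed by: " + signerNames(path));
        } else {
            System.out.println("unsigned entries, do not trust this JAR: " + unsigned);
        }
    }
}
```

From the command line, jarsigner -verify performs the same check. Note what a signature does and does not establish: it proves the JAR was not altered since the named signer produced it; whether that signer should be granted anything beyond the applet sandbox is a separate trust decision about the signer's certificate.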

Using Network Communications in Applets

Recall from “Writing Your Own Client and Server” earlier in this chapter that you can write your own server or use a commercial server to communicate with your applets. You’ll find a collection of servers written in Java at http://www.developer.com/directories/pages/dir.java.net.server.html.

You can review the applets at http://www.developer.com/directories/pages/dir.java.net.html to get an idea of what other developers are doing with network programming. You’ll find a set of classes, for example, that gives you access to your SMTP (email) server at http://www.io.com/~maus/JavaPage.html. Visit http://www.io.com/~maus/qsmtp/SmtpApplet.html to see these classes in action.

Sock Bean is an applet that gives you direct access to network sockets (although you’re still restricted regarding which servers your applet can contact). Read about Sock Bean at http://www.iaccess.com/au/customers/detailer/software.html.

The Gamelan page http://www.developer.com/directories/pages/dir.java.net.intertools.html also lists several Telnet clients and an FTP client, all written as applets.

