[1835] in java-interest
Re: Security
daemon@ATHENA.MIT.EDU (Chuck McManis)
Mon Sep 18 19:15:15 1995
Date: Fri, 15 Sep 1995 13:33:08 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
To: java-interest@java.Eng.Sun.COM
>Is there more information on the security issues of java, besides the
>paper "HotJava: The Security Story"?
There is the entire source release. Various folks are preparing papers
that will be available, one is planned for the WWW95 conference in Boston.
>How much security is built into the Java interpreter and how much is
>left to a "java enabled browser" (such as HotJava or soon Netscape).
>Which is responsible for what?
The language design and implementation provides immunity from legal
Java code damaging either the runtime system or its classes. The
runtime (kernel if you will) implements a verifier to guarantee
that the loaded byte codes abide by the language rules. The classes
that consider themselves dangerous (FileInputStream, Socket, etc)
query a security policy class (SecurityManager) for explicit policies
as to their operation. An application (such as HotJava) provides a
subclass of the security policy class to specify its policies.
>The things I'm interested in are what access to the local disk does a
>Java Applet have? Can a Java Applet execute local programs?
a) Constrained to reading/writing files in user specified directories
(/tmp/hotjava, ~/.hotjava by default on UNIX implementations). Note
that all accesses still pop up a confirmation dialog.
b) No.
>Is the HotJava browser code and the Java Interpreter code the best place
>to look for detailed answers?
Look at the SecurityManager code in
src/share/java/java/lang/SecurityManager.java, also the implementations of
the classes like System that provide an interface to executing local code.
--Chuck
--NAA24050.811197368/java.sun.com--
-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
