Downloading applets through firewalls?

Lantern567@aol.com
Sat, 20 Mar 1999 23:42:55 EST

From: Lantern567@aol.com
Date: Sat, 20 Mar 1999 23:42:55 EST
To: java-security@java.sun.com
Subject: Downloading applets through firewalls?

To the Security group:

Consider the excerpt below concerning a firewall product. There are others
like it, I believe. The idea is that the applet is not allowed through the
firewall.

I work for a Big-5 Accounting firm, and the management here is very reluctant
to let us write applets. Apparently they have a history of problems with
firewalls.

Please tell me that we are missing some critical point, and that there is a
way around this restriction. What is the "JavaSoft party line" on this
problem? Java is a wonderful product, and I've been able to do some truly
amazing things with it, including applet/servlet communication using a URL
connection... I hate to throw all that away and go back to straight HTML on
the client side.

Here is a thought: I would hope that firewalls could be configured to accept
java applets that have been signed. Kind of like a server certificate used
within a web server, this would be a firewall usage of a certificate. That
way it could allow in only those applets it trusts. Is it possible that this
is already in place?

Actually, would a firewall product as described below be able to read the
"Applet start codes" if it were in a signed jar file?

Many of your on-line articles and questions address the problem of how applets
communicate once they are downloaded. My problem appears to be getting them
downloaded in the first place.

Many thanks,

Colleen

P.S. I just started playing with the JDK1.2 security stuff, and so far it's
straightforward to use - I am very impressed.

___
Firewall example: http://www.essential.co.uk/HMTL/SecurIT.htm

Applet Filtering

SecurIT FIREWALL Applet filtering provides an effective means of keeping Java
and ActiveX Applets from being downloaded through the Firewall by Users
browsing the World Wide Web. Applet filtering analyses all HTTP traffic for
Applet start codes. If a code is found, SecurIT FIREWALL scans through the
incoming information for the Applet end codes and then removes the Applet from
the stream.

Applet blocking filters Java and ActiveX Applets downloaded as part of a web
page or as a separate file, as long as that file is downloaded using an HTTP
proxy. If the User downloads a file from a web page using FTP, the file is not
filtered for Applets.
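
An added example, not part of the original message and not the SecurIT product's code: a Python version of the filtering the excerpt describes, assuming "start codes" means the HTML `<applet>` tag and the Java class-file magic number (the excerpt does not define them). It also shows that a JAR, signed or not, is a ZIP archive whose entries a filter can list and inspect; all function and sample names are hypothetical.

```python
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every compiled Java class
ZIP_MAGIC = b"PK\x03\x04"          # local file header that opens a JAR (ZIP) archive
# Assumed "start/end codes": the HTML applet tag pair. Fail closed if no end tag.
APPLET_TAG = re.compile(rb"<applet\b.*?(?:</applet\s*>|\Z)", re.I | re.S)

def strip_applet_tags(html: bytes) -> bytes:
    """Remove <applet>...</applet> elements from an HTML response body."""
    return APPLET_TAG.sub(b"", html)

def inspect_body(body: bytes) -> dict:
    """Classify an HTTP response body as a bare class, a JAR, or other."""
    if body.startswith(CLASS_MAGIC):
        return {"kind": "class", "classes": [], "signed": False}
    if not body.startswith(ZIP_MAGIC):
        return {"kind": "other", "classes": [], "signed": False}
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as jar:
            names = jar.namelist()
            # Read only four decompressed bytes per entry to bound the work.
            classes = [n for n in names
                       if not n.endswith("/") and jar.open(n).read(4) == CLASS_MAGIC]
    except zipfile.BadZipFile:
        return {"kind": "bad-zip", "classes": [], "signed": False}
    # A signed JAR carries META-INF/*.SF; presence is noted, not verified.
    signed = any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF")
                 for n in names)
    return {"kind": "jar", "classes": classes, "signed": signed}

def build_sample_jar(signed: bool) -> bytes:
    """Constructed sample: a deflated JAR holding one fake class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Demo.class", CLASS_MAGIC + b"\x00" * 64)
        if signed:
            jar.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    page = b'<p>hi</p><APPLET code="Demo.class" width=1 height=1></APPLET><p>bye</p>'
    print(strip_applet_tags(page))
    print(inspect_body(build_sample_jar(signed=True)))
```

A check that only looks for the class magic at the start of the body does not match the JAR, which begins with the ZIP header; the entries have to be opened to find the class. Signing adds signature files under `META-INF/` and leaves the entries readable.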