Re: protocols&security

Matthias Oelmann (mao@lava.de)
Fri, 31 Jan 1997 23:48:27 +0100

Date: Fri, 31 Jan 1997 23:48:27 +0100
From: Matthias Oelmann <mao@lava.de>
To: Marianne Mueller <mrm@Eng>
Subject: Re: protocols&security

Hi Marianne,

>From my point of view, just having a protocol name other than http
doesnt affect security at all. i don't want to change any security
policy, but in my case, im trying to implement a new messaging
protocol. i have no problems doing that, except that i cannot use
a URL like "mmp://my.host.com/~mao" as my personal messaging address.

the problem is, that there are 3 ways to define a new URL protocol,
but they simply dont work:

1. set up a URLStreamHandlerFactory
(works in standalone apps, not with the tuner, haven't tried
with netscape)

2. set the system property java.handler.protocol.pkgs
(forbidden by security manager)

3. define a class sun.net.www.protocol.<protocol>.Handler
(forbidden, because it's a 'sun' class)

if it is the intention that java should support other protocols
than http, there should be a way to do that.
Again, I don't think it's a security issue.

Matthias

Marianne Mueller wrote:
>
> > i cannot define my own protocol with the castanet tuner
> > because of the security manager. that is because
> > i cannot define a class sun.net.www.protocol.<protocol>.Handler
> > (Cause: securityException, cannot define classes under 'sun')
> >
> > it is a one-line change in URL.java, but I had to reimplement
> > the whole URL Classes to get my code running.
> >
> > consider this for jdk 1.1:
> > (Line 409 in URL.java, JDK 1.02)
> >
> > packagePrefixList += "sun.net.www.protocol";
> >
> > a simple change (like: "misc.protocol") would help a lot!
>
> It's not clear to me that it's a good thing to open up Castanet tuners
> (or any code that uses URL.java) to arbitrary downloaded protocols,
> absent a more flexible and configurable security policy
> infrastructure.
>
> We are working towards more flexible and configurable security
> policies.
>
> Marianne