Date: Tue, 22 Jul 1997 16:40:36 -0700 (PDT)
From: Vishal Shah <vishalsh@scf-fs.usc.edu>
To: java-security@web2.javasoft.com
Subject: Trusted Applet and ClassLoader

Hello everyone,

I was wondering if the trusted applet (digitally signed, and the
signature can be verified by a trusted third-party CA) can subclass
ClassLoader in a JDK 1.1 compliant web browser?

What I want is to read a class from the user's local machine or from
anywhere on the network and instantiate/run it.

The problem is that I cannot subclass ClassLoader and hence cannot
override the methods defineClass/loadClass/resolveClass.

I was only able to use the Class.forName() method because it does not use
ClassLoader. But this method does not give me any ability to read from
the user's local storage or the network. So, as a workaround, I have
written an applet to read a specific class from the user's machine, upload
that class to a CGI script on my web server that copies the class into the
class path of my server, and then load the class with the Class.forName()
method. But this method has the overhead of transmitting the entire class
back and forth.

Is there any other way to do this?

There are definitely security implications if ClassLoader allows arbitrary
classes to be loaded from the network. My question is: is it permitted in
a trusted applet in the 1.1 implementation or not?

If it is not permitted, then besides ClassLoader, which other classes are
protected? Does it depend on the implementation, or is it determined by
the specs?

I appreciate any pointers/solutions.

Thanks,
Vishal Shah
-_-~-+-_-~-+-_-~-+-_-~-+--_-~-+-_-~-+-_-~-+-_-~-+-_--~-+-_-~-+-_-~-+-_-~-+
vishalsh@usc.edu http://www-scf.usc.edu/~vishalsh/