security-model should be more like netscape's

Dag Welinder (dag.x.welinder@telia.se)
Wed, 29 Jul 1998 09:18:45 +0200

Date: Wed, 29 Jul 1998 09:18:45 +0200
From: Dag Welinder <dag.x.welinder@telia.se>
To: java-security@java.sun.com
Subject: security-model should be more like netscape's

Hello!

I'm developing an applet, which uses a database residing on the applet
host. When I first started, I thought an applet could make
database-connections to its host and still remain in the applet sandbox.
I thought so even more when it worked in Netscape Communicator 4.04
with SmartUpdate (Java 1.1.4). I was a bit confused though, when the
applet could even get database-access when I ran it locally, not on the
host with the database. But it worked, so I was happy.

Then, when I was pretty much ready with the applet, I tested it in IE
4.0, in Netscape with java plugin 1.1.1 and in the appletviewer. I got
security exceptions and had no idea what to do. It didn't matter where
the applet was loaded from. Someone on a newsgroup told me applets using
JDBC-ODBC (mine does) need access to the local filesystem and thus it
has to be signed. That's when I started to work with signing. I tried
javakey and keytool. I liked keytool better (even if I never could get
it working with applets signed with it), but since it seemed like people
used javakey more, I stayed with it. I got it working somewhat.

Later I tried Netscape's Capabilities-classes and signing with their
signtool. I liked that one more. It was more straightforward. And
userfriendly! (It's getting closer to my point.) Using javakey, the end
user has to either (if I got the main parts right)
1) install JDK, download my certificate, install it using some obscure
javakey option and then get going, or
2) download the identitydb.obj-file containing my certificate, copy it
to the right location (which depends) and then run the applet. The
problem here must be if two departments of the same company both send
an end-user their identitydb.obj-file.

With Netscape's model, you, being the developer, import
netscape.security.PrivilegeManager and use it. Then you can decide
whether you want to sign the file (using Netscape signtool) or not. If
you don't sign it, the user gets informed about the risk and that the
applet is not signed and can then decide whether he/she wants to run the
applet or not. If it's signed, then a dialog tells the user so and again
asks the user to grant the applet.

Couldn't the java-plugin work the same way?

Ok, that's it. Regards, Dag Welinder