Applet and RMI security model

Arash Baratloo (baratloo@cs.nyu.edu)
Thu, 22 Jan 1998 18:46:59 -0500 (EST)

Date: Thu, 22 Jan 1998 18:46:59 -0500 (EST)
From: Arash Baratloo <baratloo@cs.nyu.edu>
To: java-security@web1.javasoft.com
Subject: Applet and RMI security model

Hi,

We have a mechanism for inter-Java applet communication that might be
breaking the applet security model, but we are not sure. We want to
clarify whether we used a 'bug' or a 'feature' of RMI.

Here is the setting:

1. Machine A runs a Java application.

2. Machine B downloads an applet from machine A and runs it within
HotJava. This applet passes a remote reference of itself (using RMI)
to the application running on machine A.

3. Machine C downloads an applet from machine A and runs it within
HotJava. This applet contacts the application on machine A (using
RMI) and gets the remote reference of the applet running on machine B.

4. The application on machine A terminates. (In fact, machine A can
be turned off.)

5. The applet running on machine C can invoke methods of the applet
running on machine B (again, using RMI), which clearly indicates
direct applet-to-applet communication.

We tested this idea using the appletviewer (JDK1.1.3) and HotJava
running on Linux and NT -- it works.

---------------------

Notice that using sockets and under host-of-origin policy, the
application on host A can be used to 'route' messages from C to B,
which means that C and B are able to communicate.

On one hand, what we did seems to violate the host-of-origin security
model, since internally, a network connection is established between
machines B and C.

But on the other hand, since both applets come from machine A, and
both trust A, the inter-applet communication does not allow any more
information dissemination than before. We cannot find any
documentation clarifying this.

We would like to find out which. I would appreciate any comments that
you may have on this.

Thanks,
-arash
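
The mechanics behind steps 1 to 5, reduced to a single JVM, as an added example that is not part of the original post: an exported RMI stub carries the network endpoint of the JVM that exported it, so whoever holds the stub calls that endpoint directly and the party that relayed the stub is no longer involved. The names `StubRelayDemo`, `Peer`, `PeerImpl` and `Broker` are hypothetical, and the applet sandbox itself is not modelled.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;
import java.util.Map;

public class StubRelayDemo {
    // Hypothetical remote interface of the applet on machine B.
    public interface Peer extends Remote {
        String greet(String from) throws RemoteException;
    }

    static class PeerImpl implements Peer {
        public String greet(String from) { return "B received a call from " + from; }
    }

    // Stands in for the application on machine A: it only stores and hands out stubs.
    static class Broker {
        private final Map<String, Peer> refs = new HashMap<>();
        void register(String name, Peer stub) { refs.put(name, stub); }
        Peer lookup(String name) { return refs.get(name); }
    }

    public static void main(String[] args) throws Exception {
        PeerImpl b = new PeerImpl();
        // Step 2: B exports itself on an anonymous port and gives the stub to A.
        Peer stubOfB = (Peer) UnicastRemoteObject.exportObject(b, 0);
        Broker a = new Broker();
        a.register("B", stubOfB);

        // Step 3: C asks A for B's remote reference.
        Peer heldByC = a.lookup("B");

        // Step 4: A goes away; the stub held by C does not depend on it.
        a = null;

        // Step 5: the call travels to the endpoint embedded in the stub.
        System.out.println(heldByC.greet("C"));
        // The stub's string form shows the endpoint (host:port) it will connect to.
        System.out.println(heldByC);

        UnicastRemoteObject.unexportObject(b, true);
    }
}
```

When reviewing a deployment, the endpoint printed for the stub is the address a network filter or a connect-permission check has to account for, not the address of the host that handed the stub out.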