requesting a .java.policy file from URL security risk

StackOverflow https://stackoverflow.com/questions/16696337

Question

My client wants to use an applet to do drag and drop file transfers from the browser. We have everything working for the most part, but the .java.policy file granting the applet file system access needs to be uploaded to every client in order for the applet to have permission to read/write to the file system.

My technical counterpart at the client has just done some research and wants me to look into the java deployment toolkit (a js library that takes care of deployment instead of using html tags). He wants me to see if I can configure the applet to use a policy file requested from a URL. I haven't been able to find how to do this, which is what I expected, since I think it would be a terrible security risk.

The trouble is that they need to be able to grant the applet read/write file system access, but I feel that requesting a policy file from a URL is a bad idea and I need help explaining why.

So that's my question: is requesting a .java.policy file from a URL even possible? If so, isn't that a terrible security risk?

Was it helpful?

Solution

So that's my question: is requesting a .java.policy file from a URL even possible?

Yes it is, but not in any way that is practical. The thing is:

  1. The policy file needs to be in a certain location on the local file system, in order to work.
  2. Any Java app. or applet would need trust to place it there, or even find out where the right location is.
  • A Java app. needs extended permissions to be able to import the policy file to where it will have an affect.
  • If a Java app. has the permissions to insert the policy file, it is already trusted.

If so, isn't that a terrible security risk?

Yes, it would be.

If this applet needs trust, digitally sign it.

Addendum

See Java 7 Update 21 Security Improvements in Detail for more info. on the ever tightening Java security environment.

It is apparently planned to have a future JRE default to maximum security. That would mean that by default, only classes in a Jar, digitally signed by a certificate issued by a Certification Authority (e.g. Comodo $180/year, Thawte $300/year) would ever run. Everything else would be rejected.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top