Firewall Wizards mailing list archives

Re: Java Sockets and Firewalls


From: Justin Mason <jmason () iona com>
Date: Mon, 11 May 1998 12:32:43 +0100

Aleph One said:
On Thu, 7 May 1998, Kirkilis, John wrote:

I'm trying to understand the whole issue about Java applets and
Firewalls and have a few questions. [...]

*    If the Java applet is loaded from an SSL-secured web page are
all communications via Java socket calls also protected by this sleeve
... or ... must the java applet itself establish itself as an SSL client
and use java security APIs.

The applet will be downloaded over HTTPS (HTTP + SSL) but any
connections made by the Applet will not be (unless it uses some
function that takes a URL object that starts with "https://" to download
something).

Only Netscape 4.0 or higher supports using https from a java applet's URL
or URLConnection objects, by the way.  I have not tested IE4 but I've been
told it doesn't support this.

*    If a java applet is retrieved through a proxy server, does the
browser consider it downloaded from the proxy or the actual server? Are
there any problems given the network security sandbox and issues such as
proxy servers or routers which perform network address translation?

The browser considers it downloaded from the actual server. This means
that the applet will only be able to connect to the same server hostname
(note: stringwise comparison, so connecting to "realname.iona.com" will
not be allowed if the applet was downloaded from "www.iona.com").

This raises an issue: if there are proxy servers the applet will not be
able to connect via them, unless they are transparent (a la NAT) or the
applet is signed (in which case it can connect to any host).

This is why so many java applets use HTTP, and the built-in HTTP support
classes java.net.URL and java.net.URLConnection, to communicate with their
servers; the built-in classes can generally use the browser's HTTP layer
and will therefore use the appropriate HTTP proxies.

*    Must the server which is serving up the applet have reverse DNS
capability over the internet to conform to the sandbox restrictions? I
recall some mention of this a while back.

Not sure it needs to have a hostname at all, but if it does
the forward and reverse lookups probably need to match.

IP addresses can be used, so DNS is not strictly required.


--j. (with my java hat on),

-- 
Justin Mason                 Jon Snow:  "In a sense, Deng Xiaoping's death
jmason () iona com                          was inevitable, wasn't it?"
http://jmason.home.ml.org/   Expert:    "Er, yes."

Send spam to abanspam () iona com or zbanspam () iona com -- go on, make my day!
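As an added illustration (not code from the original thread, and Python rather than Java so it runs stand-alone), here is a small model of the two rules discussed above: the stringwise codebase-host comparison an unsigned applet is held to, and the forward/reverse DNS match expected of the serving host. The DNS table and all hostnames are constructed.

```python
# Added example: models the applet sandbox rules described in the thread.
# FORWARD/REVERSE are a constructed, offline stand-in for real DNS.
import ipaddress

# Constructed records: www.iona.com and realname.iona.com share one address,
# but the reverse record names only realname.iona.com.
FORWARD = {
    "www.iona.com": "192.0.2.10",
    "realname.iona.com": "192.0.2.10",
    "proxy.example.net": "192.0.2.200",
}
REVERSE = {
    "192.0.2.10": "realname.iona.com",
    "192.0.2.200": "proxy.example.net",
}


def is_ip_literal(host):
    """True if host is a bare IP address (no DNS needed for it)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def applet_may_connect(codebase_host, target_host):
    """Unsigned-applet rule: target must equal the codebase host as a string.
    Nothing is resolved, so an alias of the same machine, or a non-transparent
    proxy in between, is refused."""
    return codebase_host.strip().lower() == target_host.strip().lower()


def dns_consistent(host, forward=FORWARD, reverse=REVERSE):
    """Serving-host check: host -> IP must map back to the same host.
    IP literals are accepted without any lookup."""
    if is_ip_literal(host):
        return True
    ip = forward.get(host.lower())
    if ip is None:
        return False
    return reverse.get(ip, "").lower() == host.lower()


def explain(codebase_host, target_host):
    """Short verdict for a proposed raw-socket connection from the applet."""
    if applet_may_connect(codebase_host, target_host):
        return "allowed: same host as codebase"
    same_ip = FORWARD.get(codebase_host.lower())
    if same_ip and same_ip == FORWARD.get(target_host.lower()):
        return "refused: same address but different name (stringwise compare)"
    return "refused: other host; use HTTP via URLConnection or sign the applet"
```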


