Java Applet sandbox security, local vs external access


Problem description


I had a bug in our (code signed) java applet "access denied (java.net.SocketPermission x.x.x.x:443 connect_resolve." We had an html "save" button that was calling (via javascript) an applet method to save a file, loaded into the applet, onto the webserver. After some extensive google research, I fixed it by wrapping our applet's save method code in doPrivileged(). Bug seems to be fixed, people are happy.

I want to confirm that I completely understand the original circumstances and the solution I applied (backwards, I know, but turn around time didn't allow me to really research the issue).

What's specifically confusing me is that we tested our applet on a test server in our in-house network extensively and never got this error until we attempted the javascript "save" button from a client machine external to our network. So at this point, I'm just making an educated guess: that is how the java applet sandbox mechanism works.

Is this true? As long as the client applet is accessing web server resources from a client machine that is within the same domain network it is considered within the sandbox walls? And if the client machine is external to the web-server's local network the applet request is considered outside of the sandbox walls and needs the doPrivileged? Or is there another explanation here that I am missing?

I haven't been able to find anything in Sun's documentation or through Google that specifically proves or disproves my assertion. Clarification from someone with more experience in Java applets is greatly appreciated.

Solution

As long as the client applet is accessing web server resources from a client machine that is within the same domain network it is considered within the sandbox walls?

If by that, you mean a sand-boxed applet can 'phone home' to its own server, then yes.

And if the client machine is external to the web-server's local network the applet request is considered outside of the sandbox walls and needs the doPrivileged?

An applet needs trust (digitally signed + accepted by the end user) to access resources from other servers. The thing that further complicates it is the JavaScript. Suddenly there is an 'untrusted' element to be considered by the JRE. By wrapping the code in the doPrivileged() method we are saying to the JRE that this code is to be trusted even if called by something else such as JS.
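The fix described in this thread, sketched as an added example that is not code from the original post: a signed applet's JavaScript-callable save method that confines the network call to a small doPrivileged block and fixes the target to the applet's own origin. The class name `SaveApplet`, the `/upload` path and the `loadedFile` field are assumptions, and the code uses the Java 8-era applet and `AccessController` APIs.

```java
import java.applet.Applet;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical signed applet; class, field and path names are assumptions.
public class SaveApplet extends Applet {
    private static final String SAVE_PATH = "/upload"; // assumed endpoint
    private volatile byte[] loadedFile = new byte[0];  // file loaded into the applet

    // Invoked from page JavaScript (the html "save" button). As the answer notes,
    // the JRE treats that caller as untrusted, so the socket check fails without doPrivileged.
    public String save() {
        final byte[] data = loadedFile.clone();
        try {
            // Permission checks stop at this frame: only the signed applet's own
            // permissions count inside run(). Keep the block small and caller-independent.
            int status = AccessController.doPrivileged(
                new PrivilegedExceptionAction<Integer>() {
                    public Integer run() throws IOException {
                        return upload(data);
                    }
                });
            return "HTTP " + status;
        } catch (PrivilegedActionException e) {
            return "save failed: " + e.getException().getMessage();
        }
    }

    // Target is built from the applet's code base, never from a script-supplied value.
    private int upload(byte[] data) throws IOException {
        URL base = getCodeBase();
        URL target = new URL(base.getProtocol(), base.getHost(), base.getPort(), SAVE_PATH);
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setFixedLengthStreamingMode(data.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(data);
        }
        return conn.getResponseCode();
    }
}
```

Because any script on the page can call `save()`, the method takes no URL, host or file path as a parameter; a privileged block that acted on caller-supplied values would lend the applet's signed permissions to untrusted JavaScript.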
