Java Applet 沙箱安全,本地访问与外部访问 [英] Java Applet sandbox security, local vs external access

查看:32
本文介绍了Java Applet 沙箱安全,本地访问与外部访问的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我的(代码签名)Java 小程序中有一个错误访问被拒绝(java.net.SocketPermission xxxx:443 connect_resolve."我们有一个 html保存"按钮,它正在调用(通过 javascript)一个小程序方法来保存一个文件,加载到小程序中,到网络服务器上.经过一些广泛的谷歌研究,我通过将小程序的保存方法代码封装在 doPrivileged() 中来修复它.错误似乎已修复,人们很高兴.

I had a bug in our (code signed) java applet "access denied (java.net.SocketPermission x.x.x.x:443 connect_resolve." We had an html "save" button that was calling (via javascript) an applet method to save a file, loaded into the applet, onto the webserver. After some extensive google research, I fixed it by wrapping our applet's save method code in doPrivileged(). Bug seems to be fixed, people are happy.

我想确认我完全理解原来的情况和我应用的解决方案(倒退,我知道,但时间不允许我真正研究这个问题).

I want to confirm that I completely understand the original circumstances and the solution I applied (backwards, I know, but turn around time didn't allow me to really research the issue).

让我特别困惑的是,我们在内部网络中的测试服务器上广泛测试了我们的小程序,直到我们尝试从我们网络外部的客户端机器上使用 javascript保存"按钮之前,从未出现此错误.所以在这一点上,我只是在做一个有根据的猜测:这就是 java applet 沙箱机制的工作原理.

Whats specifically confusing me is that we tested our applet on a test server in our in-house network extensively and never got this error until we attempted the javascript "save" button from a client machine external to our network. So at this point, I'm just making an educated guess: that is how the java applet sandbox mechanism works.

这是真的吗?只要客户端小程序从位于同一域网络内的客户端机器访问 Web 服务器资源,它就被视为在沙箱墙内?如果客户端机器在 web 服务器的本地网络外部,applet 请求被认为在沙箱墙之外并且需要 doPrivileged?或者这里还有我遗漏的其他解释吗?

Is this true? As long as the client applet is accessing web server resources from a client machine that is within the same domain network it is considered within the sandbox walls? And if the client machine is external to the web-server's local network the applet request is considered outside of the sandbox walls and needs the doPrivileged? Or is there another explanation here that I am missing?

我无法在 sun 的文档中或通过谷歌找到任何具体证明或反驳我的断言的内容.非常感谢在 Java 小程序方面有更多经验的人的澄清

I haven't been able to find anything in sun's documentation or through google that specifically proves or disproves my assertion. Clarification from someone with more experience in java applets is greatly appreciated

推荐答案

只要客户端小程序从位于同一域网络内的客户端机器访问 Web 服务器资源,它就被视为在沙箱墙内?

As long as the client applet is accessing web server resources from a client machine that is within the same domain network it is considered within the sandbox walls?

如果您的意思是沙盒小程序可以回拨"到自己的服务器,那么可以.

If by that, you mean a sand-boxed applet can 'phone home' to its own server, then yes.

如果客户端机器在网络服务器的本地网络之外,applet 请求被认为是在沙箱墙之外并且需要 doPrivileged?

And if the client machine is external to the web-server's local network the applet request is considered outside of the sandbox walls and needs the doPrivileged?

小程序需要信任(数字签名+最终用户接受)才能从其他服务器访问资源.更复杂的是 JavaScript.突然间,JRE 需要考虑一个不受信任"的元素.通过将代码包装在 doPrivileged() 方法中,我们向 JRE 表示即使被其他东西(例如 JS)调用,此代码也是可信的.

An applet needs trust (digitally signed + accepted by the end user) to access resources from other servers. The thing that further complicates it is the JavaScript. Suddenly there is an 'untrusted' element to be considered by the JRE. By wrapping the code in the doPrivileged() method we are saying to the JRE that this code is to be trusted even if called by something else such as JS.

这篇关于Java Applet 沙箱安全,本地访问与外部访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆