Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: Java
From: Mike Shaver <shaver @ neon . ingenia . com>
Date: Tue, 31 Oct 1995 07:52:28 -0500 (EST)
To: jmason @ iona . ie (Justin Mason)
Cc: Firewalls @ greatcircle . com
In-reply-to: <199510311237 . MAA22112 @ destructor . dublin . iona . ie> from "Justin Mason" at Oct 31, 95 12:37:21 pm

Justin Mason mumbled something vague about:
> Mike Shaver <shaver @ neon . ingenia . com>:
> [HotJava security modes:]
> >- Originating host access: the applet can open connections back to the
> >host from which it was loaded (although there is a bug that sometimes
> >forbids the applet from opening connections to the original host), but
> >nowhere else.
> 
> By the way, there are problems with these security modes and a web proxy
> (in the 1.0b3 version on Solaris). When an applet tries to access a
> URL, it actually opens a connection to the web proxy; this is spotted
> by the security mode, and a security exception is raised.

I presume you mean "1.0a3"... they still haven't made the beta
release, most likely to give Netscape a headstart on everybody
else. =)

Is this fixed in the beta stuff, do you know?

(Nice to see it failing on the side of fascism, though. =) )

> You can see the problems this raises: The only way to get a URL-opening
> applet working is to open up security and allow conns to the proxy,
> which means that anything the proxy can access, the java applet can
> access too. Hey presto, no security mode.

Sort of... in theory, the proxy should only be passing HTTP requests
and the like, and not generic TCP connections.  So the only resources
at risk are those which can be accessed by the proxy, but not by the
outside world, and which are accessible via HTTP/FTP/gopher/what have
you.  That's really just internal web/ftp stuff, I think, and I've
always advocated denying the proxy access to those resources for
exactly that reason; it's nice to have a "sealed" path to the outside
that can be allowed reasonably relaxed access without an internal
breach.

(And I think you can configure HJ/NS to not use a proxy for a given
set of hosts, so that eliminates _that_ problem.)

Mike

-- 
#> Mike Shaver (shaver @ ingenia . com) Ingenia Communications Corporation <#
#>        Technical Specialist -- will tame sendmail(8) for food       <#
#>                                                                     <#
#> "You are a very perverse individual, and I think I'd like to get to <#
#>  know you better." --- eric @ reference . com                       <#
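The proxy problem Justin describes and the two workarounds discussed above (opening security to the proxy versus a no-proxy host list), modelled as an added example that is not part of the original message; the class and host names are constructed, and the check is a simplified model of HotJava's "originating host" mode, not its actual code.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AppletNetPolicy:
    """Model of the 'originating host access' mode (hypothetical names)."""
    origin_host: str                      # host the applet was loaded from
    proxy_host: Optional[str] = None      # web proxy configured in the browser
    no_proxy: frozenset = frozenset()     # hosts the browser reaches directly
    allow_proxy: bool = False             # the 'open up security' workaround

    def socket_peer(self, url: str) -> str:
        """The host the browser actually opens a TCP connection to."""
        host = urlsplit(url).hostname
        if self.proxy_host and host not in self.no_proxy:
            return self.proxy_host
        return host

    def intended(self, url: str) -> bool:
        """What the mode is meant to express: only the originating host."""
        return urlsplit(url).hostname == self.origin_host

    def enforced(self, url: str) -> bool:
        """The check applied to the socket peer, where the proxy confuses it."""
        peer = self.socket_peer(url)
        if peer == self.origin_host:
            return True
        return self.allow_proxy and peer == self.proxy_host


def classify(policy: AppletNetPolicy, url: str) -> str:
    """'ok', 'false-deny' (the proxy bug) or 'over-permit' (all the proxy reaches)."""
    want, got = policy.intended(url), policy.enforced(url)
    if want == got:
        return "ok"
    return "false-deny" if want else "over-permit"


ORIGIN = "www.example.org"            # constructed sample hosts
PROXY = "proxy.corp.example"
INTRANET = "http://intranet.corp.example/"   # reachable by the proxy only
HOME = f"http://{ORIGIN}/data"

direct = AppletNetPolicy(ORIGIN)                                  # no proxy
proxied = AppletNetPolicy(ORIGIN, PROXY)                          # 1.0a3 behaviour
opened = AppletNetPolicy(ORIGIN, PROXY, allow_proxy=True)         # "no security mode"
bypass = AppletNetPolicy(ORIGIN, PROXY, no_proxy=frozenset({ORIGIN}))  # Mike's fix

if __name__ == "__main__":
    for name, p in [("direct", direct), ("proxied", proxied), ("opened", opened), ("bypass", bypass)]:
        print(f"{name:8} origin={classify(p, HOME):11} intranet={classify(p, INTRANET)}")
```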

