Date: Thu, 22 Jan 1998 18:46:59 -0500 (EST)
From: Arash Baratloo <baratloo@cs.nyu.edu>
To: java-security@web1.javasoft.com
Subject: Applet and RMI security model
Hi,
We have a mechanism for inter-Java applet communication that might be
breaking the applet security model, but we are not sure. We want to
clarify whether we used a 'bug' or a 'feature' of RMI.
Here is the setting:
1. Machine A runs a Java application.
2. Machine B downloads an applet from machine A and runs it within
HotJava. This applet passes a remote reference of itself (using RMI)
to the application running on machine A.
3. Machine C downloads an applet from machine A and runs it within
HotJava. This applet contacts the application on machine A (using
RMI) and gets the remote reference of the applet running on machine B.
4. The application on machine A terminates. (In fact, machine A can
be turned off.)
5. The applet running on machine C can invoke methods of the applet
running on machine B (again, using RMI), which clearly indicates
direct applet-to-applet communication.
We tested this idea using the appletviewer (JDK1.1.3) and HotJava
running on Linux and NT -- it works.
---------------------
Notice that using sockets and under host-of-origin policy, the
application on host A can be used to 'route' messages from C to B.
Which means that C and B are able to communicate.
On one hand, what we did seems to violate the host-of-origin security
model, since internally, a network connection is established between
machines B and C.
But on the other hand, since both applets come from machine A, and
both trust A, the inter-applet communication does not allow any more
information dissemination than before. We cannot find any
documentation clarifying this.
We would like to find out which. I would appreciate any comments that
you may have on this.
Thanks,
-arash
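
The five steps in the message above, reduced to plain RMI in a single JVM on loopback, as an added example that is not part of the original message. The class and interface names (`ReferenceHandoff`, `Peer`, `Broker`) are hypothetical, and no applet sandbox or security manager is involved; the point is that the stub handed out by A carries B's own endpoint, so the call in step 5 is a connection opened by the caller straight to B.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

// Added illustration; all names are hypothetical. A, B and C are roles inside one JVM.
public class ReferenceHandoff {
    // Remote interface of the "applet on B".
    public interface Peer extends Remote {
        String greet(String from) throws RemoteException;
    }
    // Remote interface of the "application on A": it only stores and returns a reference.
    public interface Broker extends Remote {
        void register(Peer p) throws RemoteException;
        Peer lookupPeer() throws RemoteException;
    }
    static class PeerImpl implements Peer {
        public String greet(String from) { return "B received a call from " + from; }
    }
    static class BrokerImpl implements Broker {
        private Peer peer;
        public synchronized void register(Peer p) { peer = p; }
        public synchronized Peer lookupPeer() { return peer; }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: pin the advertised endpoint to loopback so the demo runs offline.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        // Step 1: A exports its broker object on an anonymous port.
        BrokerImpl brokerImpl = new BrokerImpl();
        Broker brokerStub = (Broker) UnicastRemoteObject.exportObject(brokerImpl, 0);
        // Step 2: B exports itself and passes its remote reference to A.
        PeerImpl peerImpl = new PeerImpl();
        Peer peerStub = (Peer) UnicastRemoteObject.exportObject(peerImpl, 0);
        brokerStub.register(peerStub);
        // Step 3: C obtains B's remote reference from A.
        Peer fromA = brokerStub.lookupPeer();
        // Step 4: A goes away; its object no longer accepts calls.
        UnicastRemoteObject.unexportObject(brokerImpl, true);
        // Step 5: the stub embeds B's host and port, so this call reaches B without A.
        System.out.println(fromA.greet("C"));
        System.out.println("endpoint carried by the stub: " + fromA);
        UnicastRemoteObject.unexportObject(peerImpl, true);
    }
}
```

The second line of output prints the stub's live reference, including the host and port that the caller connects to; that outbound connection is the one a host-of-origin policy would have to evaluate.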