topic Re: Applet "codebase" to IP address resolution in Operating System - OpenVMS

Applet "codebase" to IP address resolution

Richard J Maher — Thu, 07 Aug 2008 10:13:10 GMT

Hi,

Can someone please tell me the strategy(ies) used by Java (the Security
Manager or whatever) to determine if a given IP address conforms to the
definition of the codebase from which an applet was retrieved?

For example, if an Applet was loaded from mycluster.mydomain.com, and
"mycluster" was a cluster alias that was using DNS load-balancing (or
round-robin or a.n.other distribution technique) to distribute client
connections among available nodes in the cluster, could such an unsigned
applet connect a socket to *any* of the available nodes or interface
addresses?

Is the DNS translation done only once when the Object/Applet tag is
encountered and, from then on, all "codebase" checks must match that same IP
address?

Is it just an ASCII string check, so that one relative -vs- one absolute URL
specification could point to the same address yet fail the check?

But then, when it comes to UDP messages arriving at an Applet's socket, when
only the IP address is available, what criteria is used to say "Hey, did
this message come from my codebase?

Is the equivalent a C gethostent() call performed, and *all* alias addresses
and names are checked to say "It's in there somewhere"? (This would be nice
:-)

I've got two sheep-stations and an oil-rig that says checkConnect() socketPermission() etc, do a InetAddress.getAllByName(host) and anyone who says otherwise is a lying dog :-)

To see an example of just such code, please click on: -
http://manson.vistech.net/~tier3/tier3pager.html

Once you've done that (and read the gumpf) please then also telnet to manson.vistect.net (If you don't have an account then use Username: DEMO Password: USER) Then: -

DEMO$ SET TERM/WIDTH=132
DEMO$ RUN SYS$USERS:[USERS.TIER3.WEB]DEMO_UDP_MSG

. . . and enter the IP Address of your browser client node.

Your client should spring into life and you should be able to type-in adhoc messages and have them appear in the seperate Java Frame on the client.

See attached for source code of DEMO_UDP_MSG.COB See below for source for Tier3Pager.java But *all* can be found on MANSON at: -

SYS$USERS:[USERS.TIER3.WEB]

Enjoy!

Cheers Richard Maher

PS. Why can't a Multicast message from the Applet's codebase be retrieved
from an unsigned Applet in the same way a UDP message can?

Tier3Pager.java
================

/**
* Copyight Tier3 Software. All rights reserved.
*
* Author: Richard Maher
*
**/

import java.applet.Applet;
import java.awt.*;
import java.net.*;
import java.io.IOException;
import netscape.javascript.JSObject;
import netscape.javascript.JSException;

public class Tier3Pager extends Applet
{
private String hostName;
private JSObject browser;
private static MessageThread socketThread;
private static Tier3Talk chat;

public class MessageThread extends Thread
{
private DatagramSocket socket;
private DatagramPacket packet;
private String threadData;

public MessageThread(String name, String txt) throws Exception
{
super(name);

byte[] buffer;
threadData = txt;

String port = getParameter("PORT");
String maxBuf = getParameter("MAXBUF");
try
{
if (port == null)
socket = new DatagramSocket();
else
socket = new DatagramSocket(Integer.parseInt(port));

if (maxBuf == null)
buffer = new byte[512];
else
buffer = new byte[Integer.parseInt(maxBuf)];

packet = new DatagramPacket(buffer, buffer.length);
}
catch (Exception e)
{
e.printStackTrace();
System.out.println("Unable to create UDP Socket");
throw new Exception("Message thread could not be created");
}

setDaemon(true);
start();
}

public void shutdown()
{
socket.close();
}

public int getLocalPort()
{
return socket.getLocalPort();
}

public void run()
{
System.out.println("Started Message thread. ThreadData = " + threadData);
String args[] = {"Started Message Thread " + threadData};
browser.call("alert", args);
boolean stopThread = false;

readLoop:
while (!stopThread)
{
try
{
socket.receive(packet);
String received = new String(packet.getData(), 0, packet.getLength());
processMessage(received);
}
catch (SocketException e)
{
System.out.println("Shutting up shop");
stopThread = true;
continue readLoop;
}
catch (IOException e)
{
e.printStackTrace();
System.out.println("Unable to retrieve UDP message");
}
}

System.out.println("Thread run() unit terminating");
}

public void processMessage(String msgText)
{
int msgType = Integer.parseInt(msgText.substring(0,2));
switch (msgType){
case 1:
chat.append(msgText.substring(2));
break;
case 2:
String args[] = {msgText.substring(2)};
try {browser.call("priceUpdate", args);}
catch (JSException e)
{
System.out.println("Error when calling JS priceUpdate()");
}
break;
default:
System.out.println("Unknown rec type "+msgText);
}
}
}

public void init()
{
System.out.println("Initializing. . .");
hostName = getCodeBase().getHost();

chat = new Tier3Talk("Tier3 Messages");
requestFocus();

browser = JSObject.getWindow(this);

if (socketThread == null)
{
try
{
socketThread = new MessageThread("MsgDaemon", "SomeData");
}
catch (Exception e)
{
e.printStackTrace();
System.out.println("Could not init Tier3Pager");
}
}
}

public void alert(String alertText)
{
String args[] = {alertText};
browser.call("alert", args);
}

public void destroy()
{
if (chat != null)
chat.dispose();

boolean stillDying;

if (socketThread != null){
socketThread.shutdown();
do
{
stillDying = false;
System.out.println("Joining MessageThread");
try {socketThread.join();}
catch (InterruptedException e){
System.out.println("Interrupted Join");
stillDying = true;
}
} while (stillDying);

socketThread = null;
}

System.out.println("Tier3Pager Applet Rundown complete");
super.destroy();
}
}

Re: Applet "codebase" to IP address resolution

Wim Van den Wyngaert — Mon, 11 Aug 2008 08:38:18 GMT

I know nothing but with the help of Google found the following.

http://www.mozilla.org/projects/security/components/same-origin.html

Wim

Re: Applet "codebase" to IP address resolution

Wim Van den Wyngaert — Mon, 11 Aug 2008 09:00:42 GMT

This one is more neutral
http://en.wikipedia.org/wiki/Same_origin_policy

Wim

Re: Applet "codebase" to IP address resolution

Richard J Maher — Mon, 11 Aug 2008 10:04:58 GMT

Hi Wim,

Thanks for replying. Unfortunately you are talking apples and my oranges still have fruit-fly.

Your "same-origin" policy is for http stuff like Ajax (although easily defeatable with run-time <script> tag insertion and JSON - So why bother? But then we all love those Google-Map mash-ups so who cares about security?)

If you re-read my post you'll see that my Applet "codebase" issue involves many questions (such as UDP datagram-origin vetting)that appear to be out of the scope of the bollocks http "same-origin" policy.

Has Bojan stopped listening/replying?

Cheers Richard Maher

Re: Applet "codebase" to IP address resolution

Bojan Nemec — Mon, 18 Aug 2008 07:38:03 GMT

Richard,

I am still listening, but have no time to reply. I was also on holidays last 14 days so I missed your thread.

Now abbout your problem. First I must say that I have no experience with this problem.

I think that the implementation is (once again) browser dependant. The browser puts the Applet in a sandbox replacing the java.lang.SecurityManager or java.security.AccessControler or both (I am not shure how this is done).
A quick look to the Java source code shows that the default implementation of the SecurityManager checks the IP address expressed as a string (InetAddress.getHostAddress()).
I think that the address is checked only at connect time. You can find the exact behavior exploring the Java source code (provided in the top directory of the Java SDK in the src.zip file).

Bojan

Re: Applet "codebase" to IP address resolution

Richard J Maher — Sat, 20 Sep 2008 21:53:02 GMT

Hi Bojan,

Thanks for the reply.

> You can find the exact behavior exploring
> the Java source code (provided in the top
> directory of the Java SDK in the src.zip
> file).

I had rather hoped someone else out there would've already done the hard work for me :-)

I think you're probably right about "implementation dependant" but when it comes to security-policy enforcement a universal, transparent, and common approach would probably have been a better idea.

With clustering these days, and mutliple-interfaces from long before that, it seems strange to be restricting the code-base or document-base to a single IP address :-(

Anyway sorry for the late reply, I was wondering if anyone had an example of an Applet receiving Multicast datagrams? A public web-page would be ideal!

I beleive that such an Applet has to be signed, is that true?

Is it also true that some routers and public networks are not interested in propagating Multicast data?

Any other problems/issues?

Cheers Richard Maher