Security Problem with Java

Status
Not open for further replies.

Oppenhiemer

Programmer
Jun 28, 2001
315
GB
Hi -

I am really wanting some help on a problem I'm having obtaining an HTML response from a CGI application. My intention is to query a CGI application that I have written (using Perl) and to display the results to the user in an easy-to-use way. I can easily do this using Delphi, but would like to be able to do it with an applet.

The problem is that regardless of what I try, I keep getting the same error message saying something about ms.security violation or some such rubbish. Error reads as follows:

exception : com.security.SecurityExceptionEx(BespokeData.ini):cant access
The code I am using follows :
===========================================================
import java.awt.*;
import java.applet.*;
import java.net.*;
import java.io.*;
import opp.QueryString;

    public void init()
    {
        // symantec.itools.net.RelativeURL or symantec.itools.awt.util.StatusScroller
        symantec.itools.lang.Context.setApplet(this);

        //{{INIT_CONTROLS
        setLayout(null);
        setSize(426,266);
        add(list1);
        list1.setBounds(24,12,276,216);
        //}}

        String msg = "";
        String target = "";

        QueryString query = new QueryString("search", target);
        try
        {
            URL u = new URL(" + query);
            InputStream in = new BufferedInputStream(u.openStream());
            InputStreamReader theHTML = new InputStreamReader(in);
            int c;
            // Read the response one character at a time and accumulate it
            while ((c = theHTML.read()) != -1)
            {
                msg += (char) c;

                //System.out.print((char) c);
            }
        }
        catch (MalformedURLException e)
        {
            System.err.println(e);
        }
        catch (IOException e)
        {
            System.err.println(e);
        }

        list1.add(msg);
    }

    //{{DECLARE_CONTROLS
    java.awt.List list1 = new java.awt.List(0);
    //}}

}
===========================================================
I have heard about the "Sandbox" security issues with regard to applets, but this is ridiculous. All I am trying to do is obtain a raw HTML response from a CGI application (that I have written myself!). After all, is this not what browsers do - obtain & display HTML responses? Anyway, I really hope someone can help me with this one :).

Cheers..

email : oppenhiemer@supanet.com
ICQ : 85745637
 
Applets cannot connect to any servers except the server from which the applet was fetched. There are valid reasons for this, such as an applet could get personal information from you and then send it to another machine via a CGI query:


which could then be retrieved through logfiles or a malicious cgi script.

To do what you propose generally requires a servlet to forward the request and get a response which it returns to you. Welcome to the sandbox.

Charles
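
The forwarding servlet described in the reply above, as an added example that is not code from the thread: it runs on the host that serves the applet and relays the query to the CGI application. The class name, the backend URL (a placeholder) and the length and timeout limits are assumptions; the `search` parameter name is taken from the posted applet code.

```java
import java.io.*;
import java.net.*;
import javax.servlet.http.*;

// Hypothetical forwarding servlet, deployed on the host that serves the applet.
public class SearchForwardServlet extends HttpServlet {
    // Assumed placeholder: the one CGI endpoint this servlet may contact.
    // It is fixed in code, never taken from the request, so the servlet
    // cannot be used as a general-purpose relay to other hosts.
    private static final String BACKEND = "http://cgi-host.example/cgi-bin/search.pl";
    private static final int MAX_TERM_LENGTH = 200; // assumed limit

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String term = req.getParameter("search");
        if (term == null || term.length() > MAX_TERM_LENGTH) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing or oversized search term");
            return;
        }
        // Encode the value so it stays a single query parameter.
        URL target = new URL(BACKEND + "?search=" + URLEncoder.encode(term, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(10000);
        conn.setInstanceFollowRedirects(false); // do not follow the backend to another host

        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "backend returned " + status);
            conn.disconnect();
            return;
        }
        resp.setContentType("text/html");
        // Stream the CGI output back to the applet unchanged.
        try (InputStream in = conn.getInputStream();
             OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

The applet would then build its URL from `getCodeBase()`, so the connection goes to its own origin host and stays inside the sandbox rule.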
 
Ok Charles, thanks for the info. Personally, I think that the Sandbox is too restrictive and really kills Java for me. Maybe I should take a look at Microsoft's C# as I see this has support for Database Applications. It's a real shame that Java offers so little out of the box for database applications.

My hope was to create a user-friendly wrapper to a remote database. I can produce solutions via standard CGI applications, but you are limited in the elegance and sophistication of the front-end. The only time I have been able to use Java to create applets to communicate with a database is using the JDBC-ODBC bridge. But of course you are limited to accessing a local ODBC source. If I was wanting to access a remote data source, I would have to pay for a commercial driver for Java. Very sad.

Anyway, thanks again..




Cheers..
 
You will find that a lot of drivers are available for free. I have downloaded the Oracle thin JDBC drivers from Oracle for free.

Regarding Java or C#, I don't know much about C# but remember, Java is not platform limited like C#, which is a serious limitation for distributed applications.

Here's what you can try though. Create an AWT application to provide the front end that you need and then have the applet construct and display this GUI. The GUI will not have the same limitations as the applet. For example, I did this and the GUI was able to read from the local filesystem which is something that an applet cannot do. It probably can connect to a remote database as well. This way, the applet is simply a carrier for your tool.

Hope this helps. Feel free to email with questions.

Charles
meadandale@yahoo.com
 
Hi Charles -

Yes, I agree with what you say regarding the non-specific nature of Java - unfortunately, all that is undone if it's crippled with security restrictions. I did go to the Sun web site to look for a free Database driver that would allow me to access remote data sources - but only found msql. Maybe I should look at using that?

And if, as meadandale suggests, the reason for not allowing applets to process URL info at a low level relates to a security issue, I could actually abuse this info by simply using standard form processing techniques and server-side script processing.

It just seems that one of Java's main uses is for writing internet applets, and one of the main things ppl want to share is data - Java offers surprisingly little for the programmer in this area.

Thanks for your suggestion regarding the AWT approach though. I do think however that given the warnings that are displayed whenever users encounter AWT applications - they may feel uncomfortable using it.

I would consider applying for a security certificate so that I could sign the application - however that means parting with a chunk of money I can't really afford. It looks like I may have to look at using another approach altogether (shame though.) Thanks again for your help on this though.

Cheers..

 