Re: Java Sockets and Firewalls

From: Justin Mason (jmasonat_private)
Date: Mon May 11 1998 - 04:32:43 PDT


    Aleph One said:
    >On Thu, 7 May 1998, Kirkilis, John wrote:
    >
    >> I'm trying to understand the whole issue about Java applets and
    >> Firewalls and have a few questions. [...]
    
    >> *	If the Java applet is loaded from an SSL-secured web page are
    >> all communications via Java socket calls also protected by this sleeve
    >> ... or ... must the java applet itself establish itself as an SSL client
    >> and use java security APIs.
    >
    >The applet will be downloaded over HTTPS (HTTP + SSL) but any
    >connections made by the Applet will not be (unless it uses some
    >function that takes a URL object that starts with "https://" to download
    >something).
    
    Only Netscape 4.0 or higher supports using https from a java applet's URL
    or URLConnection objects, by the way.  I have not tested IE4 but I've been
    told it doesn't support this.
    
    >> *	If a java applet is retrieved through a proxy server, does the
    >> browser consider it downloaded from the proxy or the actual server? Are
    >> there any problems given the network security sandbox and issues such as
    >> proxy servers or routers which perform network address translation?
    
    The browser considers it downloaded from the actual server. This means
    that the applet will only be able to connect to the same server hostname
    (note: stringwise comparison, so connecting to "realname.iona.com" will
    not be allowed if the applet was downloaded from "www.iona.com").
    
    This raises an issue: if there are proxy servers the applet will not be
    able to connect via them, unless they are transparent (a la NAT) or the
    applet is signed (in which case it can connect to any host).
    
    This is why so many java applets use HTTP, and the built-in HTTP support
    classes java.net.URL and java.net.URLConnection, to communicate with their
    servers; the built-in classes can generally use the browser's HTTP layer
    and will therefore use the appropriate HTTP proxies.
    
    >> *	Must the server which is serving up the applet have reverse DNS
    >> capability over the internet to conform to the sandbox restrictions? I
    >> recall some mention of this a while back.
    
    >Not sure it needs to have a hostname at all but if it does
    >the forward and reverse lookups probably need to match.
    
    IP addresses can be used, so DNS is not strictly required.
    
    
    --j. (with my java hat on),
    
    -- 
    Justin Mason                 Jon Snow:  "In a sense, Deng Xiaoping's death
    jmasonat_private                          was inevitable, wasn't it?"
    http://jmason.home.ml.org/   Expert:    "Er, yes."
    
    Send spam to abanspamat_private or zbanspamat_private -- go on, make my day!
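
The stringwise host rule and the reliance on URLs built from the applet's own origin, both described in the message above, as an added example that is not part of the original post. It models the rule only as the message states it, not the browser JVM's own security manager code; the class name, helper names and sample paths are hypothetical and constructed.

```java
import java.net.URI;

// Added illustration: exact, stringwise host match unless the applet is signed.
// All names and sample values here are constructed for the example.
public class AppletOriginCheck {

    // Resolve an endpoint against the applet's codebase, the way an applet
    // would build the address it hands to java.net.URL / URLConnection.
    static URI resolve(URI codeBase, String spec) {
        return codeBase.resolve(spec);
    }

    // Host names are compared as strings. No DNS lookup is performed, so two
    // different names are different hosts even if they reach the same machine.
    static boolean sandboxAllows(URI codeBase, URI target, boolean signed) {
        if (signed) {
            return true; // per the message: a signed applet can connect to any host
        }
        String origin = codeBase.getHost();
        return origin != null && origin.equals(target.getHost());
    }

    public static void main(String[] args) {
        URI codeBase = URI.create("https://www.iona.com/applets/"); // constructed
        String[] specs = {
            "data/quotes.txt",                        // relative: host is inherited
            "/cgi-bin/feed",                          // absolute path, same host
            "https://realname.iona.com/cgi-bin/feed", // different host string
            "//realname.iona.com/cgi-bin/feed",       // scheme-relative, host changes
        };
        for (String spec : specs) {
            URI target = resolve(codeBase, spec);
            System.out.printf("%-40s -> %-42s unsigned=%-5b signed=%b%n",
                    spec, target,
                    sandboxAllows(codeBase, target, false),
                    sandboxAllows(codeBase, target, true));
        }
    }
}
```

The first two specs keep the host string `www.iona.com` and pass the unsigned check; the last two resolve to `realname.iona.com` and pass only when the applet is signed.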
    


