1

I'm going to develop some applets, and I was wondering what an applet can and cannot do.

I know that an Applet can't write in the Registry or Windows folders.

Do you know other things?

Thanks

Wassim AZIRAR
  • 1
    did you really mean *apple* in your tag? :) – ascanio Jul 22 '11 at 12:51
  • 1
    Now, it was Applet I corrected it, °_° – Wassim AZIRAR Jul 22 '11 at 12:53
  • 1
    I heavily advise against embedding applets in web pages and only web pages – Raynos Jul 22 '11 at 12:54
  • Feels like 1995 all over again. – duffymo Jul 22 '11 at 13:51
  • Applets? An easier option is to launch a frame direct from a link using [tag:java-web-start]. A JWS app. would still need full trust to use natives or edit the registry, but it is significantly easier to deploy and maintain than an applet. – Andrew Thompson Jul 22 '11 at 13:52
  • @duffymo Applets (fortunately or otherwise) gained a huge boost in recent times with more control over the JRE, access to the services of JWS, and becoming 'draggable' off the web page. There are some good links in the [info. on the applet tag](http://stackoverflow.com/tags/applet/info) related to the new functionality. That and some beginner books are *still* rushing into teaching applets.. – Andrew Thompson Jul 22 '11 at 13:57

2 Answers

3

Official docs http://download.oracle.com/javase/tutorial/deployment/applet/security.html

Much of it depends on whether you signed it or not.

There is one omission I know of in that...

Java AWT Robots are tricky since they give keyboard/mouse access to the applet. You can do it, but trust from the user alone doesn't cut it. In this case you need to set your own custom security manager to grant permission to create a Robot.

Edited for correctness based on comments, thanks guys

celem
  • 2
    Please don't call `System.setSecurityManager(null);`. You'll remove security protection from other applets. In fact, don't mess with "global state" in applets. – Tom Hawtin - tackline Jul 22 '11 at 13:04
  • @Tom Yeah, it's not pretty. However this seems to be the only way to launch an AWTRobot from an applet, that was my point. It's not documented anywhere, but I've hit this before, even with trust you get exceptions creating the robot – celem Jul 22 '11 at 13:06
  • Not pretty? The signer's signature opens up the machine of anyone who trusts the certificate to full access by anyone's code. – Tom Hawtin - tackline Jul 22 '11 at 13:08
  • I understand that's the intention. However, as you can see from http://stackoverflow.com/questions/5313672/setting-up-policies-for-an-applet-embedded-in-html that was not true for me. It simply would not allow my robot to capture the screen until I axed the security manager (AWTPermission createRobot exceptions) – celem Jul 22 '11 at 13:10
  • 1
    @celem *"..this seems to be the only way to launch an AWTRobot from an applet.."* That is incorrect. Once an applet is trusted, it can set a **custom** security manager that will allow its *own classes* to access & use the `Robot` (or replace the security manager). Note also that I said to you in that thread *"There is one other thing you might try if the applet is trusted, _just as an experiment_."* I emphasized the last part to underline that I expected you to ask further questions about how to do it in a production environment. – Andrew Thompson Jul 22 '11 at 13:18
  • Hmm, misinterpreted your previous comment. Yes, doing this makes the machine massively vulnerable; I was using it on a secure LAN. @Andrew thanks for clearing that up, that applet never went to full deployment so I dropped the issue :) – celem Jul 22 '11 at 13:18
  • @Tom Was that you that voted down my answer on the other thread? – Andrew Thompson Jul 22 '11 at 13:26
  • @Andrew Thompson Yup. Switched the vote since you edited your answer to be more clear. – Tom Hawtin - tackline Jul 22 '11 at 13:41
  • Cool, Thanks for the prompt (and the words I could copy/paste) – Andrew Thompson Jul 22 '11 at 13:43
  • @celem Another omission (or caveat) is `System.exit(int)`. An applet ending the VM is like a guest burning the guest-house down. The VM should be shut down at the time the *browser* chooses. I have the console pop-up automatically for applets, and it seems it stays running for at least 30 seconds after pages with applets are closed (using a recent FF and the Oracle 1.6.0_26 JRE). – Andrew Thompson Jul 22 '11 at 14:08
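
The comments above contrast `System.setSecurityManager(null)` with a custom security manager that lets only the applet's own classes use `Robot`. One way to write the narrower version, as an added example that is not code from this thread: the class name `RobotScopedSecurityManager` and the stack check are assumptions, and it needs a JRE where `System.setSecurityManager` is still permitted (`SecurityManager` is deprecated for removal since Java 17).

```java
import java.awt.AWTPermission;
import java.security.Permission;

// Added example with a hypothetical class name; not code from the thread.
public final class RobotScopedSecurityManager extends SecurityManager {
    private final SecurityManager previous; // manager installed before ours, may be null
    private final ClassLoader ownLoader = RobotScopedSecurityManager.class.getClassLoader();

    private RobotScopedSecurityManager(SecurityManager previous) {
        this.previous = previous;
    }

    // Call once from trusted code; requires RuntimePermission("setSecurityManager").
    public static void install() {
        System.setSecurityManager(new RobotScopedSecurityManager(System.getSecurityManager()));
    }

    @Override
    public void checkPermission(Permission perm) {
        if (isRobotPermission(perm) && onlyOwnCodeOnStack()) {
            return; // the one exception to the existing policy
        }
        if (previous != null) {
            previous.checkPermission(perm); // everything else is decided as before
        }
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        // No exception here: a supplied context is not the current call stack.
        if (previous != null) previous.checkPermission(perm, context);
    }

    private static boolean isRobotPermission(Permission perm) {
        return perm instanceof AWTPermission
                && ("createRobot".equals(perm.getName())
                    || "readDisplayPixels".equals(perm.getName()));
    }

    // Assumption: JDK classes come from the bootstrap loader (null). A frame from
    // any other loader, e.g. a second applet, means the exception is not applied.
    private boolean onlyOwnCodeOnStack() {
        for (Class<?> frame : getClassContext()) {
            ClassLoader loader = frame.getClassLoader();
            if (loader != null && loader != ownLoader) return false;
        }
        return true;
    }
}
```

Only `checkPermission` is forwarded to the previous manager, so any `checkXxx` methods that manager overrides with its own logic are no longer consulted. That is the kind of global-state side effect the comments warn about.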
1

Actually a signed applet can access the Windows registry through JNI calls.

For more info on the applet capabilities have a look at http://en.wikipedia.org/wiki/Java_applet

Emmanuel Bourg