Applet "codebase" to IP address resolution

Richard Maher wrote:

Can someone please tell me the strategy(ies) used by Java (the Security
Manager or whatever) to determine if a given IP address conforms to the
definition of the codebase from which an applet was retrieved?

For example, if an Applet was loaded from mycluster.mydomain.com, and
"mycluster" was a cluster alias that was using DNS load-balancing (or
round-robin or a.n.other distribution technique) to distribute client
connections among available nodes in the cluster, could such an unsigned
applet connect a socket to *any* of the available nodes or interface
addresses?

Is the DNS translation done only once when the Object/Applet tag is
encountered and, from then on, all "codebase" checks must match that same IP
address?

Is it just an ASCII string check, so that one relative -vs- one absolute URL
specification could point to the same address yet fail the check?

But then, when it comes to UDP messages arriving at an Applet's socket, when
only the IP address is available, what criteria is used to say "Hey, did
this message come from my codebase?

Is the equivalent a C gethostent() call performed, and *all* alias addresses
and names are checked to say "It's in there somewhere"? (This would be nice
:-)

http://java.sun.com/sfaq/#socketOrig

says whatever name or number that was used to get the applet.

But that doc is from Java 1.1, so I would suggest a little test to check
if it has been changed since 1997 !

Arne

Hi Arne,

Thanks once more for your replies over the many months/years!

>
http://java.sun.com/sfaq/#socketOrig

I doubt that's the definitive work on the subject :-)

says whatever name or number that was used to get the applet.

Yeah, but what about the incoming UDP message-source check that must be
comparing IP addresses? When is the applet codebase address resolution
performed? (Please see the Tier3Pager and Tier3Talk classes below) And what
about that DNS cluster/interface load balancing?

Someone must have the source somewhere? Called a "Policy Manager/enforcer"
or some such? I'm guessing that consistency in this grey-area of "rules"
(more like guidelines realy :-) may be worthwhile across JVM
implementations?

Cheers Richard Maher

/**
* Copyright Tier3 Software. All rights reserved.
*
* Author: Richard Maher
*
**/

import java.applet.Applet;
import java.awt.*;
import java.net.*;
import java.io.IOException;
import netscape.javascript.JSObject;
import netscape.javascript.JSException;

public class Tier3Pager extends Applet
{
private String hostName;
private JSObject browser;
private static MessageThread socketThread;
private static Tier3Talk chat;

public class MessageThread extends Thread
{
private DatagramSocket socket;
private DatagramPacket packet;
private String threadData;

public MessageThread(String name, String txt) throws Exception
{
super(name);

byte[] buffer;
threadData = txt;

String port = getParameter("PORT");
String maxBuf = getParameter("MAXBUF");
try
{
if (port == null)
socket = new DatagramSocket();
else
socket = new DatagramSocket(Integer.parseInt(port));

if (maxBuf == null)
buffer = new byte[512];
else
buffer = new byte[Integer.parseInt(maxBuf)];

packet = new DatagramPacket(buffer, buffer.length);
}
catch (Exception e)
{
e.printStackTrace();
System.out.println("Unable to create UDP Socket");
throw new Exception("Message thread could not be created");
}

setDaemon(true);
start();
}

public void shutdown()
{
socket.close();
}

public int getLocalPort()
{
return socket.getLocalPort();
}

public InetAddress getLocalAddress()
{
return socket.getLocalAddress();
}

public void run()
{
System.out.println("Started Message thread. ThreadData = " +
threadData);
String args[] = {"Started Message Thread " + threadData};
browser.call("alert", args);
boolean stopThread = false;

readLoop:
while (!stopThread)
{
try
{
socket.receive(packet);
String received = new String(packet.getData(), 0,
packet.getLength());
processMessage(received);
}
catch (SocketException e)
{
System.out.println("Shutting up shop");
stopThread = true;
continue readLoop;
}
catch (IOException e)
{
e.printStackTrace();
System.out.println("Unable to retrieve UDP message");
}
}

System.out.println("Thread run() unit terminating");
}

public void processMessage(String msgText)
{
int msgType = Integer.parseInt(msgText.substring(0,2));
switch (msgType){
case 1:
chat.append(msgText.substring(2));
break;
case 2:
String args[] = {msgText.substring(2)};
try {browser.call("priceUpdate", args);}
catch (JSException e)
{
System.out.println("Error when calling JS
priceUpdate()");
}
break;
default:
System.out.println("Unknown rec type
"+msgText);
}
}
}

public void init()
{
System.out.println("Initializing. . .");
hostName = getCodeBase().getHost();

chat = new Tier3Talk("Tier3 Messages");
requestFocus();

browser = JSObject.getWindow(this);

if (socketThread == null)
{
try
{
socketThread = new MessageThread("MsgDaemon", "SomeData");
}
catch (Exception e)
{
e.printStackTrace();
System.out.println("Could not init Tier3Pager");
}
}
}

public void alert(String alertText)
{
String args[] = {alertText};
browser.call("alert", args);
}

public void destroy()
{
if (chat != null)
chat.dispose();

boolean stillDying;

if (socketThread != null){
socketThread.shutdown();
do
{
stillDying = false;
System.out.println("Joining MessageThread");
try {socketThread.join();}
catch (InterruptedException e){
System.out.println("Interrupted Join");
stillDying = true;
}
} while (stillDying);

socketThread = null;
}

System.out.println("Tier3Pager Applet Rundown complete");
super.destroy();
}
}

/**
* Copyright Tier3 Software. All rights reserved.
*
* Author: Richard Maher
*
**/

import java.awt.*;
import java.awt.event.*;

public class Tier3Talk extends Frame
implements WindowStateListener
{
TextArea chatPanel = new TextArea("Server messages will appear
below: -", 10, 50);
Toolkit toolkit = Toolkit.getDefaultToolkit();
boolean windowDown = true;

public Tier3Talk(String heading)
{
super(heading);
setBackground(Color.gray);

chatPanel.setEditable(false);

Panel panel = new Panel();
panel.setLayout(new FlowLayout(FlowLayout.CENTER));
panel.add(chatPanel);
add("Center", panel);

Dimension screenDim = toolkit.getScreenSize();
pack();
Dimension windowDim = getSize();
setLocation((screenDim.width - windowDim.width),(screenDim.height -
windowDim.height));

setResizable(false);
addWindowStateListener(this);
setExtendedState(Frame.ICONIFIED);
setVisible(true);
}

public void append(String newMsg)
{
chatPanel.append("\n" + newMsg);
if (windowDown)
setExtendedState(Frame.NORMAL);
toolkit.beep();
}

public void windowStateChanged(WindowEvent we)
{
switch (we.getNewState())
{
case Frame.ICONIFIED:
windowDown = true;
break;
case Frame.NORMAL:
windowDown = false;
break;
default:
System.out.println("Event of no interest" +
we.getNewState());
}
}
}
"Arne Vajhøj" <ar**@vajhoej.dkwrote in message
news:48***********************@news.sunsite.dk...

Richard Maher wrote:

Can someone please tell me the strategy(ies) used by Java (the Security
Manager or whatever) to determine if a given IP address conforms to the
definition of the codebase from which an applet was retrieved?

For example, if an Applet was loaded from mycluster.mydomain.com, and
"mycluster" was a cluster alias that was using DNS load-balancing (or
round-robin or a.n.other distribution technique) to distribute client
connections among available nodes in the cluster, could such an unsigned
applet connect a socket to *any* of the available nodes or interface
addresses?

Is the DNS translation done only once when the Object/Applet tag is
encountered and, from then on, all "codebase" checks must match that

same IP

address?

Is it just an ASCII string check, so that one relative -vs- one absolute

URL

specification could point to the same address yet fail the check?

But then, when it comes to UDP messages arriving at an Applet's socket,

when

only the IP address is available, what criteria is used to say "Hey, did
this message come from my codebase?

Is the equivalent a C gethostent() call performed, and *all* alias

addresses

and names are checked to say "It's in there somewhere"? (This would be

nice

:-)

http://java.sun.com/sfaq/#socketOrig

says whatever name or number that was used to get the applet.

But that doc is from Java 1.1, so I would suggest a little test to check
if it has been changed since 1997 !

Arne