Is the applet loaded by the browser or the JVM?

Suppose I have a simple applet. I wonder if the HTTP request to get the JAR is made by the browser or the JVM. If it is made by the JVM, are the browser's cookies and session sent to the server?

    <APPLET CODE="FieldTestF.class" WIDTH="100%" HEIGHT="90" ARCHIVE = "FieldTestF.jar" >
    This example uses an applet.
    </APPLET>
+6
2 answers

The applet JAR is loaded by the JVM. All applets are associated with an instance of URLClassLoader (or a subclass, sun.applet.AppletClassLoader, in the Sun JVM), which is responsible for loading all the classes and resources needed for the applet.

Apparently, most of the infrastructure required to load class files and resources is available in the Java runtime, and reusing it allows the Java plugin not to worry about accessing the browser's internal functions.

I will reproduce here the essential parts of the OpenJDK code base that perform this operation. You will find the interesting part in the runLoader() method of sun.applet.AppletPanel:

    /**
     * Load the applet into memory.
     * Runs in a seperate (and interruptible) thread from the rest of the
     * applet event processing so that it can be gracefully interrupted from
     * things like HotJava.
     */
    private void runLoader() {
        if (status != APPLET_DISPOSE) {
            showAppletStatus("notdisposed");
            return;
        }

        dispatchAppletEvent(APPLET_LOADING, null);

        // REMIND -- might be cool to visually indicate loading here --
        // maybe do animation?
        status = APPLET_LOAD;

        // Create a class loader
        loader = getClassLoader(getCodeBase(), getClassLoaderCacheKey());

        // Load the archives if present.
        // REMIND - this probably should be done in a separate thread,
        // or at least the additional archives (epll).

        String code = getCode();

        // setup applet AppContext
        // this must be called before loadJarFiles
        setupAppletAppContext();

        try {
            loadJarFiles(loader); // <-- this is what loads the JAR files
            applet = createApplet(loader);
            ...

In addition, having the browser retrieve resources would complicate matters for the Java security model. This is partly because applets use their own AccessControlContext, which is configured for them. This context has a default permission set that is added to it when the applet is initialized; the set includes a SocketPermission for connecting to the server hosting the code base, or a FilePermission allowing read access to the file system containing the code base. If the loading of resources were performed by the browser, then depending on how the plugin is implemented, the checks might simply not be performed, which would lead to a possible collapse of the security model.

You can confirm the JVM resource-loading behavior by looking at network traffic, as indicated in the other answer. I am posting a screenshot from Fiddler as confirmation. The process column indicates which OS process is responsible for sending the request (in this case, it is java.exe, the Java application launcher). Apologies for the seemingly poor image quality; you will need to resize the image or open it in a new window.

Fiddler capture of applet download

+6

I suppose I could watch this, but it would be much more interesting to sniff the connection between the browser and the server to find the answer.

It turned out that the request is being executed by the JVM. This can be observed because:

  • The User-Agent is Mozilla/4.0 ([OS here]) Java/[Java version here] instead of the one your browser sends;
  • The request for the applet file does not come from the same port that the browser's requests come from;
  • The browser does not acknowledge the request in its request logs and developer tools.

However, the browser seems to send cookies along with the JVM when it issues an HTTP request, which means your session data must be available.

+5
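
The observations in the answers above (a `Java/<version>` User-Agent on the JAR request, and cookies accompanying it) can also be checked from the server side. The following is an added example, not part of either answer: it classifies access-log requests as browser or JVM and reports whether a cookie was sent. The log format with a trailing cookie field, the sample lines and the function names are assumptions.

```python
import re

# Constructed sample access-log lines (combined format plus a trailing quoted
# Cookie field, an assumed custom log format). Not captured from a real server.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /page.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/7.0" "JSESSIONID=abc123"
203.0.113.7 - - [10/Oct/2011:13:55:37 +0000] "GET /FieldTestF.jar HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26" "JSESSIONID=abc123"
198.51.100.9 - - [10/Oct/2011:14:01:02 +0000] "GET /FieldTestF.jar HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (Linux 2.6.32) Java/1.6.0_20" "-"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"'
)
# User-Agent shape described in the answer: Mozilla/4.0 (<OS>) Java/<version>
JAVA_UA_RE = re.compile(r'^Mozilla/4\.0 \([^)]*\) Java/(?P<version>[\w.]+)$')


def classify_requests(log_text):
    """Return one dict per parsable log line, tagged as 'jvm' or 'browser'."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ua = JAVA_UA_RE.match(m['ua'])
        results.append({
            'ip': m['ip'],
            'path': m['path'],
            'client': 'jvm' if ua else 'browser',
            'java_version': ua['version'] if ua else None,
            'has_cookie': m['cookie'] not in ('', '-'),
        })
    return results


def jar_fetches_without_session(log_text):
    """JAR/class fetches made by a JVM that carried no cookie."""
    return [r for r in classify_requests(log_text)
            if r['client'] == 'jvm' and not r['has_cookie']
            and r['path'].endswith(('.jar', '.class'))]


if __name__ == '__main__':
    for r in classify_requests(SAMPLE_LOG):
        print(r)
```

If the JAR sits behind session-based access control, the entries returned by `jar_fetches_without_session` are the fetches that would arrive unauthenticated; the `java_version` field also shows which plugin versions clients are running.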

Source: https://habr.com/ru/post/891335/
