13

Is there any interaction between applets and their hosting browser when making HTTP requests, or are requests made completely independently of native browser code?

Specifically, do Java applets running in a browser have some implicit way of sharing the browser's session state and cache?

I've read a few posts from non-authoritative sources saying that when an applet makes an HTTP request it will use the browser's cache, and that it will also have access (somehow) to the browser's cookies.

Tests I've done using URLConnection suggest that this is not the case, and my gut feeling is that it sounds far too convenient to be true. I would assume that nothing in the JVM knows anything about the world outside of that JVM, meaning the only other way this could work would be if the JVM implementation is specific to the browser and its implementation of the URL-related methods delegates to native browser code?

If cookie data is not implicitly shared or available, is the best practice to pass a session ID in a param tag to the applet? Are there security concerns with this approach? If the applet doesn't use the browser's cache for requests, how does caching requests in an applet work?

DeejUK
  • [Possible duplicate](http://stackoverflow.com/questions/1962823/can-java-applets-not-signed-create-read-cookies) – npe Jun 20 '12 at 07:45
  • "I would assume that nothing in the JVM knows anything about the world outside of that JVM, meaning the only other way this could work would be if the JVM implementation is specific to the browser and its implementation of the URL-related methods delegates to native browser code?" - I think your assumption is right. For your caching related query, see http://stackoverflow.com/questions/10103477/caching-in-java-applets – Suresh Kumar Jun 20 '12 at 08:53

5 Answers

5

Applets are executed by the Java Plugin, which is a browser plugin. The applet is indeed part of an HTML page loaded by the browser, can communicate with the browser DOM and with JavaScript code in the page, and uses the browser to send requests to its originating server.

See http://docs.oracle.com/javase/tutorial/deployment/applet/appletExecutionEnv.html and http://docs.oracle.com/javase/tutorial/deployment/applet/server.html for more information.

JB Nizet
5

My testing with Windows 7, Java 1.6.23 and Firefox, Chrome and Internet Explorer is that HttpURLConnections from within an applet's JVM interact in no way with the browser. They don't use the cache, and don't have cookie headers added.

DeejUK
  • Confirmed - I recently added Spring Security to a site that contains an applet that accesses secured resources on the site. The applet no longer works, since it's missing the authentication token in the cookie. – mdma Oct 22 '12 at 08:37
2

I think it depends on the Java plugin. My experience is that usually it uses the browser cache for network connections, and usually it transmits the cookies. I have had to empty the browser cache before to get a new file in an applet.

If you look at the Oracle Java 7 Plugin Control Panel, you will see an option in the network parameters to use direct connections for the applets, but the default is to use "browser parameters".

As for the cookies, I have seen in the past some Java plugins that did not transmit the session cookies, in particular on MacOS X (Apple even suggested a workaround). But most developers now assume that they are transmitted, and in practice it usually works.

Damien
  • Would you expect a session ID to get appended to the HTTP request when using Firefox/IE9 and a `URLConnection`? That didn't work in my case. – DeejUK Jun 20 '12 at 08:40
  • I would expect it if the session ID is in a cookie. If it's in the URL, well, the URL would just have to be complete. If it doesn't work for you, I don't know why. – Damien Jun 20 '12 at 09:12
1

Applets do not share the session information by default, but you can pass the session ID via an applet parameter while initializing, and use the session ID for each HTTP request.

18bytes
  • Right now I am passing the session ID as a parameter of the applet and using this session ID for authentication when any request is made via the applet to the server. After some searching I read your suggestion, but my question to you is: is there any security risk in using this approach? – Mihir May 25 '13 at 04:28
0

Applets can interact with the browser to make HTTP requests via JavaScript calls.

If you use any Java HTTP APIs, e.g. URLConnection, Apache HttpClient, or java.net.Socket, these libraries will not interact with the browser. They behave as if they were in a standalone JVM. Caching is dependent on the API you use; Apache HttpClient has a cache. URLConnection lets you write your own cache easily enough.

You cannot directly access the existing cache in JavaScript yet; it's coming, though. https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

A param tag cannot change once the page is rendered, e.g. OAuth tokens need refreshing periodically. You could fetch cookies from the browser via JavaScript and manually add them to a Java-initiated HTTP request. This mechanism allows them to be updated.

There is not much added risk in sharing a cookie. You would have to remove the HttpOnly flag on the cookie if there is one.

If you are allowing Java in the browser, your users are letting you do pretty much anything. Java inside the browser does have a sandbox, but it's worryingly easy to break out. If you can design apps without Java, they will be much more secure for users.

From the point of view of the person writing the Applet, Java is secure and much more flexible than JavaScript in a Browser.

teknopaul
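The answers above describe handing the applet a session ID (through a param tag or read from the page via JavaScript) and attaching it to each request by hand. The following is an added example, not code from any of the answers: it sends the ID as a `Cookie` header only to the applet's own HTTPS origin and rejects values that could inject extra headers. The class name, the `sessionId` parameter name and the `JSESSIONID` cookie name are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public final class SessionRequests {
    private final URL codeBase;
    private final String cookieHeader;

    public SessionRequests(URL codeBase, String cookieName, String sessionId) {
        if (!"https".equals(codeBase.getProtocol()))
            throw new IllegalArgumentException("session ID would travel in clear text");
        // Token characters only: rejects CR/LF, ';' and spaces (header/cookie injection).
        if (sessionId == null || !sessionId.matches("[A-Za-z0-9._-]{16,128}"))
            throw new IllegalArgumentException("missing or malformed session ID");
        this.codeBase = codeBase;
        this.cookieHeader = cookieName + "=" + sessionId;
    }

    /** Opens (does not yet connect) a request that carries the session cookie. */
    public HttpURLConnection open(String relativeOrAbsolute) throws IOException {
        URL target = new URL(codeBase, relativeOrAbsolute);
        boolean sameOrigin = target.getProtocol().equals(codeBase.getProtocol())
                && target.getHost().equalsIgnoreCase(codeBase.getHost())
                && effectivePort(target) == effectivePort(codeBase);
        if (!sameOrigin)
            throw new SecurityException("refusing to send session cookie to " + target.getHost());
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setInstanceFollowRedirects(false); // only the URL checked above is requested
        conn.setRequestProperty("Cookie", cookieHeader);
        return conn;
    }

    private static int effectivePort(URL u) {
        return u.getPort() != -1 ? u.getPort() : u.getDefaultPort();
    }

    public static void main(String[] args) throws IOException {
        // Constructed values; in an applet use getCodeBase() and getParameter("sessionId").
        SessionRequests s = new SessionRequests(new URL("https://app.example.test/applet/"),
                "JSESSIONID", "c0nstructed-0123456789abcdef");
        System.out.println("would request " + s.open("../api/report").getURL());
        try {
            s.open("https://other.example.test/collect"); // different host: rejected
        } catch (SecurityException expected) {
            System.out.println(expected.getMessage());
        }
    }
}
```

`openConnection()` does not touch the network, so `main` runs offline; a real applet would go on to read the response from the returned connection.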