Date: Wed, 24 Mar 1999 18:22:35 -0500 (EST)
From: Nick Matsakis <matsakis@ai.mit.edu>
To: faqidea@afu.com
Subject: Netscape's Overzealous Security Manager
Last month, I solved a problem with Netscape Navigator's Security manager
which had been plaguing me for weeks. I had looked all over for the
solution, including the Java FAQ and the Java Security FAQ. When I did
find the answer, I posted the following message to comp.lang.java.help. I
believe this is a common problem, and should be addressed in either of
these FAQs. Please feel free to use or modify anything written below.
Regards,
Nick Matsakis
-----------------------
Subject: Netscape's Overzealous Security Manager
For a while now, I have been trying to get Netscape Navigator to run an
applet of mine. After figuring out what was wrong, I realize that it
is a problem that some other people may run into, and so I thought I'd
share what I found.
The short answer is: Many versions of Navigator do not, by default, let
applets load resource files with arbitrary extensions. So, even if you
have a file in a jar file that came from *your* web server, Netscape
blindly throws a security exception unless your resource ends with an
appropriate extension. For more details see:
http://developer.netscape.com/docs/technote/java/getresource/getresource.html
A more detailed description of the oversight follows.
----------------
The problem occurs when using resource files. In Java 1.1 (and presumably
higher) a resource file for a class is a file that you should be able to
access no matter where your code was loaded from, the local file system,
via http, whatever. Typically a resource file is either in the same
directory as your class file or a directory below, though in principle it
can be anywhere. If you want your code to be called by an unsigned
applet, though, you put your file in the same directory as the class.
There are a number of ways to get at the resource, including methods in
the java.lang.Class and java.lang.ClassLoader. Be aware, though, that
Netscape does not implement the getResource() methods in those classes,
but only getResourceAsStream() methods. Personally, I prefer to get a
stream for a resource for a particular class Mypackage.MyClass as follows:

    import java.io.InputStream;
    // The path is resolved relative to the package of Mypackage.MyClass.
    String path = "somefile.txt";
    InputStream in = Mypackage.MyClass.class.getResourceAsStream(path);

When using resources with Netscape, there are two things to remember.
1) All resources must be in a Jar/archive file
2) They must have an approved extension, or you must call certain
functions beforehand. See the URL referenced above for more details.
Internet Explorer does not seem to have these restrictions. Though they
are supposedly enforced in the name of security, they are a design flaw.
There is no malicious or sensitive data that could be included in the same
directory as the class that could not have been merely bundled with the
class in some way. Netscape ought to be able to tell the difference
between a file on the local computer and one bundled with the Applet.
Nick Matsakis