United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-4876235 : SocketService - Allow user to grant app "connect" permission to hosts other than the download host.

Details
Type:
Enhancement
Submit Date:
2003-06-09
Status:
Resolved
Updated Date:
2005-06-13
Project Name:
JDK
Resolved Date:
2005-06-13
Component:
deploy
OS:
linux
Sub-Component:
webstart
CPU:
x86
Priority:
P3
Resolution:
Fixed
Affected Versions:
1.4.2
Fixed Versions:

Related Reports
Relates:

Sub Tasks

Description

Name: nt126004			Date: 06/09/2003


A DESCRIPTION OF THE REQUEST :
JWS is missing a SocketService that works the same way the PersistenceService, PrintService, ClipboardService, etc.. work.

JUSTIFICATION :
There is a clear need to interoperate with and leverage existing corporate services. Currently secure Java applications (unsigned) are unable to interoperate with existing corporate services solely because of a lack of a SocketService. Examples of Java's inability to interoperate:
1. Web Services (SOAP)
2. WebDAV
3. Access to financial systems (ACCPAC, QuickBooks, etc... which use TCP/XML to communicate)

Signing applications is a step backwards to the virus and spyware ridden world of the 1990's. A SocketService gives the user total control over when a TCP connection is made and where it is made to. I believe that this is the last missing service and that fine-grained security manager would be unnecessary if a SocketService were available.

I have written a short paper on why signing applications is a non-starter here:
http://www.scheduleworld.com/itsYourLife.html

Running unsigned applications is the perfect secure system and a special edge that .NET does not have.

However, obviously the inability to work together with other services over the network (doesn't McNealy state the N in SUN stands for Network?) is a serious oversight. Please correct it.

Thank you.
(Review ID: 187392) 
======================================================================

                                    

Comments
SUGGESTED FIX

see webrev at: http://web-east.east/www/webrevs/andy/1.6.0/4876235/
###@###.### 2005-2-04 15:39:23 GMT
                                     
2005-02-04
EVALUATION

This sounds like a very usefull rfe, unfortunately, we have just finished our proposed specification changes for tiger, and may not be able to implement this untill mustang, unless it is escallated.
###@###.### 2003-06-16

It may be possible to implement this w/o an API or a spec change, similar to how printing is now handled through the security manager.
If we override checkPermission in JavaWebStartSecurity, we can catch a security exception and just re-throw if not asking for a socket permission, or if configuration dosn't allow or user doesn't accept a security dialog.

###@###.### 2005-1-06 16:51:37 GMT
                                     
2005-01-06



Hardware and Software, Engineered to Work Together