Java applets are loaded on a client when the user visits a page containing an applet. The security model behind Java applets has been designed with the goal of protecting the user from malicious applets.
Applets that are not signed using a security certificate are considered to be untrusted and referred to as unsigned applets. When running on a client, unsigned applets operate within a security sandbox that allows only a set of safe operations.
Applets can be signed using a security certificate to indicate that they come from a trusted source. Signed applets operate outside the security sandbox and have extensive capabilities to access the client. A signed applet will run outside the security sandbox only if the user accepts the applet's security certificate. If the user refuses to accept the certificate, the applet will run within the security sandbox similar to an unsigned applet.
With recent improvements to the Java Plug-in software, unsigned applets launched using Java Network Launch Protocol (JNLP) can safely access the client with the user's permission. It is recommended that you launch your applet using JNLP to leverage expanded capabilities and improve user experience. See Deploying an Applet for step by step instructions on applet deployment.
In this, topic we will discuss the security restrictions and capabilities of applets.
Unsigned applets can perform the following operations:
showDocument
method of the java.applet.AppletContext
class.CLASSPATH
) have none of the restrictions that applets loaded over the network do.Unsigned applets cannot perform the following operations:
Signed applets do not have the security restrictions that are imposed on unsigned applets and can run outside the security sandbox.
JavaScript code is treated like unsigned code. When a signed applet is accessed from JavaScript code in an HTML page, the applet is executed within the security sandbox. This implies that the signed applet essentially behaves likes an unsigned applet.
See Security in Rich Internet Applications for information on how to work with signed and unsigned code.
For more information about applet security dialog boxes, see Exploring Security Warning Functionality (article on oracle.com/technetwork)