Java Security FAQ: Reading File Info


Here's an applet that tries to ...
  1. check for the existence of the file /var/mail/root
  2. check the file type
  3. check if that file is a directory
  4. check the timestamp when the file was last modified
  5. check the file's size
  6. create a directory
  7. rename the file
  8. list the files in this file (as if it were a directory)
  9. check to see if the file can be read
  10. check to see if the file can be written

All ten tests should raise security exceptions when this applet is loaded into Netscape Navigator 2.0.

In the appletviewer, all ten tests should raise a security exception unless acl.read and acl.write are set to specifically allow this sort of access.

Here's the source.

If you add

	acl.read=/var/mail/root
	acl.write=/var/mail 

to your ~/.hotjava/properties file, and if you're using the appletviewer to view this page, then most of the above probes will get through to your file system.

Conclusion: Don't add files or directories to acl.read or acl.write in ~/.hotjava/properties if you don't want applets to get information about files in those areas, create directories on your system, or rename files on your system.
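
One way to audit that file, as an added example (not part of the original FAQ or the applet's source): the Python below reads properties text and reports which of acl.read and acl.write open a given path to applets. It assumes that multiple entries are separated by ':' and that an entry covers the named path and everything beneath it; the function names and the sample file contents are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample: the two lines from the FAQ plus a placeholder setting.
SAMPLE_PROPERTIES = """\
# ~/.hotjava/properties (constructed sample)
example.setting=1
acl.read=/var/mail/root
acl.write=/var/mail
"""

def parse_acls(text):
    """Return {'acl.read': [paths], 'acl.write': [paths]} from properties text."""
    acls = {"acl.read": [], "acl.write": []}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines and anything that is not key=value.
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in acls:
            # Assumption: several entries are separated by ':'.
            acls[key] += [PurePosixPath(p.strip())
                          for p in value.split(":") if p.strip()]
    return acls

def covers(entry, target):
    """Assumption: an entry exposes itself and everything beneath it."""
    return target == entry or entry in target.parents

def exposure(text, target):
    """Return the sorted list of ACL keys that open `target` to applets."""
    target = PurePosixPath(target)
    acls = parse_acls(text)
    return sorted(key for key, entries in acls.items()
                  if any(covers(e, target) for e in entries))

if __name__ == "__main__":
    for path in ("/var/mail/root", "/var/mail/newdir", "/etc/passwd"):
        print(path, exposure(SAMPLE_PROPERTIES, path) or "not exposed")
```

With the sample above, /var/mail/root is reported under both keys, while a not-yet-existing /var/mail/newdir is reported under acl.write only, which is why the directory-creation and rename probes get through.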

