2 Replies Latest reply: Oct 15, 2012 3:37 PM by 968411

    in unsigned applet: how to convert byte array to java.lang.Class

    968411
      Hi,

      In an unsigned applet: is there a way to convert a trusted byte array of Java byte code into a java.lang.Class?

      Java does not allow an unsigned applet to create a java.lang.ClassLoader [which is what I was using to do the conversion, when I ran this program locally] or alter the SecurityManager.

      I can always trust the byte array [since my program generates it from static data that I specify before runtime]. So I do not see any danger there.

      Is there some other technique besides ClassLoader that can do that conversion for me?

      In a nutshell: just want to know what is the proper way to do this conversion in an applet. (I was about to give up and just turn my applet into a signed one, but felt like it might be overkill, since I still do not see any security threat in this scenario.)

      Thank you in advance.
        • 1. Re: in unsigned applet: how to convert byte array to java.lang.Class
          DrClap
          965408 wrote:
          I can always trust the byte array [since my program generates it from static data that I specify before runtime]. So I do not see any danger there.
          That's not the right way to look at security threat assessment. The right question is more like, given any unknown byte array, is it possible that creating a class from that byte array could generate a vulnerability?

          I have to say that I don't know the answer to that. But given that applet security doesn't let you create a ClassLoader to create a class in that way, it looks as if the answer might be "Yes".

          And you're asking if there's anything other than ClassLoader which can create a new Class? Go to the API docs for Class and click on the "Use" button at the top. Scan for the phrase "that return" to find methods in the standard API which return a Class object.
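For readers following the exchange, here is an added example (not code from either poster) of the ClassLoader route the question describes and of the check DrClap refers to: the `ClassLoader` constructor calls `SecurityManager.checkCreateClassLoader()`, which demands `RuntimePermission("createClassLoader")`, a permission the applet sandbox does not grant. The class name `ByteArrayClassLoader` and the minimal sandbox-style `SecurityManager` are constructed for the example; it reuses its own compiled `.class` bytes as the input instead of the poster's generated byte array.

```java
import java.io.InputStream;
import java.security.Permission;

/** Loads exactly one class from an in-memory byte array (the conversion the question asks about). */
public class ByteArrayClassLoader extends ClassLoader {
    private final String name;
    private final byte[] bytecode;

    public ByteArrayClassLoader(String name, byte[] bytecode, ClassLoader parent) {
        // ClassLoader's constructor calls SecurityManager.checkCreateClassLoader(), i.e. it requires
        // RuntimePermission("createClassLoader"). The applet sandbox does not grant it, so this is
        // exactly the line where an unsigned applet fails with a SecurityException.
        super(parent);
        this.name = name;
        this.bytecode = bytecode.clone();
    }

    @Override
    protected Class<?> findClass(String requested) throws ClassNotFoundException {
        if (!requested.equals(name)) throw new ClassNotFoundException(requested);
        // defineClass runs the bytecode verifier, but the loader decides which ProtectionDomain (and so
        // which permissions) the new class receives; that is why creating loaders is itself privileged.
        return defineClass(name, bytecode, 0, bytecode.length);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: reuse this class's own compiled .class file so the example runs offline.
        // Defining it again under a fresh loader yields a distinct Class object with the same name.
        byte[] bytes;
        try (InputStream in = ByteArrayClassLoader.class.getResourceAsStream("ByteArrayClassLoader.class")) {
            bytes = in.readAllBytes();
        }
        Class<?> copy = new ByteArrayClassLoader("ByteArrayClassLoader", bytes, null).loadClass("ByteArrayClassLoader");
        System.out.println("defined " + copy.getName() + "; same Class as ours? " + (copy == ByteArrayClassLoader.class));

        // Model the sandbox: a SecurityManager that denies only createClassLoader. Needs a JDK that still
        // supports the SecurityManager (8 to 17; on 18+ start the JVM with -Djava.security.manager=allow).
        System.setSecurityManager(new SecurityManager() {
            @Override public void checkPermission(Permission p) {
                if (p instanceof RuntimePermission && "createClassLoader".equals(p.getName()))
                    throw new SecurityException("sandbox denies " + p.getName());
            }
            @Override public void checkPermission(Permission p, Object context) { checkPermission(p); }
        });
        try {
            new ByteArrayClassLoader("ByteArrayClassLoader", bytes, null);
            System.out.println("unexpected: loader created under the sandbox");
        } catch (SecurityException e) {
            System.out.println("under the sandbox: " + e.getMessage()); // the unsigned-applet case
        }
    }
}
```

Compile with `javac` and run the resulting class file (the in-memory source launcher does not expose the `.class` resource the example reads).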
          • 2. Re: in unsigned applet: how to convert byte array to java.lang.Class
            968411
            Thanks for the help, DrClap.

            DrClap wrote:
            965408 wrote:
            I can always trust the byte array [since my program generates it from static data that I specify before runtime]. So I do not see any danger there.
            That's not the right way to look at security threat assessment. The right question is more like, given any unknown byte array, is it possible that creating a class from that byte array could generate a vulnerability?

            I have to say that I don't know the answer to that. But given that applet security doesn't let you create a ClassLoader to create a class in that way, it looks as if the answer might be "Yes".
            Ok, I think I understand now why using the ClassLoader requires me to sign my applet: it is not about me trusting my own byte array, but rather the end-user needs to know that it can trust the Class I would be creating.

            And you're asking if there's anything other than ClassLoader which can create a new Class? Go to the API docs for Class and click on the "Use" button at the top. Scan for the phrase "that return" to find methods in the standard API which return a Class object.
            I appreciate the idea. I wasn't able to find anything else available, though (e.g. an "UnsignedClassLoader" or "UnsecureClassLoader" that saves you the trouble of having to sign your applet).

            Looks like signing my applet is the correct thing to do.

            Thanks again.