Java Kit Gets Better Security
- 11 January, 1998 22:00
Users are anxious to find out if the security advances in Sun Microsystems Inc.’s latest Java Development Kit (JDK) live up to their billing.
Sun released the beta version of its JDK 1.2 about two weeks ago, highly touting its new and improved security features. Aside from giving users Java Foundation Classes and new JavaBean components, Version 1.2 was designed to let developers customize the security in their applications to give different users different privileges, depending on their role in the organization and their ability to use the software.
JDK 1.2 also was designed to give applets access to more system resources while still keeping them away from integral areas of the system where a rogue applet could do serious damage, such as shutting down systems and deleting or changing files.
"I’m very capable, so the chances of me screwing up a file or downloading a bad applet are slim," said Tom Obrey, chief operating officer at PixelMedia Inc., a multimedia development company in Portsmouth, New Hampshire. "But there are other people here who shouldn’t have full access. Before this modification, customizing access accurately was impossible."
Li Gong, a Java security architect at JavaSoft, the Java-focused arm of Sun, said the company rewrote Java’s security model for the new version of the JDK.
Under the previous model, the Java-enabled system would identify an applet being downloaded and automatically give it very limited access to the system. The new version of the JDK, which would be built in to a browser, would be able to identify the applet and the resources it requires, then approve that access if it meets criteria set by the user.
"An applet may just want to display a Web page," Gong said. "And it may only need to get into the font file, and that’s OK. Before, it wouldn’t have been let into any files."
"The programmers will go nuts over this," said Frank Manci, network technical manager at Colonial Savings F.A. in Fort Worth, Texas. "It gives them more control. That’s what they need."
Obrey added that he also needs his applets to be more powerful, and he said that is what he believes developers will get with JDK 1.2.
"It gives you options other than yes or no," he said. "Instead of giving blanket instructions for every applet that comes in, access can be more tailored to what it needs to do."
Jack Grimes, a senior vice president at San Francisco-based Visa International Inc., said he is looking forward to getting better control with JDK 1.2.
"Right now, there’s no way to download an applet and store information locally," Grimes said. "That provides protection, but it’s not all black-and-white. Sometimes, operators want to download something and change their machine. This allows them to do that in a secure way."
JDK 1.2 is expected to be generally available by midyear.