Can my Applets be (mis)used offline?

Jacob

I've created an Applet. It is deployed on a site where users
sign in with id/password. The Applet is signed (in order for
the program to utilize java.util.Preferences).

Can the Applet somehow be used after the session has ended?
And in case it can: What would be a simple approach to avoid
this?

Thanks.
 
Tor Iver Wilhelmsen

Jacob said:
Can the Applet somehow be used after the session has ended?

Yes; it gets downloaded to the client's computer, and so will be
available to use by them.

And in case it can: What would be a simple approach to avoid
this?

Send the jar file in a way that tells the browser not to cache it
could be one approach, but won't prevent someone from using something
else than a conforming browser to download it.
 
Chris Uppal

Jacob said:
Can the Applet somehow be used after the session has ended?

Think of it like this: if you put an applet on a web-page then you have /given/
the applet to anyone who visits that page.

Whether that applet (or the source potentially recovered by decompiling it) has
any value to anyone, independently of your webpage, is another matter -- that
depends on what the applet does.

And in case it can: What would be a simple approach to avoid
this?

Not a lot. If you really think it's worthwhile then you could obfuscate the
applet.

An alternative approach would be to put the applet on a webpage which can only
be reached via a click-through license in which each user agrees not to
decompile the applet nor use it outside that webpage.

-- chris
 
Jacob

Chris said:
Not a lot. If you really think it's worthwhile then you could obfuscate the
applet.

I am not too concerned about those who really, really, really
want to steal the product. The applet is not of a kind which
makes this worthwhile.

It is more a question of whether a layman is able to pick up
the .jar from the browser cache (or wherever it is put when
you access it) and execute it after the specific HTTP session
is closed?

And if there is some simple way of preventing this, typically
by verifying in the applet that certain HTTP parameters are
valid?

Thanks.
 
Chris Uppal

Jacob said:
It is more a question of whether a layman is able to pick up
the .jar from the browser cache (or wherever it is put when
you access it) and execute it after the specific HTTP session
is closed?

Depends on the layman ;-)

I doubt if there are many people reading this newsgroup (if any) who couldn't
pull the applet out of the browser cache with ease, or who wouldn't know what
to do with it once they had done so. But that is not at all representative of
the general population.

I have absolutely no basis for quoting statistics, so I'll just invent a
number... I'd guess that fewer than 10%, probably fewer than 5%, of "ordinary"
users would have any idea how to pull an applet out of the cache (or otherwise
download it separately from the webpage), or any interest in doing so.

But that doesn't settle the question (or rather, it wouldn't even if I hadn't
just invented the numbers); since you may also need to consider whether that
minority of technically savvy users might copy your applet and make it
available to others who don't have the same skills themselves.

It occurs to me that one, moderately simple (but not totally reliable) way of
tying an applet to its intended host webpage would be to use the DOM API to
inspect the containing page, and see if it has the expected contents. There's
a simple example, and references to further documentation here:

http://www.javaworld.com/javaworld/jw-06-2005/jw-0627-plugin.html?page=3

I have never used this myself, so I don't know how many problems you'll
encounter. Google suggests that (a) Opera doesn't implement it at all, and (b)
the implementations in other browsers are incomplete. But, if you are writing
your applet for the Java plugin at all, it may give you some extra options.

-- chris
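
Added example (not code from any poster in this thread): one way to do the check Jacob asks about, where the applet refuses to start unless it was loaded from the expected host and the server still recognises its session. The host name, the `/session/check` endpoint and the `sessionToken` applet parameter are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Added example: gate applet start-up on a live server-side session. */
public final class SessionGate {
    // Assumptions: host name and endpoint path are placeholders.
    private static final String EXPECTED_HOST = "app.example.com";
    private static final String CHECK_PATH = "/session/check";

    /**
     * Call from Applet.init():
     *   SessionGate.sessionIsLive(getDocumentBase(), getParameter("sessionToken"))
     * and skip building the UI when it returns false ("sessionToken" is hypothetical).
     */
    public static boolean sessionIsLive(URL documentBase, String token) {
        // A jar run from a local copy has no https document base and no token.
        if (documentBase == null || token == null || token.isEmpty()) return false;
        if (!"https".equals(documentBase.getProtocol())) return false;
        if (!EXPECTED_HOST.equalsIgnoreCase(documentBase.getHost())) return false;

        HttpURLConnection conn = null;
        try {
            URL check = new URL("https", EXPECTED_HOST, CHECK_PATH);
            conn = (HttpURLConnection) check.openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setUseCaches(false);
            conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            byte[] body = ("token=" + URLEncoder.encode(token, "UTF-8"))
                    .getBytes(StandardCharsets.UTF_8);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body); // token goes in the POST body, not the URL
            }
            // The server answers 200 only while the session behind the token exists.
            return conn.getResponseCode() == HttpURLConnection.HTTP_OK;
        } catch (IOException e) {
            return false; // fail closed: no network or no server means no applet
        } finally {
            if (conn != null) conn.disconnect();
        }
    }
}
```

This check runs inside a jar the user already holds, so it stops casual reuse of a cached copy but not someone who edits the class out. Anything that must stay protected after logout has to be enforced by the server on each request.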
 
