serverSocket

David M. Heintz (dheintz@sprintmail.com)
Sun, 01 Feb 1998 09:54:20 -0800

Date: Sun, 01 Feb 1998 09:54:20 -0800
From: "David M. Heintz" <dheintz@sprintmail.com>
To: java-security@web1.javasoft.com
Subject: serverSocket

In IE3 and Navigator 3, from within an unsigned/untrusted applet, I used to be able to instantiate a serverSocket on a specified port, and accept connections from the server that hosted my applet. Attempted connections from another server would cause the applet to throw a security exception, as expected. This behavior is reasonable, and consistent with the rule "Applets may only make connections to the server from which they were loaded".

Now, in IE4 and Communicator 4.x which use JDK 1.1, an exception is thrown when I attempt to instantiate the serverSocket. I understand that these browsers implement their own unique security managers, but that these are based on rules developed by Sun.

Please tell me the following:
1) Where can I find complete, unambiguous documentation on the rules for valid and invalid operations that an unsigned/untrusted applet can perform for JDK 1.1?
2) Have these rules changed from JDK 1.0? If so, what are the specific changes?
3) Is it your belief that IE4 and Communicator 4.x are implementing these rules correctly? If not, where are these browsers non-compliant--be specific please! Are these non-compliances bugs, or misinterpretations of the rules?

Thanks for your help.
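
Added example, not part of the original message and not the browsers' own security-manager code: a model of the two behaviours the message describes, built on the two java.lang.SecurityManager hooks involved, checkListen (called by the ServerSocket constructor) and checkAccept (called by ServerSocket.accept() with the peer's address). The class name, the allowListen flag, the port numbers and the addresses are constructed for illustration, and the hooks are called directly instead of being installed, since current JDKs restrict or disable System.setSecurityManager.

```java
// Added illustration. AppletSocketPolicy, allowListen and the sample
// addresses are hypothetical; only checkListen/checkAccept are JDK API.
public class AppletSocketPolicy extends SecurityManager {
    private final String originAddress; // host the applet was loaded from
    private final boolean allowListen;  // false models the JDK 1.1 browser behaviour reported above

    public AppletSocketPolicy(String originAddress, boolean allowListen) {
        this.originAddress = originAddress;
        this.allowListen = allowListen;
    }

    // Hook consulted when a ServerSocket is constructed on a port.
    @Override
    public void checkListen(int port) {
        if (!allowListen) {
            throw new SecurityException("listen on port " + port + " denied");
        }
    }

    // Hook consulted when accept() returns a connection from host:port.
    @Override
    public void checkAccept(String host, int port) {
        if (!originAddress.equals(host)) {
            throw new SecurityException("accept from " + host + " denied");
        }
    }

    // Walks the same sequence an applet would trigger: listen, then accept.
    static String probe(AppletSocketPolicy policy, String peerAddress) {
        try {
            policy.checkListen(8000);           // constructed port number
            policy.checkAccept(peerAddress, 40000);
            return "allowed";
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        String origin = "192.0.2.10";   // constructed, documentation address range
        String other = "198.51.100.7";  // constructed, documentation address range
        AppletSocketPolicy older = new AppletSocketPolicy(origin, true);
        AppletSocketPolicy newer = new AppletSocketPolicy(origin, false);
        System.out.println("older, origin peer: " + probe(older, origin));
        System.out.println("older, other peer:  " + probe(older, other));
        System.out.println("newer, origin peer: " + probe(newer, origin));
    }
}
```

The model shows where each exception arises: in the first behaviour the denial comes from checkAccept, after the socket is already listening; in the second it comes from checkListen, before any port is bound.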