Applet parameters

3 posts in General Discussion (old) Last posting was on 2000-03-30 02:31:23.0Z
Alistair Black Posted on 2000-03-29 13:23:52.0Z
Newsgroups: sybase.public.easerver
From: "Alistair Black" <ablack@investech-solutions.com>
Subject: Applet parameters
Date: Wed, 29 Mar 2000 14:23:52 +0100

Hi,

What are my options (if any) for running client-specific processes from
within an Applet securely?

My Applet, or the Jaguar components it utilises, needs to know the ID of the
user. We could pass this in via an Applet PARAM, but worry that it will be
exposed within the page. This "public" Applet parameter could be protected
from eavesdropping etc. via SSL, when the page is transmitted, but it is
still visible when the page source is viewed on the client. I'm concerned
that users on a LAN could browse the contents of other users' temporary
internet files folder, pick up the userid and run the cached applet from a
local web server etc. and the rest is history.

For non-Applet (pure HTML) page implementations we are relying on
PowerDynamo session variables when making server-side component calls, so as
far as I know, this poses no security risk.

Can anyone help?

Many thanks

Alistair Black


Dave Wolf [Sybase] Posted on 2000-03-29 14:26:43.0Z
Newsgroups: sybase.public.easerver
From: "Dave Wolf [Sybase]" <dwolf@sybase.com>
Subject: Re: Applet parameters
Date: Wed, 29 Mar 2000 09:26:43 -0500

I think you have two options.

1) Sign the applet and request permission to make native method calls. Then
call the appropriate WIN32 call to get the username and password.
2) Encrypt the username and password you put in the param tag so even if you
found it, it would be useless. Also mark the HTML page with a <META PRAGMA>
tag asking that it not be cached.

Dave Wolf
Internet Applications Division

"Alistair Black" <ablack@investech-solutions.com> wrote in message
news:eqMWMLYm$GA.52@forums.sybase.com...
> Hi,
>
> What are my options (if any) for running client-specific processes from
> within an Applet securely?
>
> My Applet, or the Jaguar components it utilises, needs to know the ID of the
> user. We could pass this in via an Applet PARAM, but worry that it will be
> exposed within the page. This "public" Applet parameter could be protected
> from eavesdropping etc. via SSL, when the page is transmitted, but it is
> still visible when the page source is viewed on the client. I'm concerned
> that users on a LAN could browse the contents of other users' temporary
> internet files folder, pick up the userid and run the cached applet from a
> local web server etc. and the rest is history.
>
> For non-Applet (pure HTML) page implementations we are relying on
> PowerDynamo session variables when making server-side component calls, so as
> far as I know, this poses no security risk.
>
> Can anyone help?
>
> Many thanks
>
> Alistair Black


James Stansell Posted on 2000-03-30 02:31:23.0Z
Newsgroups: sybase.public.easerver
Date: Wed, 29 Mar 2000 20:31:23 -0600
From: James Stansell <stansell@wcg.net>
Subject: Re: Applet parameters

I don't know that this is the best choice, but we've addressed this question by
creating a "session cookie" component that takes a userid and returns a unique
string, which we pass to the applet. The applet then includes this string as
one of the parameters for methods on the business components, and they query the
session component to retrieve the userid, or an error if the cookie has
timed out or is otherwise invalid.

Regards,

-james.

"Dave Wolf [Sybase]" wrote:

> I think you have two options.
>
> 1) Sign the applet and request permission to make native method calls. Then
> call the appropriate WIN32 call to get the username and password.
> 2) Encrypt the username and password you put in the param tag so even if you
> found it, it would be useless. Also mark the HTML page with a <META PRAGMA>
> tag asking that it not be cached.
>
> "Alistair Black" <ablack@investech-solutions.com> wrote in message
> news:eqMWMLYm$GA.52@forums.sybase.com...
> > What are my options (if any) for running client-specific processes from
> > within an Applet securely?
> >
> > My Applet, or the Jaguar components it utilises, needs to know the ID of the
> > user. We could pass this in via an Applet PARAM, but worry that it will be
> > exposed within the page. This "public" Applet parameter could be protected
> > from eavesdropping etc. via SSL, when the page is transmitted, but it is
> > still visible when the page source is viewed on the client. I'm concerned
> > that users on a LAN could browse the contents of other users' temporary
> > internet files folder, pick up the userid and run the cached applet from a
> > local web server etc. and the rest is history.
> >
> > For non-Applet (pure HTML) page implementations we are relying on
> > PowerDynamo session variables when making server-side component calls, so as
> > far as I know, this poses no security risk.
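
The "session cookie" component described in the last reply, sketched as an added example; it is not code from the thread or from EAServer. The class and method names, the 15-minute lifetime, the in-memory map and the sample user ID are assumptions, and the record syntax needs Java 16 or later.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side session-cookie component (illustrative names). */
public class SessionCookieComponent {
    static final long TTL_MILLIS = 15 * 60 * 1000L;   // assumed token lifetime
    private static final SecureRandom RNG = new SecureRandom();

    private record Entry(String userId, long expiresAt) {}
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();

    /** Called server-side after login; the result goes in the applet PARAM. */
    public String issue(String userId, long now) {
        byte[] raw = new byte[32];                    // 256 random bits, not derived from the user ID
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Entry(userId, now + TTL_MILLIS));
        return token;
    }

    /** Called by business components; fails closed on unknown or expired tokens. */
    public String resolve(String token, long now) {
        Entry e = (token == null) ? null : sessions.get(token);
        if (e == null) {
            throw new SecurityException("unknown session token");
        }
        if (now >= e.expiresAt()) {
            sessions.remove(token);                   // expired tokens are dropped for good
            throw new SecurityException("session token expired");
        }
        return e.userId();
    }

    /** Called at logout so a cached page no longer carries a usable value. */
    public void revoke(String token) {
        if (token != null) sessions.remove(token);
    }

    public static void main(String[] args) {
        SessionCookieComponent sc = new SessionCookieComponent();
        long t0 = System.currentTimeMillis();
        String token = sc.issue("user-1001", t0);     // constructed sample user ID
        System.out.println("PARAM value: " + token);
        System.out.println("resolved:    " + sc.resolve(token, t0 + 1_000));
        try {
            sc.resolve(token, t0 + TTL_MILLIS + 1);   // same token after the timeout
        } catch (SecurityException ex) {
            System.out.println("rejected:    " + ex.getMessage());
        }
    }
}
```

A copy of the page left in a browser cache then holds only a random token that stops resolving once it expires or is revoked, rather than the user ID itself.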