Is Applet jar downloaded by browser or by JVM?
Assume I have below simple applet. I wonder if the http request to g开发者_开发知识库et the jar is made by the browser or by jvm. If it is made by jvm, are browser's cookies and sessions sent to server?
<APPLET
CODE="FieldTestF.class"
WIDTH="100%" HEIGHT="90"
ARCHIVE = "FieldTestF.jar"
>
This example uses an applet.
</APPLET>
The applet JAR is downloaded by the JVM. All applets are associated with an instance of a URLClassloader (or a subclass - the sun.applet.AppletClassLoader
in Sun JVMs) that is responsible for loading of all classes and resources required by an applet.
Apparently, most of the infrastructure required for loading of class files and resources is available in the Java runtime, and re-using the same would allow the Java plug-in to not worry about accessing browser internals for the most part.
I'll reproduce the salient parts of the OpenJDK codebase here, that performs this activity. You'll find the interesting stuff in the runLoader()
method of sun.applet.AppletPanel
:
/**
* Load the applet into memory.
* Runs in a seperate (and interruptible) thread from the rest of the
* applet event processing so that it can be gracefully interrupted from
* things like HotJava.
*/
private void runLoader() {
if (status != APPLET_DISPOSE) {
showAppletStatus("notdisposed");
return;
}
dispatchAppletEvent(APPLET_LOADING, null);
// REMIND -- might be cool to visually indicate loading here --
// maybe do animation?
status = APPLET_LOAD;
// Create a class loader
loader = getClassLoader(getCodeBase(), getClassLoaderCacheKey());
// Load the archives if present.
// REMIND - this probably should be done in a separate thread,
// or at least the additional archives (epll).
String code = getCode();
// setup applet AppContext
// this must be called before loadJarFiles
setupAppletAppContext();
try {
loadJarFiles(loader); // <-- this is what loads the JAR files
applet = createApplet(loader);
...
Also, getting the browser to fetch the resources would complicate matters for the Java security model. This is in part, due to the fact that applets use their own AccessControlContext
that has been setup for them. This context has a default set of permissions that are added to it when the applet is being initialized; the set includes the SocketPermission
to connect to the server hosting the codebase, or the FilePermission
allowing read access to the filesystem containing the codebase. If resource loading were to be done by the browser, then depending on how the plug-in is implemented the checks might simply not be performed leading to a possible break-down of the security model.
You can confirm the resource loading behavior of the JVM by looking at the network traffic, as indicated in the other answer. I'll post the screenshot from Fiddler as confirmation. The process column indicates which OS process is responsible for sending out the request (in this case it happens to be the Java application launcher java.exe
). Apologies for the apparent poor quality of the image - you'll need to resize the image or open it in a new window.
I suppose I could have looked it up, but it seemed much more fun to sniff the connection between the browser and the server to find an answer.
It turns out the request is done by the JVM. This is observable because:
- The user agent is
Mozilla/4.0 ([OS here]) Java/[Java version here]
instead of whatever your browser sends; - The applet file request does not originate from the same port the browser requests come from;
- The browser does not acknowledge the requests in the request logs & developer tools.
However, the browser seems to pass cookies along to the JVM when it issues the HTTP request, which means your session data should be available.
精彩评论