Applet Instrumentation Settings

HTTP > Applets and ActiveX > Policies | Java Applet Security Rules

Applet instrumentation settings—IWSVA can restrict Java applet behavior by inserting "instrumentation" code that dynamically monitors applet execution in the client browser and applies behavioral restrictions as directed by the policy.

Depending on how you have it configured, IWSVA can identify certain types of applet operations and insert its own code to execute both before and after those operations. If an operation is not allowed by policy, IWSVA can display a warning dialog to the requesting client (Notification > Applets and ActiveX Instrumentation), and then prevent the operation from occurring.

• Note: You can globally Enable or Disable a particular behavior and then create an Exception to that behavior for all but a specified directory on the client machines. For example, you could choose to Disable destructive applet operations for all computers on the LAN, unless they are run in from a particular directory on client machines.

• Allow applets to perform following file operations:

• Destructive operations—Disable this option to prevent applets that are capable of creating, moving, and deleting files from being downloaded to clients on your LAN.
  
  A "destructive" operation is considered to be any command that can change the state of a file or directory. Potentially destructive operations include:

• delete

• mkdir

• deleteOnExit

• mkdirs

• createNewFile

• createTempFile

• setLastModified

• renameTo
  

• Non-destructive operations—Disable this option to prevent applets that are capable of passive behaviors such as information gathering from being downloaded to clients on your LAN.
  
  A "nondestructive" operation is considered to be any command that leaves the state of a file or directory as-is:

• canRead

• canWrite

• exists

• isDirectory

• isFile

• lastModified

• length

• isHidden

• getCanonicalPath

• getCanonicalFile

• listRoots

• listFiles

• list
  

• Write—Disable this option to prevent applets from performing any Write operations on the LAN client's machine.

• Read—Disable this option to prevent applets from performing any Read operations on the LAN client's machine.

• Allows applets to perform the following network operations:

• Bind local ports—Disable this option to prevent applets downloaded to your LAN clients from being able to bind to those clients' local ports.

• Connect to their originating servers—Disable this option to prevent applets downloaded to your LAN clients from being able to contact the server from which the applet was downloaded.  

• Host connections—Disable this option to prevent applets downloaded to your LAN clients from being able to create a host connection to those client machines.

• Allows applets to perform the following thread and windows operations:

• Create new thread groups—Clear this option to prevent any malicious applets downloaded to your LAN clients from being able to start multiple threads and lock up the browser.

• Create active threads, maximum threads—Clear this option to prevent applets downloaded to your LAN clients from being able to create active process threads, or select it and enter the limit.

• Create active windows, maximum windows—Clear this option to prevent applets downloaded to your LAN clients from being able to open, or pop-up new browser windows, or select it and enter the limit. This trick of a "browser storm" is fairly common.
  

See also:

• Java Applet Security Rules

• ActiveX Security Rules