Disclaimer: This information comes from sources that cannot be verified. As such, make no assumptions about its completeness or accuracy. We endeavor to keep this information up to date as much as possible. Feel free to send comments/updates to the Security News Editor.



November 17, 1997, Section: News & Analysis

Sun Changes Security Framework For Java Development Kit

By David Joachim

Java is about to break out of its box.

Version 1.2 of Sun Microsystems' Java Development Kit (JDK) is being outfitted with a new security framework that gives Java applications greater access to local resources outside the so-called "sandbox" where Java code executes.

The sandbox architecture itself was a security mechanism designed to protect local files and applications from bad Java code by keeping them separate. In JDK 1.1, users were given a sort of "on-off" switch that let Java apps leverage local resources such as a resident user interface. But when the switch was turned on, Java code had the run of the drive, said Li Gong, a Java security architect in Sun's JavaSoft unit.

"It was very black and white," he said. "Either an application had full access or no access."

With JDK 1.2, developers can assign different permissions for different files, or even small portions of files, on a temporary or permanent basis. They can also govern whether Java code has read or write privileges.

"Everything is negotiable," said Gong, adding the result is a series of smaller sandboxes rather than the elimination of that concept.

That kind of tight access control is seen as especially important in E-commerce transactions, where buyers, sellers and middlemen require access to different kinds of data. For example, a consumer would want his credit card company to access different local data than the merchant he is paying.

JDK 1.2 is in limited pilot tests now and will enter beta testing next month. It is expected to be commercially available in the first quarter of next year.

J.P. Morgenthal, an analyst at NC.Focus, said the upgrade should enable more robust, multi-tier applications and obviate the need to use CGI scripting between Java apps running on separate servers.

"For enterprise applications you need this type of control," he said.

In other Java news, the International Standards Organization is expected to disclose this week the results of an international vote on Sun's application of Java as an ISO standard.

The American National Standards Institute, which is the U.S. arm of ISO, recently voted no, but as of last week was the only country to do so. Sun needs a majority among the 27 countries that make up ISO.

Such an approval would be a first, analysts said. Vendors are not ordinarily granted standard status while retaining control over patent and trademark rights.

If the vote goes in Sun's favor, it would amount to an approval to submit a specification. Upon submission, it goes to the ISO's Joint Technical Committee, where a vote takes six months, said Lisa Rajchel, secretariat of the committee.

Copyright (c) 1997 CMP Media Inc.


