Lunch in JavaWorld

If you didn't lose your appetite after searching through the innards of a visible human, take a lunch break with JavaWorld, an online magazine for Java programmers and other Internet developers. The JavaWorld website is available at http://www.javaworld.com.

JavaWorld offers how-to articles, news stories related to Java development, and other regular features. One of the advantages of the publication's web format is that it can display functional Java programs in conjunction with articles. Figure 3.3 shows a Java "poetry magnet board" in a tutorial that describes how it is written.

Figure 3.3. A JavaWorld how-to article on how to create a "poetry magnet board" includes a working example of the program.

[View full size image]

By the Way JavaWorld occasionally moves things around, but at the time of this writing, you can go directly to the poetry magnet board tutorial at http://www.javaworld.com/ jw-04-1998/step/poetry.html. If that page is unavailable, use the site's search engine to look for the word "poetry."

In addition to offering information of benefit to Java programmers, JavaWorld publishes articles and commentary about the language and its development. One issue that has been hotly debated since Java's introduction is whether the language is secure.

Security is important because of the way Java programs work when they are placed on a web page. The Java programs you have tried during this hour were downloaded to your computer. When the program was finished downloading, it ran on your computer. It was as though someone sat down at your computer, popped in a disc, and ran his or her own program.

Unless you know a whole lot of people, most of the web pages you visit will be published by strangers. In terms of security, running their programs isn't a lot different than letting the general public borrow your computer on alternate weekends. If the Java language did not have safeguards to prevent abuse, its programs could introduce viruses onto your system, delete files, play the collected works of Ashlee Simpson, and do other undesirable things. Java includes several different kinds of security to make sure that its programs are safe when run from web pages.

The main security is provided by the following general restrictions on Java programs running over the Web:

• No program can open, read, write, or delete files on the user's system.

• No program can run other programs on the user's system.

• All windows created by the program will be identified clearly as Java windows. This identification prevents someone from creating a fake window asking for the user's name and password.

• Programs cannot make connections to websites other than the one from which they came.

• All programs will be verified to make sure that nothing was modified after they were compiled.

The general consensus among Java developers is that the language has enough safeguards in place to be usable over the Web. Several security holes have been found, often by programming security experts, and these holes have been dealt with quickly by Sun or the web browser programmers.

Did you Know? None of the safeguards in place are a complete block against malicious programs. Just as loopholes have been found in the past, more will undoubtedly be found in the future. If you are concerned about running Java programs through your web browser, you can turn off Java support in browsers, though you will be missing a lot of interactive content on the Web.

The Java language also offers a more flexible security policy for programs that run in a browser. You can designate some companies and programmers as "trusted developers," which enables their Java programs to run in your browser without the restrictions that normally would be in place.

This system of trust is established through the use of digital signatures, files that clearly identify the author of a Java program. These signatures are created in collaboration with independent verification groups like VeriSign, which has a World Wide Website at http://www.verisign.com.

If you have ever authorized an ActiveX control to run in Internet Explorer, you have worked with a similar system of trust and identity verification.