One of the properties you may want to set in the admin properties file is trustProxy, which is set to true by default. This means that HotJava™ Browser will trust your proxy server to safely contact a host outside the firewall using a DNS (Domain Name Service) lookup. In certain circumstances, you may want to set the trustProxy property to false for security reasons, as described below.
This document describes the following:
The trustProxy property is set to true by default. To set it to false, add or modify the following line in your admin properties file:
trustProxy=false
For information on how to edit your admin properties file, see HotJava Browser Property Files.
Read on if you're interested in the technical details.
Setting trustProxy to false circumvents a small security risk where an applet might, under rare circumstances, be able to connect to hosts other than the one from which it originated. (This is the "DNS attack" problem from Feb. 96, described in the chronology section of the Applet Security FAQ.)
The problem with setting the trustProxy property to false occurs when:
Note: Most networks behind firewalls let the browser find the IP address from a host name directly, without going through the firewall. For these sites, there is no security risk, and you will always see full applet behavior, regardless of the trustProxy setting. Talk to your system administrator to find out if you can find IP addresses for external host names, and if not, to find out if this feature can be implemented for your network.
If the above three items are true for your system, and trustProxy is set to false, HotJava Browser cannot resolve the host name to an IP address because proxy servers do not cache the mapping between host names and IP addresses for future reference. Therefore, if you try to access a Web page on a site outside your firewall that has applets on it, you'll find that the applets won't load.
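The following is a simplified model of the behavior described above, added here as an illustration. It is not HotJava Browser code, and the function names, the resolver tables and the addresses are constructed assumptions. It shows why a browser that can resolve names itself behaves the same under either setting, and why trustProxy=false fails closed when it cannot.

```python
# Simplified model of the behavior described above (an assumption, not HotJava code).

class ResolutionError(Exception):
    """The browser could not resolve a host name by itself."""

def make_resolver(table):
    """Offline stand-in for DNS: constructed host name -> set of IP addresses."""
    def resolve(host):
        if host.lower() not in table:
            raise ResolutionError(host)
        return frozenset(table[host.lower()])
    return resolve

def load_applet(origin_host, trust_proxy, resolve):
    """Return the origin the applet is pinned to, or None if it is refused."""
    try:
        # Preferred: pin the origin to addresses the browser resolved itself.
        return ("ip", resolve(origin_host))
    except ResolutionError:
        if trust_proxy:
            # trustProxy=true: only the name is known; the proxy does the lookup.
            return ("name", origin_host.lower())
        # trustProxy=false and no direct lookup: fail closed, applet does not load.
        return None

def may_connect(origin, target_host, resolve):
    """Allow an applet connection only back to its pinned origin."""
    if origin is None:
        return False
    kind, value = origin
    if kind == "name":
        return target_host.lower() == value
    try:
        # Every address of the target must be one of the pinned addresses.
        return resolve(target_host) <= value
    except ResolutionError:
        return False

# Constructed sample networks (documentation-range addresses).
DIRECT_DNS = make_resolver({
    "applets.example.com": {"192.0.2.10"},
    "other.example.net": {"192.0.2.77"},
})
NO_EXTERNAL_DNS = make_resolver({})  # names resolvable only via the proxy
```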
Copyright © Sun Microsystems, Inc.