An applet, a Java program that runs in a browser, often has to access the client resources. However, the security manager prevents an applet from accessing client resources. To access client resources, the applet has to have the proper permission. With this permission the applet can then access the client system resources by way of the security manager. This phenomenon is called stepping out of the sandbox. The sandbox is the security manager.

To achieve this phenomenon the applet needs to be signed and the client user has to grant the applet permission. Signing the applet ensures that the bytecode isn't tampered with, and the client user can be assured that the contents of the applet are coming from a trusted source as stated by the certificate.

Microsoft Internet Explorer and Netscape no longer support their own JVMs, the ones they use to ship with their browsers. This makes life easier because now we don't have to maintain two different code-signing certificates and two different ways of signing the cab files and .jar files. This used to be the case when you wanted your applet to run in both Netscape and IE.

Applet: What, Where, and How
Applets run using a Java Virtual Machine (JVM) either built into the browser or by a Java plug-in. Applets are written in a special way by extending the base applet class in the Java SDK. The applets run in the sandbox of the JVM, i.e, the applets are restricted by the JVM's security manager in terms of what they can and cannot do when running in the client system. This restriction is maintained because applets are remotely downloaded programs that run in the browser.

Applets are normally used in situations where you'd like to have your application run as an applet rather than a traditional HTML-based application. The applet enables access to client file system resources in the client system. This is when the applet has to step out of the sandbox.

To use an applet in your application you have to do two things: write your applet in Java code and have a JavaServer Pages (JSP) page where you invoke the applet. To simplify JSP development, the JSP spec has a <jsp:plugin... directive that executes the applet. This methodology isolates the developer from browser-specific HTML tags to execute an applet.

See Listings 1 and 2 for a sample applet and a sample JSP, respectively. Figure 1 shows how an applet looks in a browser.