gcjwebplugin is a Firefox plugin for running Java applets.  It is now
included in the libgcj sub-package, though it is not enabled by
default.

GNU Classpath and libgcj's security implementation is under active
development, but it is not ready to be declared secure.  Specifically,
it cannot run untrusted applets safely.

When gcjwebplugin is enabled, it prompts you with a dialog before
loading an applet.  The dialog tells you that a certain URL would like
to load an applet, and asks if you trust the applet.  Be aware though
that this dialog is mostly informative and doesn't provide much
protection:

- http and DNS can be spoofed meaning that the URL named in the
  warning dialog cannot be trusted

- someone could create a browser denial-of-service attack by creating a
  page with hundreds of applet tags, causing gcjwebplugin to create
  warning dialog after warning dialog.  The browser would have to be
  closed to eliminate the latest dialog

- the whitelist is provided as a convenience, but it is unsafe because a
  domain may change hands from a trusted owner to an untrusted owner.
  If that domain is in the whitelist then the warning dialog will not
  appear when loading the new malicious applet.

CURRENTLY GCJWEBPLUGIN RUNS WITH NO SECURITY MANAGER.  THIS MEANS THAT
APPLETS CAN DO ANYTHING A JAVA APPLICATION THAT YOU DOWNLOAD AND RUN
COULD DO.  BE *VERY* CAREFUL WHICH APPLETS YOU RUN.  DO NOT USE
GCJWEBPLUGIN ON YOUR SYSTEM IF YOUR SYSTEM STORES IMPORTANT DATA.
THIS DATA CAN BE DESTROYED OR STOLEN.

The same warning applies to gappletviewer, which also runs with no
security manager (in fact, gcjwebplugin spawns gappletviewer to do the
applet loading).  When run on the command line, gappletviewer issues a
warning on startup and asks you if you want to continue.

Even considering the risks involved, you may still want to try
gcjwebplugin.  GNU Classpath's AWT and Swing implementations are now
sufficiently mature that they're able to run many applets deployed on
the web.  If you're interested in trying gcjwebplugin, you can do so
by creating a symbolic link in ~/.mozilla/plugins like so:

ln -s /usr/lib/gcj-@VERSION@/libgcjwebplugin.so ~/.mozilla/plugins/

Type about:plugins in Firefox's URL bar to confirm that the plugin has
been loaded.  To see gcjwebplugin debugging output, run:

firefox -g

then at the GDB prompt, type

run

Please report bugs in Red Hat Bugzilla: http://bugzilla.redhat.com