Name: gm110360 Date: 01/22/2003 FULL PRODUCT VERSION : java version "1.4.1_01" Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01) Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode) FULL OPERATING SYSTEM VERSION : Microsoft Windows XP [Version 5.1.2600] EXTRA RELEVANT SYSTEM CONFIGURATION : Mozilla 1.2b A DESCRIPTION OF THE PROBLEM : When an applet method is called via JavaScript/LiveConnect, that method invokation loses the accessDeclaredMembers RuntimePermission even if the applet has AllPermission. STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : 1. Go to http://turadg.ucdev.org/accessTest/test.html 2. Click on Test permission 3. View the Java console for permission report EXPECTED VERSUS ACTUAL BEHAVIOR : The applet's init() method calls testPerm() which prints to System.out "true" or "false" whether RuntimePermission ("accessDeclaredMembers") is available. Because the applet is RSA signed, it outputs "true". When the testPerm() method is called via JavaScript, the permission check reports "false" under Mozilla. (Though it reports "true" under IE6 running JPI.) ERROR MESSAGES/STACK TRACES THAT OCCUR : js-button has accessDeclaredMembers permission: false java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMember) at java.security.AccessControlContext.checkPermission (AccessControlContext.java:270) at java.security.AccessController.checkPermission (AccessController.java:401) at JSPermTest.testPerm(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke0 (NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at sun.plugin.liveconnect.PrivilegedCallMethodAction.run (SecureInvocation.java:497) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin.liveconnect.SecureInvocation$2.run(SecureInvocation.java:141) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin.liveconnect.SecureInvocation.CallMethod (SecureInvocation.java:120) REPRODUCIBILITY : This bug can be reproduced always. ---------- BEGIN SOURCE ---------- -------------------------------------------------- JSPermTest.java -------------------------------------------------- import java.applet.*; import java.security.*; public class JSPermTest extends Applet { public void init () { testPerm("init"); } public void testPerm (String caller) { try { System.out.print(caller + " has accessDeclaredMembers permission: "); Permission perm = new RuntimePermission("accessDeclaredMembers"); AccessController.checkPermission(perm); System.out.println("true"); } catch (AccessControlException ex) { System.out.println("false"); ex.printStackTrace(); } } } -------------------------------------------------- test.html -------------------------------------------------- <html> <head> <title>Test RuntimePermission</title> <head> <body> <applet name="theApplet" codebase="." archive="test.jar" code="JSPermTest.class" mayscript="true" width="80" height="40"> </applet> <input type="button" value="Test permission" onClick='document.theApplet.testPerm("js-button");'> </body> </html> ---------- END SOURCE ---------- (Review ID: 166648) ======================================================================
|