Name: gm110360 Date: 01/22/2003
FULL PRODUCT VERSION :
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
FULL OPERATING SYSTEM VERSION :
Microsoft Windows XP [Version 5.1.2600]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Mozilla 1.2b
A DESCRIPTION OF THE PROBLEM :
When an applet method is called via
JavaScript/LiveConnect, that method invokation loses the
accessDeclaredMembers RuntimePermission even if the applet
has AllPermission.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Go to http://turadg.ucdev.org/accessTest/test.html
2. Click on Test permission
3. View the Java console for permission report
EXPECTED VERSUS ACTUAL BEHAVIOR :
The applet's init() method calls testPerm() which prints
to System.out "true" or "false" whether RuntimePermission
("accessDeclaredMembers") is available. Because the
applet is RSA signed, it outputs "true".
When the testPerm() method is called via JavaScript, the
permission check reports "false" under Mozilla. (Though
it reports "true" under IE6 running JPI.)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
js-button has accessDeclaredMembers permission: false
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessDeclaredMember)
at java.security.AccessControlContext.checkPermission
(AccessControlContext.java:270)
at java.security.AccessController.checkPermission
(AccessController.java:401)
at JSPermTest.testPerm(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0
(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke
(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.plugin.liveconnect.PrivilegedCallMethodAction.run
(SecureInvocation.java:497)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.liveconnect.SecureInvocation$2.run(SecureInvocation.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.liveconnect.SecureInvocation.CallMethod
(SecureInvocation.java:120)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
--------------------------------------------------
JSPermTest.java
--------------------------------------------------
import java.applet.*;
import java.security.*;
public class JSPermTest extends Applet {
public void init () {
testPerm("init");
}
public void testPerm (String caller) {
try {
System.out.print(caller + " has accessDeclaredMembers
permission: ");
Permission perm = new RuntimePermission("accessDeclaredMembers");
AccessController.checkPermission(perm);
System.out.println("true");
} catch (AccessControlException ex) {
System.out.println("false");
ex.printStackTrace();
}
}
}
--------------------------------------------------
test.html
--------------------------------------------------
<html>
<head>
<title>Test RuntimePermission</title>
<head>
<body>
<applet name="theApplet" codebase="." archive="test.jar"
code="JSPermTest.class" mayscript="true"
width="80" height="40">
</applet>
<input type="button" value="Test permission"
onClick='document.theApplet.testPerm("js-button");'>
</body>
</html>
---------- END SOURCE ----------
(Review ID: 166648)
======================================================================