United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6684701 Security exception from unsigned applets on local disk
JDK-6684701 : Security exception from unsigned applets on local disk

Details
Type:
Bug
Submit Date:
2008-04-04
Status:
Closed
Updated Date:
2011-05-13
Project Name:
JDK
Resolved Date:
2008-05-20
Component:
deploy
OS:
generic
Sub-Component:
plugin
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
6u10
Fixed Versions:
6u10 (b23)

Related Reports

Sub Tasks

Description
###@###.### from the JavaFX team points out that the following SecurityException is raised when running an unsigned applet from the local disk which loads a class reflectively:

Exception in thread "AWT-EventQueue-2" java.security.AccessControlException: access denied (java.util.PropertyPermission java.home read)
   at java.security.AccessControlContext.checkPermission(Unknown Source)
   at java.security.AccessController.checkPermission(Unknown Source)
   at java.lang.SecurityManager.checkPermission(Unknown Source)
   at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
   at java.lang.System.getProperty(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
   at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
   at java.security.SecureClassLoader.defineClass(Unknown Source)
   at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(Unknown Source)
   at java.lang.ClassLoader.loadClassInternal(Unknown Source)
   at java.lang.Class.forName0(Native Method)
   at java.lang.Class.forName(Unknown Source)
   at javafx.gui.Applet.getAppletClass(Applet.fx:1)
   at javafx.gui.AppletRunner.run$impl(AppletRunner.fx:1)
   at javafx.gui.AppletRunner.run(AppletRunner.fx:39)
   at java.awt.event.InvocationEvent.dispatch(Unknown Source)
   at java.awt.EventQueue.dispatchEvent(Unknown Source)
   at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
   at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
   at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
   at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
   at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
   at java.awt.EventDispatchThread.run(Unknown Source)

                                    

Comments
SUGGESTED FIX

webrev: http://sa.sfbay.sun.com/projects/deployment_data/6u10/6684701.0
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_10/6684701
                                     
2008-04-06
EVALUATION

###@###.### from the JavaFX team found that some code
in the new plug-in which was brought over for potential ActiveX bridge
support in the future was causing SecurityExceptions for JavaFX
applets loaded from the local disk. The fix is to query the java.home
system property from a privileged context.
                                     
2008-04-06
EVALUATION

This fix did not fail. The applet runs correctly. The failure to query the system property "javafx.debug" is because the jar files are not signed, not because of a bug in the Java Plug-In. Marking the bug "Fix Delivered" again.
                                     
2008-05-19



Hardware and Software, Engineered to Work Together