United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-5011139 : REGRESSION: Methods called in Signed Applets from JS have incorrect permissions

Details
Type:
Bug
Submit Date:
2004-03-10
Status:
Closed
Updated Date:
2004-10-28
Project Name:
JDK
Resolved Date:
2004-10-28
Component:
deploy
OS:
windows_xp,windows_2000
Sub-Component:
plugin
CPU:
x86
Priority:
P3
Resolution:
Won't Fix
Affected Versions:
1.4.2,5.0
Fixed Versions:

Related Reports
Duplicate:
Duplicate:

Sub Tasks

Description
Name: gm110360			Date: 03/10/2004


FULL PRODUCT VERSION :
java version "1.4.2_03"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_03-b02)
Java HotSpot(TM) Client VM (build 1.4.2_03-b02, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
A signed JAR file is being used to allow Applets to be used with extra permissions (such as the ability to read and write to disc, read and write System Properties etc).

This functionality still works for methods called internal to the Applet but any methods called from JavaScript don't pick up the new permissions and as a result a  java.security.AccessControlException: access denied exception is thrown.

This problem is new to JRE 1.4.2 as there is no such problem in JRE 1.4.1_05

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run any signed Applet in a HTML page using Internet Explorer 6 and call a method that requires extra permissions such as System.getProperty("user.home").

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The method should not throw an java.security.AccessControlException: access denied exception.
ACTUAL -
The following exception was thrown.
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)


ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)

	at java.security.AccessControlContext.checkPermission(Unknown Source)

	at java.security.AccessController.checkPermission(Unknown Source)

	at java.lang.SecurityManager.checkPermission(Unknown Source)

	at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

	at java.lang.System.getProperty(Unknown Source)

	at ScadaApplets.TestApplet.printUserHome(TestApplet.java:41)

	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

	at java.lang.reflect.Method.invoke(Unknown Source)

	at sun.plugin.com.MethodDispatcher.invoke(Unknown Source)

	at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)

	at sun.plugin.com.DispatchImpl$2.run(Unknown Source)

	at java.security.AccessController.doPrivileged(Native Method)

	at sun.plugin.com.DispatchImpl.invoke(Unknown Source)

java.lang.Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)

	at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)

	at sun.plugin.com.DispatchImpl$2.run(Unknown Source)

	at java.security.AccessController.doPrivileged(Native Method)

	at sun.plugin.com.DispatchImpl.invoke(Unknown Source)



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Java Applet code:


package ScadaApplets;

import java.awt.*;
import java.applet.*;
import java.net.*;
import javax.swing.*;
import ScadaLib.*;

public class TestApplet extends JApplet
{
   public void init()
   	{
      System.out.println("Init");
   	}

   public void start()
   	{
      System.out.println("User Home from Start :" + System.getProperty("user.home")); // This works
    	}

   public void stop()
      {
      System.out.println("Stop");
      }

   public void destroy()
		{
      System.out.println("Destroy");
    	}
   
   public void printUserHome()
      {
      System.out.println("User Home from JS Call :" + System.getProperty("user.home")); // This doesn't work when called from JavaScript using JRE 1.4.2
      }
}

HTML used to embed Applet and test:

<HTML>
<HEAD>
<TITLE>Permissions Test</TITLE>

<script language="JavaScript">

function init()
   {
   document.TestApplet.printUserHome();
   }

</script>

<BODY onLoad="init()">
<APPLET code="ScadaApplets.TestApplet.class" archive="sScadaApplets.jar"
   width="5" height="5" name="TestApplet" MAYSCRIPT>
</APPLET>

</BODY>
</HTML>
---------- END SOURCE ----------

Release Regression From : 1.4.1_05
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

(Incident Review ID: 230584) 
======================================================================
###@###.### 10/27/04 19:23 GMT

                                    

Comments
EVALUATION

Java Plug-in cannot verify the origin of JavaScript, therefore we do not give full permissions to the applet code called from JavaScript even when the applet is signed. Otherwise there is a possibility of security risk.
###@###.### 2004-03-10
                                     
2004-03-10



Hardware and Software, Engineered to Work Together