JDK-6684701 : Security exception from unsigned applets on local disk
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u10
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-04-04
  • Updated: 2011-05-13
  • Resolved: 2008-05-20
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
6u10 b23Fixed
###@###.### from the JavaFX team points out that the following SecurityException is raised when running an unsigned applet from the local disk which loads a class reflectively:

Exception in thread "AWT-EventQueue-2" java.security.AccessControlException: access denied (java.util.PropertyPermission java.home read)
   at java.security.AccessControlContext.checkPermission(Unknown Source)
   at java.security.AccessController.checkPermission(Unknown Source)
   at java.lang.SecurityManager.checkPermission(Unknown Source)
   at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
   at java.lang.System.getProperty(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
   at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
   at java.security.SecureClassLoader.defineClass(Unknown Source)
   at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(Unknown Source)
   at java.lang.ClassLoader.loadClassInternal(Unknown Source)
   at java.lang.Class.forName0(Native Method)
   at java.lang.Class.forName(Unknown Source)
   at javafx.gui.Applet.getAppletClass(Applet.fx:1)
   at javafx.gui.AppletRunner.run$impl(AppletRunner.fx:1)
   at javafx.gui.AppletRunner.run(AppletRunner.fx:39)
   at java.awt.event.InvocationEvent.dispatch(Unknown Source)
   at java.awt.EventQueue.dispatchEvent(Unknown Source)
   at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
   at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
   at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
   at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
   at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
   at java.awt.EventDispatchThread.run(Unknown Source)

EVALUATION This fix did not fail. The applet runs correctly. The failure to query the system property "javafx.debug" is because the jar files are not signed, not because of a bug in the Java Plug-In. Marking the bug "Fix Delivered" again.

SUGGESTED FIX webrev: http://sa.sfbay.sun.com/projects/deployment_data/6u10/6684701.0 testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_10/6684701

EVALUATION ###@###.### from the JavaFX team found that some code in the new plug-in which was brought over for potential ActiveX bridge support in the future was causing SecurityExceptions for JavaFX applets loaded from the local disk. The fix is to query the java.home system property from a privileged context.