Name: gm110360 Date: 03/10/2004
FULL PRODUCT VERSION :
java version "1.4.2_03"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_03-b02)
Java HotSpot(TM) Client VM (build 1.4.2_03-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
A DESCRIPTION OF THE PROBLEM :
A signed JAR file is being used to allow Applets to be used with extra permissions (such as the ability to read and write to disc, read and write System Properties etc).
This functionality still works for methods called internal to the Applet but any methods called from JavaScript don't pick up the new permissions and as a result a java.security.AccessControlException: access denied exception is thrown.
This problem is new to JRE 1.4.2 as there is no such problem in JRE 1.4.1_05
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run any signed Applet in a HTML page using Internet Explorer 6 and call a method that requires extra permissions such as System.getProperty("user.home").
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The method should not throw an java.security.AccessControlException: access denied exception.
ACTUAL -
The following exception was thrown.
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at ScadaApplets.TestApplet.printUserHome(TestApplet.java:41)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin.com.MethodDispatcher.invoke(Unknown Source)
at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
at sun.plugin.com.DispatchImpl$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.com.DispatchImpl.invoke(Unknown Source)
java.lang.Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
at sun.plugin.com.DispatchImpl$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.com.DispatchImpl.invoke(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Java Applet code:
package ScadaApplets;
import java.awt.*;
import java.applet.*;
import java.net.*;
import javax.swing.*;
import ScadaLib.*;
public class TestApplet extends JApplet
{
public void init()
{
System.out.println("Init");
}
public void start()
{
System.out.println("User Home from Start :" + System.getProperty("user.home")); // This works
}
public void stop()
{
System.out.println("Stop");
}
public void destroy()
{
System.out.println("Destroy");
}
public void printUserHome()
{
System.out.println("User Home from JS Call :" + System.getProperty("user.home")); // This doesn't work when called from JavaScript using JRE 1.4.2
}
}
HTML used to embed Applet and test:
<HTML>
<HEAD>
<TITLE>Permissions Test</TITLE>
<script language="JavaScript">
function init()
{
document.TestApplet.printUserHome();
}
</script>
<BODY onLoad="init()">
<APPLET code="ScadaApplets.TestApplet.class" archive="sScadaApplets.jar"
width="5" height="5" name="TestApplet" MAYSCRIPT>
</APPLET>
</BODY>
</HTML>
---------- END SOURCE ----------
Release Regression From : 1.4.1_05
The above release value was the last known release where this
bug was known to work. Since then there has been a regression.
(Incident Review ID: 230584)
======================================================================
###@###.### 10/27/04 19:23 GMT