- Type: Bug
- Resolution: Fixed
- Priority: P2
- Affects Version/s: 1.1
- Component/s: core-libs
- None
- 1.1.5
- generic
- generic
- Not verified

A class loaded through the AppletClassLoader can get the contents of a .class file located in a JAR file (cf. in a directory) in CLASSPATH through getSystemResourceAsStream(). This could be used by a malicious applet to read .class information and decompile algorithms it should not have access to.
Replicate as follows:
Get the attachment tar file, untar it first, then follow the instructions in GetResourceTests.java in the attachment. The failure says:
calterra% setenv CLASSPATH /home/pelegri/tst/getresource/new/data.jar
calterra% appletviewer OnJarFromApplet.html
Tests failed java.lang.Exception: could read foo.class using getResourceAsStream
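
The report turns on the same resource name being reachable through a JAR entry in CLASSPATH. The following is an added example, not code from the report, its attachment, or the JDK fix: it shows a name-based check that gives the same answer for a directory and a JAR. FilteringLoader, notes.txt and the sample bytes are hypothetical and constructed for the illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

public class ClassResourceFilterDemo {
    // Hypothetical loader for untrusted code: never serves .class files as
    // resources, whatever kind of classpath entry backs them.
    static class FilteringLoader extends URLClassLoader {
        FilteringLoader(URL... urls) { super(urls, null); }
        static boolean denied(String name) {
            return name.toLowerCase(Locale.ROOT).endsWith(".class");
        }
        @Override public URL getResource(String name) {
            return denied(name) ? null : super.getResource(name);
        }
        @Override public Enumeration<URL> getResources(String name) throws IOException {
            return denied(name) ? Collections.emptyEnumeration() : super.getResources(name);
        }
        @Override public InputStream getResourceAsStream(String name) {
            return denied(name) ? null : super.getResourceAsStream(name);
        }
    }

    static boolean readable(ClassLoader cl, String name) throws IOException {
        try (InputStream in = cl.getResourceAsStream(name)) { return in != null; }
    }

    public static void main(String[] args) throws Exception {
        byte[] body = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE}; // constructed sample bytes
        Path dir = Files.createTempDirectory("data");
        Path jar = Files.createTempFile("data", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            for (String n : new String[] {"foo.class", "notes.txt"}) {
                Files.write(dir.resolve(n), body);   // same entry in the directory...
                out.putNextEntry(new JarEntry(n));   // ...and in the JAR
                out.write(body);
                out.closeEntry();
            }
        }
        for (URL entry : new URL[] {dir.toUri().toURL(), jar.toUri().toURL()}) {
            try (URLClassLoader open = new URLClassLoader(new URL[] {entry}, null);
                 FilteringLoader strict = new FilteringLoader(entry)) {
                System.out.println(entry + " unfiltered foo.class: " + readable(open, "foo.class"));
                if (readable(strict, "foo.class") || !readable(strict, "notes.txt"))
                    throw new Exception("filter is not uniform for " + entry);
            }
        }
        System.out.println("filter holds for directory and JAR entries");
    }
}
```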