Name: gm110360 Date: 02/10/2003


FULL PRODUCT VERSION :
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)


FULL OPERATING SYSTEM VERSION :
Redhat 8.1

ADDITIONAL OPERATING SYSTEMS :
Windows XP

A DESCRIPTION OF THE PROBLEM :
When calling a public method of an signed applet, and the
method performs a "priviledged" operation, an exception is
thrown.
This happens on Mozilla, both on linux and windows. In
Internet Explorer 6 this problem does not occour.
I would guess that the privilages granted to the JS code
in IE, are not granted to it in Mozilla.
Furthermore, the initial call to a Java method from JS is
very time consuming; if you set the logging level to 5 in
the java console, then you will see _many_ lines of output
like this:
JavaScript: caller and callee have same origin
JavaScript: default security policy = file://

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
This JS code calls a java method in the applet to print
the system property "java.io.tmpdir".
The applet has to be jar/signed first.
In IE the value is printed, in Mozilla it throws an
exception. Tested on Mozilla on linux (1.3a) and windows
(1.2.1).



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.swing.*;
public class Cred extends JApplet
{
public void printIt ()
{
try
{
System.err.println(System.getProperty
("java.io.tmpdir"));
}
catch (Exception e)
{
e.printStackTrace();
}
}
}

------------HTML----------------

<html>
<body>
<OBJECT
width="100"
height="100"
id="app"
classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
codebase="http://java.sun.com/products/plugin/autodl/jinstall-1_4-
windows-i586.cab#Version=1,4,0,0">
<PARAM NAME="code" VALUE="Cred.class" >
<PARAM NAME="archive" VALUE="Cred.jar" >
<PARAM NAME="type" VALUE="application/x-java-applet;version=1.4">
<PARAM NAME="scriptable" VALUE="true">
<COMMENT>
<EMBED
id="app" width="100" height="100"
type="application/x-java-applet;version=1.4"
CODE="Cred.class"
archive="Cred.jar"
scriptable="true"
pluginspage="http://java.sun.com/products/plugin/index.html#download">
<NOEMBED>need java</NOEMBED>
</EMBED>
</COMMENT>
</OBJECT>
<div>
<button onclick="document.embeds.app.printIt()">Mozilla Check</button>
<button onclick="document.getElementById(&quot;app&quot;).printIt()">IE
Check</button>
</body>
</html>

---------- END SOURCE ----------

CUSTOMER WORKAROUND :
It's possible to spawn a thread from init(), which runs
with all the privilages, and all the methods called from
JS will communicate with that thread to do the necessary
actions on their behalf. Although it could get messy.
(Review ID: 180075)
======================================================================