FULL PRODUCT VERSION :
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)
Java HotSpot(TM) Client VM (build 1.4.2_05-b04, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
BEA WebLogic has a protocol called thin client which makes use of SUN's IIOP implementation in JDK. If a component tries to send a java.security.Permissions object with the a null "allPermission" member field through SUN's IIOP implementation, it throws the NullPointerException:

java.lang.NullPointerException
        at java.util.Hashtable.put(Hashtable.java:393)
        at com.sun.corba.se.internal.io.OutputStreamHook$HookPutFields.put(Outpu
tStreamHook.java:97)
        at java.security.Permissions.writeObject(Permissions.java:359)
        at com.sun.corba.se.internal.io.IIOPOutputStream.writeObject(Native Meth
od)
        at com.sun.corba.se.internal.io.IIOPOutputStream.invokeObjectWriter(IIOP
OutputStream.java:560)
        at com.sun.corba.se.internal.io.IIOPOutputStream.outputObject(IIOPOutput
Stream.java:523)
        at com.sun.corba.se.internal.io.IIOPOutputStream.simpleWriteObject(IIOPO
utputStream.java:123)
        at com.sun.corba.se.internal.io.ValueHandlerImpl.writeValueInternal(Valu
eHandlerImpl.java:136)
        at com.sun.corba.se.internal.io.ValueHandlerImpl.writeValue(ValueHandler
Impl.java:116)
        at weblogic.iiop.IIOPOutputStream.write_value(IIOPOutputStream.java:1636
)
        at weblogic.iiop.IIOPOutputStream.write_value(IIOPOutputStream.java:1667
)
        at weblogic.iiop.RMIMsgOutput.writeObject(RMIMsgOutput.java:105)
        at examples.ejb20.basic.statelessSession.statelessSession_mt9oui_EOImpl_
WLSkel.invoke(Unknown Source)
        at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:477)
        at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerR
ef.java:108)
        at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:420)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
144)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.jav
a:415)
        at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest
.java:30)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

You only need to analyse the source code of these two classes to understand the problem:
java.security.Permissions
com.sun.corba.se.internal.io.OutputStreamHook

When Permissions.writeObject(ObjectOutputStreaM) is called, it tries to write the members by
        ObjectOutputStream.PutField pfields = out.putFields();
pfields.put("allPermission", allPermission);
        pfields.put("perms", perms);
        out.writeFields();

The variable "pfields" is an instance of com.sun.corba.se.internal.io.OutputStreamHook$HookPutFields. pfields.put(String, Object) calls java.util.Hashtable.put(String, Object) with a null "allPermission" memeber but Hashtable.put(String, Object) throws NullPointerException according to JDK javadoc http://java.sun.com/j2se/1.4.2/docs/api/java/util/Hashtable.html#put(java.lang.Object,%20java.lang.Object)



REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
1) make sure the java.security.Permissions to send has a java.security.AllPermission member so the private member "allPermission" is not null. E.g. put a dummy AllPermission object
2) fall back to jdk 1.4.1_0x but 1.4.1 is already EOL.
(Incident Review ID: 311240)
======================================================================