As you may be aware, there is a problem with the latest 1.6 update (1.6.0_03) of the java plugin in Firefox.

When the applet tries to communicate back with the originating server, a security exception is thrown.

I logged a bug earlier about this and it just went through:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6622150

Please vote for it if this bug affects your site.

 

 

I am seeing the exact same thing in Firefox on my site. It doesn't seem to happen in IE. Our company mandates IE for this site so it is not a major problem yet. I would like to see it fixed because I develop the site in Firefox.

 

 

We haven't been able to reproduce this problem in-house. I just tested with 1.6.0_03 inside of Firefox 2.0.0.9 and the applets at the reported site work fine. Have you changed your proxy or DNS settings recently? At this point we don't have an idea of what is causing the problem.

 

 

I created a small test case that fails consistently on my machine: Windows XP Pro SP 2, Firefox 2.0.0.9, java 1.6.0_03.

Below are two html files (test.html and applet.html) and an Applet file. Loading test.html in my browser causes the following trace:

Java Plug-in 1.6.0_03
Using JRE version 1.6.0_03 Java HotSpot(TM) Client VM
...
basic: Referencing classloader: sun.plugin.ClassLoaderInfo@10e18ba, refcount=1
basic: Added progress listener: sun.plugin.util.GrayBoxPainter@343bb6
basic: Loading applet ...
basic: Initializing applet ...
basic: Starting applet ...
basic: completed perf rollup
java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:80 connect,resolve)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkConnect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at java.net.Socket.<init>(Unknown Source)
	at java.net.Socket.<init>(Unknown Source)
	at test.SocketApplet.init(SocketApplet.java:16)
	at sun.applet.AppletPanel.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
basic: Exception: java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:80 connect,resolve)
java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:80 connect,resolve)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkConnect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at java.net.Socket.<init>(Unknown Source)
	at java.net.Socket.<init>(Unknown Source)
	at test.SocketApplet.init(SocketApplet.java:16)
	at sun.applet.AppletPanel.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Note: I am testing on a local network and have mapped the ip address for the web server in my hosts file to 192.168.0.3. However, I have confirmed that the AccessControlException occurs for a user outside my local network.

test.html and applet.html should be placed in the same directory on your web server. My SocketApplet is in a "test" package, so is located at test/SocketApplet.class. From Firefox, load test.html. You should see the AccessControlException.

test.html

<HTML>
<HEAD>
<script language="javascript">
 
function generateBaseID() {
  var baseID = String(java.lang.System.currentTimeMillis());
  return baseID;
}
 
function requestURL(baseID) {
  var request = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("MSXML2.XMLHTTP.3.0");
  request.open("GET", "http://www.seekspeak.com", true);
  request.onreadystatechange = function(){ 
    if (request.readyState == 4 && (request.status == 200 || request.status == 304)) {      
      loadPage();
    }    
  }
  request.send(null);
}
 
requestURL(generateBaseID());
 
function loadPage() {
  document.location.href="/applet.html"; 
}
 
</script>
</HEAD>
<body>
 
</body>
</HTML>

applet.html

<html>
<body>
<applet code="test.SocketApplet.class" width="100" height="100"></applet>
</body>
</html>

SocketApplet.java

package test;
 
import java.applet.Applet;
import java.io.IOException;
import java.net.Socket;
import java.net.URL;
 
public class SocketApplet extends Applet {
 
    private Socket socket;
 
    public void init() {
        try {
            String host = this.getCodeBase().getHost().toString();
            URL url = new URL("http://" + host + ":80");
            socket = new Socket(url.getHost(), url.getPort());
            System.out.println("setting keep alive");
            socket.setKeepAlive(true);
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }
 
    public void start() {
        // do nothing
    }
 
    public void stop() {
        if (socket != null) {
            try {
                socket.close();
            } catch (IOException ioe) {
                ioe.printStackTrace();
            }
        }
    }
}

For a short time I'll leave the test up at: http://www.seekspeak.com/test.html.

One final interesting note: in test.html if I change the line that says:

requestURL(generateBaseID());

to:

requestURL("test");

the AccessControlException goes away.

Hope this helps,
Peter

 

 

It appears that an AccessControlException is generated if javascript calls any Java code before the applet tries to initiate its connection back to the server. See the simple test case below:

test.html

<HTML>
<HEAD>
<script language="javascript">
 
var test = java.lang.System.currentTimeMillis();
 
</script>
</HEAD>
<body>
 
<applet code="test.HttpConnectionApplet.class" width="100" height="100"></applet>
 
</body>
</HTML>

HttpConnectionApplet.java

package test;
 
import java.applet.Applet;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
 
public class HttpConnectionApplet extends Applet {
    private HttpURLConnection urlConnection;
 
    public void init() {
        try {
            URL url = this.getCodeBase();
            urlConnection = (HttpURLConnection) url.openConnection();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }
 
    public void start() {
        try {
            urlConnection.connect();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }
 
    public void stop() {
        if (urlConnection != null) {
            urlConnection.disconnect();
        }
    }
}

As is, an AccessControlException is generated. Comment out the JavaScript line that calls java.lang.System.currentTimeMillis() and no ACE is thrown.

It might have to do with the fact that the JavaScript call is executed via sun.plugin.liveconnect.SecureInvocation which flags the originating host as "proxied", even if the connection is direct.

from SecureInvocation.java:
...
// If script calls directly into Java apis (not through applet code)
// then treat the script as if it were an applet downloaded by the
// plugin itself via a web proxy.
if (direct) {
sun.net.www.URLConnection.setProxiedHost(host);
...

That combined with this line in java.net.SocketPermission creates the problem:
...
if (!trustNameService && sun.net.www.URLConnection.isProxiedHost(hostname)) {
...

There may be more reasons why ACEs are thrown in 1.6.0_03, but this is one of them.

Note: the source lines above are from java 6u10. I couldn't track down the source for 6u3 anywhere (it doesn't exist in the archives: http://download.java.net/jdk6/6u10/archive/).

Peter

 

 

At least in my case the issue is caused by calling from javascript to java or java to javascript before the applet initiates the http url connection back to the host. However, if the applet makes the connection before any liveconnect calls, it can successfully connect back to the server after liveconnect calls.

Specifically I'm pretty sure the problem is caused by the change in sun.plugin.liveconnect.SecureInvocation between 1.6.0_02 and 1.6.0_03 regarding the new "direct" flag. The following line inaccurately treats liveconnect calls into an applet as direct calls from javascript into the java apis, which sets the originating server as a proxied host:

// If script calls directly into Java apis (not through applet code) then treat
// the script as if it were an applet downloaded by the plugin itself via a web proxy.
if (direct) {	         
  sun.net.www.URLConnection.setProxiedHost(host);
...

Workaround: ensure that the applet makes at least one connection back to the originating host BEFORE any liveconnect calls are made... at least that works for me.

 

 

If you guys can't test new releases and be sure that it covers all applications, how about letting us vet your java releases before you release them?

It would save a lot of grief for everyone :-)

 

 

This is exactly what we are doing with 6uN and the next-generation Java Plug-In. Please see https://jdk6.dev.java.net/6uNea.html and https://jdk6.dev.java.net/testPlugIn.html .

 

 

This application was developed in 1998 and today we compile it for Java 1.4 support so that it supports are large variety of browsers...

http://www.artistscope.com/secure_image3/demo-text-image.htm

Our users have millions of pages out there!

 

 

1.6.0_04 is now available for download from java.sun.com (http://java.sun.com/javase/downloads/?intcmp=1281) although not yet available on www.java.com.

I looked at the release notes (http://java.sun.com/javase/6/webnotes/ReleaseNotes.html) and it appears the bug hasn't been fixed. I tried it and, indeed, the problem still occurs.

The bug has 42 votes so I wonder why it hasn't been fixed...

 

 

Please try the next-generation Java Plug-In in 6u10. The entire Java Plug-In team at Sun is focusing on delivering this product. This issue is no longer reproducible in the new plug-in. As a matter of fact, I also can't reproduce it in the current Java Plug-In from the 6u10 builds in Firefox 2 either.

 

 

What is the download link?

 

 

Hi Kenneth,

Thanks for replying. I'm able to reproduce the problem with 6u10. For example, when I load http://www.bestcrosswords.com/web-sandbox/appletsandbox/index.html with Firefox2/6u10, I get the error about 10% of the time. When I load http://www.bestcrosswords.com/web-sandbox/appletsandbox/liveconnect.html (same as the other one but with a live connect call) I get the error 100% of the time.

However, if I use 6u10 with Firefox3 and the "enable next gen plugin" checked, I don't get the error so it appears to not be an issue in the java plugin rewrite.

 

 

I managed to fix the problem on my site. The problem was due to a javascript liveconnect call being performed before any network calls by the applet. This was described in the comments of the bug report but I didn't think that was my problem since I never call Java from my javascript (or so I thought). It turns out that the following javascript makes liveconnect calls when there is a java applet on the page.

var a = document.getElementsByTagName("*");
for (var i = 0; i < a.length; i++) {
...
}

This processes all the DOM elements in the page and when it hits the "embed" element where the applet resides, it makes liveconnect calls.

Since I run this code on page load, liveconnect calls were being made and depending on whether they happened before any Java network calls, they would trigger the bug.

In order to find out if your javascript is making liveconnect calls, open the Java options in the control panel and in the Advanced tab under Debugging, check "Enable tracing". Load your applet and look at the output of the Java console. If you see lines "liveconnect: Javascript ...", your javascript is making liveconnect calls.

Hope that helps.

 

 

btw. the new plugin is only activated when using FireFox3, that may be the root cause why it does not work for you with FireFox2 all the time because it uses there the old plugin.

lg Clemens