java.security.AccessControlException thrown when applet calls java.beans.Introspector.setBeanInfoSearchPath()
Symptoms
When running an applet in a browser using the Sun JRE, an AccessControlException is thrown in the execution of Introspector.setBeanInfoSearchPath():
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertiesAccess(Unknown Source)
at java.beans.Introspector.setBeanInfoSearchPath(Unknown Source)
at ....
The same applet runs under the Microsoft VM.
Cause
The Introspector.setBeanInfoSearchPath() method call can change the list of package names used for finding BeanInfo classes. If more than one applet is running in the VM, an untrusted applet could call this method to redirect other applets to look up BeanInfo in unexpected packages. This is a security hole.
A security check for java.util.PropertyPermission was added to this method in the JRE to address the security concern. If the applet is unsigned and it calls into this method, an AccessControlException will be thrown.
Resolution
The workaround is to either:
- Sign the applet using the JDK jarsigner tool, so that the applet runs as a trusted applet and has permissions to call the Introspector.setBeanInfoSearchPath() method.
- Rearchitect the applet code to avoid the call to Introspector.setBeanInfoSearchPath(). For example, instead of relying on the BeanInfo search path, use a fully qualified package name for looking up the BeanInfo.
Related Information
See jarsigner - JAR Signing and Verification Tool.
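One way to apply the second workaround from the Resolution section, as an added example that is not code from the original page: the BeanInfo class is loaded by its fully qualified name, so the applet never calls Introspector.setBeanInfoSearchPath() and never touches the VM-wide search path. The class names ExplicitBeanInfoLookup, Gauge and GaugeBeanInfo and the lookup() helper are hypothetical.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.SimpleBeanInfo;

public final class ExplicitBeanInfoLookup {

    // Hypothetical bean and BeanInfo standing in for the applet's own classes.
    public static class Gauge {
        private int level;
        public int getLevel() { return level; }
        public void setLevel(int level) { this.level = level; }
    }
    public static class GaugeBeanInfo extends SimpleBeanInfo { }

    /**
     * Resolves a BeanInfo from an explicit, fully qualified class name.
     * Class.forName(String) uses the caller's own class loader, so the
     * lookup stays inside the applet's code base and does not depend on
     * the shared search path that other applets in the VM could influence.
     */
    static BeanInfo lookup(Class<?> beanClass, String beanInfoClassName)
            throws IntrospectionException {
        try {
            Class<?> c = Class.forName(beanInfoClassName);
            // Reject a class that resolves but is not actually a BeanInfo.
            if (!BeanInfo.class.isAssignableFrom(c)) {
                throw new IntrospectionException(beanInfoClassName + " is not a BeanInfo");
            }
            return (BeanInfo) c.getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            // No explicit BeanInfo shipped: fall back to default introspection,
            // which reads the bean class itself and leaves the search path unchanged.
            return Introspector.getBeanInfo(beanClass);
        } catch (ReflectiveOperationException e) {
            throw new IntrospectionException(
                    "cannot instantiate " + beanInfoClassName + ": " + e);
        }
    }

    public static void main(String[] args) throws IntrospectionException {
        // Nested classes are named Outer$Inner at the class-loader level.
        String name = ExplicitBeanInfoLookup.class.getName() + "$GaugeBeanInfo";
        BeanInfo info = lookup(Gauge.class, name);
        System.out.println("Resolved BeanInfo: " + info.getClass().getName());
    }
}
```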