2 Replies Latest reply: Aug 1, 2011 7:43 PM by EJP

    Applet accidentally requests Java Core API classes from network

    875478
      Hi,

      starting an applet from a customer's client machine (IE7, Windows XP, standard JRE installation of Java 1.6.0_26), I see in the tomcat access log entries signalling that core java api classes are accidentally requested from the server:

      ...
      "GET /mywebapp/applet/java/lang/StringBuilder.class HTTP/1.1" 404 1156 0
      "GET /mywebapp/applet/javax/swing/JPanel.class HTTP/1.1" 404 1141 0
      "GET /mywebapp/applet/java/net/JarURLConnection.class HTTP/1.1" 404 1162 0
      "GET /mywebapp/applet/java/util/jar/JarEntry.class HTTP/1.1" 404 1153 0
      "GET /mywebapp/applet/java/util/jar/JarFile.class HTTP/1.1" 404 1150 0
      ...

      Although tomcat responds with HTTP 404, the applet works fine.

      Questions:
      1. For me, it looks like a security risk when the browser tries to load system classes from the network instead of using the local files from the jre dir, doesn't it?
      2. When starting the applet from my local machine (different network), no tomcat logfile entries are generated. An interesting fact is that in the customer network, the applet "codebase" parameter in the HTML source gets modified by a proxy server for whatever reason like the following:

      <applet codebase="http://mydomain.org/mywebapp/applet">

      becomes some kind of:

      <applet codebase="http://mydomain.org/mywebapp/applet/+sgrkjkrlgjklJKLjekrr4jewlkfjkerlkrelkjgregkjerlkgljkeglkjgjelkLKJLKefjei55435ijjkl=+">

      It seems that such codebases confuse the classloader. Any ideas about that?

      Thank you so much for any hints!
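A small detection script for the situation described in the post, added here as an example and not part of the original thread: it scans Tomcat access log lines (the sample lines below are constructed in the style of the ones quoted above) and flags any request under the applet codebase for a `.class` file in a JRE package such as `java/` or `javax/`. The codebase path `/mywebapp/applet/` is taken from the post; the package prefix list and the log format with a leading client address and timestamp are assumptions. A 404 for such a request is the harmless case the poster observed; a 2xx would mean the web application actually served a class in a core package, which is the case a defender wants surfaced.

```python
import re

# Constructed sample lines in the style of the Tomcat access log quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2011:10:12:01 +0200] "GET /mywebapp/applet/MyApplet.class HTTP/1.1" 200 4321 3
10.0.0.5 - - [01/Aug/2011:10:12:02 +0200] "GET /mywebapp/applet/java/lang/StringBuilder.class HTTP/1.1" 404 1156 0
10.0.0.5 - - [01/Aug/2011:10:12:02 +0200] "GET /mywebapp/applet/javax/swing/JPanel.class HTTP/1.1" 404 1141 0
10.0.0.5 - - [01/Aug/2011:10:12:03 +0200] "GET /mywebapp/applet/java/util/jar/JarFile.class HTTP/1.1" 200 1150 0
10.0.0.5 - - [01/Aug/2011:10:12:04 +0200] "GET /mywebapp/applet/com/example/Util.class HTTP/1.1" 200 2048 1
"""

# Package prefixes that belong to the JRE itself; an applet should never have to
# fetch these from its codebase. The exact list is an assumption for this example.
CORE_PACKAGE_PREFIXES = ("java/", "javax/", "sun/", "com/sun/")

# Extracts the request path and HTTP status from a Tomcat access log line.
REQUEST_RE = re.compile(r'"GET\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})')


def classify_request(path, status, codebase="/mywebapp/applet/"):
    """Return None if the request is unremarkable, otherwise a finding dict."""
    if not path.startswith(codebase) or not path.endswith(".class"):
        return None
    relative = path[len(codebase):]
    if not relative.startswith(CORE_PACKAGE_PREFIXES):
        return None
    # A 404 means the server refused to supply the class: noisy but harmless.
    # A 2xx means a class in a JRE package was actually served from the web
    # application, which is what should trigger an investigation.
    severity = "high" if 200 <= status < 300 else "low"
    class_name = relative[:-len(".class")].replace("/", ".")
    return {"class": class_name, "status": status, "severity": severity}


def find_core_class_requests(lines):
    """Run classify_request over every parseable GET line and collect findings."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = classify_request(match.group("path"), int(match.group("status")))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_core_class_requests(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:4} {f['status']} {f['class']}")
```

Run against a real log, only the codebase path needs adjusting; a stream of `low` findings matches the poster's symptom (the applet classloader falling through to the network after a proxy-mangled codebase), while a single `high` finding deserves a look at what the web application is actually serving under that path.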