8 Replies Latest reply: Nov 11, 2011 2:09 PM by 806962 RSS

    Signed Applet gives AccessControlException when doing XSLT

    806962
      Hi All,

      I have a signed applet that performs XSL transformation where the input XML, the XSL and the output is read/written
      on the local file system. The XSL transormation is called inside a AccessController.doPrivileged() block.
      It's running in JRE 1.5.0.

      When my XSL file contains a reference to an external XML document:
      *<xsl:variable name="extXML" select="document('/tmp/A.XML')"/>*
      the transformation fails:

      com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
           at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(Unknown Source)
           at GEN.topLevel()
           at GEN.transform()
           at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(Unknown Source)
           at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(Unknown Source)
           at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(Unknown Source)
           at myxsltapplet.MyXSLTApplet$5.run(MyXSLTApplet.java:173)
           at java.security.AccessController.doPrivileged(Native Method)
           at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:162)

      If this reference to external XML document is commented out everything work just fine.


      Does somebody know why do I get it if my applet is signed?
      Using a policy file solves this problem but unfortunately this is not an option for me.

      Thanks for any idea,

      Edited by: athox on Oct 19, 2011 12:08 PM
        • 1. Re: Signed Applet gives AccessControlException when doing XSLT
          817264
          If you can post link to the test applet then it will be best.

          Otherwise get a detailed trace log and post it here
          (see http://download.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf)

          Also explain how your applet is deployed. How many jars (yours and libs), which jars are signed.

          E.g. where
          GEN.transform()
          comes from?
          • 2. Re: Signed Applet gives AccessControlException when doing XSLT
            806962
            Hi,

            After I posted this problem I have tried my applet with Java 1.6.0_29 and the XSLT works fine
            with the reference to an external XML document. I assume this is a Java 1.5 bug...
            it would be interesting to know the bug number if there is any.


            My applet is deployed in a simple jar file and the start HTML page is like:
            <HTML>
            <HEAD>
            </HEAD>
            <BODY>

            <!-- This part is for IE -->
            <!-- Use the same ARCHIVE parameter for both applet to have the same plug-in class loader -->
            <OBJECT
            ...
            <COMMENT>

            <!-- This part is for Netscape -->
            <!-- Use the same ARCHIVE parameter for both applet to have the same plug-in class loader -->
            <EMBED
            type = "application/x-java-applet;version=1.5"
            CODE = "myxsltapplet.MyXSLTApplet.class"
            JAVA_CODEBASE = "JARS"
            ARCHIVE = "myxsltapplet.jar"
            NAME = "MyXSLTApplet"
            WIDTH = "100%"
            HEIGHT = "100%"
            ALIGN = middle
            VSPACE = 0
            HSPACE = 0
            progressbar = true
            scriptable = true
            pluginspage = "http://java.sun.com/products/plugin/index.html#download">
            <NOEMBED>

            </NOEMBED>
            </EMBED>
            </COMMENT>
            </OBJECT>

            </BODY>
            </HTML>


            I have switched trace on but it didn't help for me.
            I guess "GEN.transform()" should come from JRE (rt.jar) somewhere:

            Java Plug-in 1.5.0_22
            Using JRE version 1.5.0_22 Java HotSpot(TM) Client VM
            User home directory = /home/testuser
            network: Loading user-defined proxy configuration ...
            network: Done.
            network: Loading proxy configuration from Netscape Navigator ...
            network: Reading user preference file from /home/testuser/.mozilla/myxsltapplet/s1b4t7re.slt/prefs.js
            network: Done.
            network: Loading browser proxy configuration ...
            network: Done.
            network: Proxy Configuration: Browser Proxy Configuration

            basic: Cache is enabled
            basic: Location: /home/testuser/.java/deployment/cache/javapi/v1.0
            basic: Maximum size: unlimited
            basic: Compression level: 0
            basic: New window ID: 4c0012b
            basic: Value of xembed: 0
            basic: setWindow: call before applet exists:4c0012b
            basic: Referencing classloader: sun.plugin.ClassLoaderInfo@11c2b67, refcount=1
            basic: Added progress listener: sun.plugin.util.GrayBoxPainter@1b273cc
            basic: Loading applet ...
            basic: Initializing applet ...
            basic: Starting applet ...
            basic: Referencing classloader: sun.plugin.ClassLoaderInfo@11c2b67, refcount=2
            basic: Releasing classloader: sun.plugin.ClassLoaderInfo@11c2b67, refcount=1
            security: Accessing keys and certificate in Mozilla user profile: /home/testuser/.mozilla/myxsltapplet/s1b4t7re.slt
            security: JSS package is not found
            security: Loading Root CA certificates from /home/testuser/jre/lib/security/cacerts
            security: Loaded Root CA certificates from /home/testuser/jre/lib/security/cacerts
            security: Loading Deployment certificates from /home/testuser/.java/deployment/security/trusted.certs
            security: Loaded Deployment certificates from /home/testuser/.java/deployment/security/trusted.certs
            security: Loading certificates from Deployment session certificate store
            security: Loaded certificates from Deployment session certificate store
            security: Checking if certificate is in Deployment permanent certificate store
            com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
            at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(Unknown Source)
            at GEN.topLevel()
            at GEN.transform()
            at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(Unknown Source)
            at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(Unknown Source)
            at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(Unknown Source)
            at myxsltapplet.MyXSLTApplet$5.run(MyXSLTApplet.java:173)
            at java.security.AccessController.doPrivileged(Native Method)
            at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:162)
            +...+
            • 3. Re: Signed Applet gives AccessControlException when doing XSLT
              806962
              It seems my enthusiasm for Java 6 solving this problem was too early.

              Java 6 also throws java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
              not at
              *<xsl:variable name="extXML" select="document('/tmp/A.XML')"/>*

              but at the very 1st read from variable $extXML like:
              *<xsl:value-of select="$extXML/Child"/>*

              Just for completeness I have tried with Java 7 update 1 and it also throws the AccessControlException.


              So any more help is appreciated...

              Edited by: athox on Oct 24, 2011 1:35 PM
              • 4. Re: Signed Applet gives AccessControlException when doing XSLT
                817264
                AccessControlException means your code is not considered trusted.

                Do you see prompt to grant permissions to the applet when you run it?

                Do you have pointer to your application to try?

                Things to try:
                1) get a detailed log (make sure to add deployment.trace.level=all) and post everything related to loading/security/launch here.

                2) print out the content of your jar file. What files do you have in META-INF folder?
                Also, run jarsigner -verify on your application jar - does it work?

                BTW, in general if you do not expect your users to have really old JREs it is better to use JNLP applets.
                (http://download.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html)
                • 5. Re: Signed Applet gives AccessControlException when doing XSLT
                  806962
                  Hi igor,

                  My applet is definitely signed as if I remove the reference to the external XML document the XSL transformation works without any exception.
                  Yes the usual confirm dialog pops up with the
                  "+The application's digital signature cannot be verified. Do you want to run the application?+" message.

                  This is the content of the jar file that was signed with a key having MyXSLTApplet alias (created with keytool):
                  META-INF/MANIFEST.MF
                  META-INF/MYXSLTAP.SF
                  META-INF/MYXSLTAP.DSA
                  META-INF/
                  myxsltapplet/
                  myxsltapplet/MyURIResolver.class
                  myxsltapplet/MyXSLTApplet$1.class
                  myxsltapplet/MyXSLTApplet.class

                  jarsigner -verify myxsltapplet.jar gives: "jar verified."

                  Last time my XSL was called "GEN.XSL". Now I renamed it to "in.xsl".
                  From this I noticed that's where
                  at GEN.topLevel()
                  at GEN.transform()
                  come from in the stack trace...


                  _Full trace with deployment.trace.level=all_ (This time I was running with JRE 1.6 in Chrome.)

                  Java Plug-in 1.6.0_26
                  Using JRE version 1.6.0_26-b03 Java HotSpot(TM) Server VM
                  User home directory = /home/testuser

                  ----------------------------------------------------
                  c:   clear console window
                  f:   finalize objects on finalization queue
                  g:   garbage collect
                  h:   display this help message
                  l:   dump classloader list
                  m:   print memory usage
                  o:   trigger logging
                  q:   hide console
                  r:   reload policy configuration
                  s:   dump system and deployment properties
                  t:   dump thread list
                  v:   dump thread stack
                  x:   clear classloader cache
                  +0-5: set trace level to <n>+
                  ----------------------------------------------------

                  security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.
                  security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws
                  security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws
                  security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy
                  security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy
                  security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
                  security: property package.definition value null
                  security: property package.definition new value com.sun.javaws
                  security: property package.definition value com.sun.javaws
                  security: property package.definition new value com.sun.javaws,com.sun.deploy
                  security: property package.definition value com.sun.javaws,com.sun.deploy
                  security: property package.definition new value com.sun.javaws,com.sun.deploy,com.sun.jnlp
                  security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
                  security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
                  security: property package.definition value com.sun.javaws,com.sun.deploy,com.sun.jnlp
                  security: property package.definition new value com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
                  basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@8046f4
                  basic: Plugin2ClassLoader.addURL parent called for file:/home/testuser/MyXSLTApplet/JARS/myxsltapplet.jar
                  +network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/myxsltapplet.jar, version: null]+
                  security: Accessing keys and certificate in Mozilla user profile: null
                  security: Loading Root CA certificates from /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/security/cacerts
                  security: Loaded Root CA certificates from /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/security/cacerts
                  security: Loading Deployment certificates from /home/testuser/.java/deployment/security/trusted.certs
                  security: Loaded Deployment certificates from /home/testuser/.java/deployment/security/trusted.certs
                  security: Loading certificates from Deployment session certificate store
                  security: Loaded certificates from Deployment session certificate store
                  security: Validate the certificate chain using CertPath API
                  security: Obtain certificate collection in Root CA certificate store
                  security: Obtain certificate collection in Root CA certificate store
                  security: Start to check whether root CA is replaced
                  security: The root CA hasnt been replaced
                  security: No timestamping info available
                  security: Found jurisdiction list file
                  security: No need to checking trusted extension for this certificate
                  security: The CRL support is disabled
                  security: The OCSP support is disabled
                  security: This OCSP End Entity validation is disabled
                  security: Checking if certificate is in Deployment denied certificate store
                  security: Checking if certificate is in Deployment permanent certificate store
                  security: Checking if certificate is in Deployment session certificate store
                  security: User has granted the priviledges to the code for this session only
                  security: Adding certificate in Deployment session certificate store
                  security: Added certificate in Deployment session certificate store
                  security: Saving certificates in Deployment session certificate store
                  security: Saved certificates in Deployment session certificate store
                  +network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/myxsltapplet.jar, version: null]+
                  security: Loading certificates from Deployment session certificate store
                  security: Loaded certificates from Deployment session certificate store
                  security: Validate the certificate chain using CertPath API
                  security: Obtain certificate collection in Root CA certificate store
                  security: Obtain certificate collection in Root CA certificate store
                  security: Start to check whether root CA is replaced
                  security: The root CA hasnt been replaced
                  security: No timestamping info available
                  security: Found jurisdiction list file
                  security: No need to checking trusted extension for this certificate
                  security: The CRL support is disabled
                  security: The OCSP support is disabled
                  security: This OCSP End Entity validation is disabled
                  security: Checking if certificate is in Deployment denied certificate store
                  security: Checking if certificate is in Deployment permanent certificate store
                  security: Checking if certificate is in Deployment session certificate store
                  basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
                  security: Loading certificates from Deployment session certificate store
                  security: Loaded certificates from Deployment session certificate store
                  security: Validate the certificate chain using CertPath API
                  security: Obtain certificate collection in Root CA certificate store
                  security: Obtain certificate collection in Root CA certificate store
                  security: Start to check whether root CA is replaced
                  security: The root CA hasnt been replaced
                  security: No timestamping info available
                  security: Found jurisdiction list file
                  security: No need to checking trusted extension for this certificate
                  security: The CRL support is disabled
                  security: The OCSP support is disabled
                  security: This OCSP End Entity validation is disabled
                  security: Checking if certificate is in Deployment denied certificate store
                  security: Checking if certificate is in Deployment permanent certificate store
                  security: Checking if certificate is in Deployment session certificate store
                  basic: Applet loaded.
                  basic: Applet resized and added to parent container
                  basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 135817 us, pluginInit dt 2342483 us, TotalTime: 2478300 us

                  rootPath: /home/testuser/MyXSLTApplet
                  codeBase: file:/home/testuser/MyXSLTApplet/JARS/
                  documentBase: file:/home/testuser/MyXSLTApplet/MyApplet.htm
                  xml: /home/testuser/MyXSLTApplet/in.xml, exists: true
                  xsl: /home/testuser/MyXSLTApplet/in.xsl, exists: true*
                  res: /home/testuser/MyXSLTApplet/res.xml, exists: true

                  basic: Applet initialized
                  basic: Removed progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@8046f4
                  basic: Applet made visible
                  basic: Starting applet
                  basic: completed perf rollup
                  basic: Applet started
                  basic: Told clients applet is started
                  +network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/, version: null]+

                  +> MyURIResolver.resolve(), href: /tmp/A.XML, base: file:/home/testuser/MyXSLTApplet/in.xsl+
                  Creating File object: '/tmp/A.XML
                  ERROR:  'java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)'
                  javax.xml.transform.TransformerException: com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
                  at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:713)
                  at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
                  at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:66)
                  at myxsltapplet.MyXSLTApplet.access$000(MyXSLTApplet.java:17)
                  at myxsltapplet.MyXSLTApplet$1.actionPerformed(MyXSLTApplet.java:48)
                  at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
                  at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2318)
                  at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:387)
                  at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:242)
                  at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:236)
                  at java.awt.Component.processMouseEvent(Component.java:6288)
                  at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
                  at java.awt.Component.processEvent(Component.java:6053)
                  at java.awt.Container.processEvent(Container.java:2041)
                  at java.awt.Component.dispatchEventImpl(Component.java:4651)
                  at java.awt.Container.dispatchEventImpl(Container.java:2099)
                  at java.awt.Component.dispatchEvent(Component.java:4481)
                  at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4577)
                  at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4238)
                  at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
                  at java.awt.Container.dispatchEventImpl(Container.java:2085)
                  at java.awt.Component.dispatchEvent(Component.java:4481)
                  at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:643)
                  at java.awt.EventQueue.access$000(EventQueue.java:84)
                  at java.awt.EventQueue$1.run(EventQueue.java:602)
                  at java.awt.EventQueue$1.run(EventQueue.java:600)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
                  at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:98)
                  at java.awt.EventQueue$2.run(EventQueue.java:616)
                  at java.awt.EventQueue$2.run(EventQueue.java:614)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
                  at java.awt.EventQueue.dispatchEvent(EventQueue.java:613)
                  at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
                  at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
                  at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
                  at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
                  at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
                  at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
                  Caused by: com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
                  at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(LoadDocument.java:142)
                  at in.topLevel()*
                  at in.transform()*
                  at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(AbstractTranslet.java:603)
                  at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:709)
                  +... 39 more+
                  --------
                  com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
                  at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(LoadDocument.java:142)
                  at in.topLevel()*
                  at in.transform()*
                  at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(AbstractTranslet.java:603)
                  at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:709)
                  at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
                  at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:66)
                  at myxsltapplet.MyXSLTApplet.access$000(MyXSLTApplet.java:17)
                  at myxsltapplet.MyXSLTApplet$1.actionPerformed(MyXSLTApplet.java:48)
                  at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
                  at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2318)
                  at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:387)
                  at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:242)
                  at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:236)
                  at java.awt.Component.processMouseEvent(Component.java:6288)
                  at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
                  at java.awt.Component.processEvent(Component.java:6053)
                  at java.awt.Container.processEvent(Container.java:2041)
                  at java.awt.Component.dispatchEventImpl(Component.java:4651)
                  at java.awt.Container.dispatchEventImpl(Container.java:2099)
                  at java.awt.Component.dispatchEvent(Component.java:4481)
                  at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4577)
                  at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4238)
                  at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
                  at java.awt.Container.dispatchEventImpl(Container.java:2085)
                  at java.awt.Component.dispatchEvent(Component.java:4481)
                  at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:643)
                  at java.awt.EventQueue.access$000(EventQueue.java:84)
                  at java.awt.EventQueue$1.run(EventQueue.java:602)
                  at java.awt.EventQueue$1.run(EventQueue.java:600)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
                  at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:98)
                  at java.awt.EventQueue$2.run(EventQueue.java:616)
                  at java.awt.EventQueue$2.run(EventQueue.java:614)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
                  at java.awt.EventQueue.dispatchEvent(EventQueue.java:613)
                  at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
                  at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
                  at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
                  at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
                  at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
                  at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)

                  I will try to find a public website to share the tar.gz package of the applet.

                  Thanks for your help
                  • 6. Re: Signed Applet gives AccessControlException when doing XSLT
                    806962
                    I have found an interesting point:

                    In the applet I have created a reference to the current SecurityManager and its AccessControlContext.

                    public static SecurityManager sm;
                    public static AccessControlContext acc;

                    @Override
                    public void init() {
                    ...
                    sm = System.getSecurityManager();
                    if (sm != null) {
                    System.out.println("SecurityManager: " + sm);
                    acc = (AccessControlContext) sm.getSecurityContext();
                    System.out.println("getSecurityContext(): " + acc);
                    acc.checkPermission(new FilePermission("/tmp/A.XML", "read"));
                    }
                    }

                    Here the checkPermission() runs without exception.
                    Output:
                    SecurityManager: sun.plugin2.applet.Applet2SecurityManager@103fcaa
                    getSecurityContext(): java.security.AccessControlContext@17b2b2


                    In the URIResolver implementation I also get the SecurityManager and its AccessControlContext.
                    The SecurityManager is the same but the AccessControlContext has changed, different hash codes are logged.
                    Output:
                    SecurityManager: sun.plugin2.applet.Applet2SecurityManager@103fcaa
                    getSecurityContext(): java.security.AccessControlContext@ede64c

                    Calling checkPermission on the start-up AccessControlContext
                    MyXSLTApplet.acc.checkPermission(new FilePermission("/tmp/A.XML", "read"));
                    runs without exception.

                    Calling checkPermission on the new AccessControlContext accessible in URIResolver
                    acc.checkPermission(new FilePermission("/tmp/A.XML", "read"));
                    throws:
                    ERROR:  'java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)'


                    Isn't it a Java bug?
                    • 7. Re: Signed Applet gives AccessControlException when doing XSLT
                      817264
                      How do you use URIResolver?
                      What will be stacktrace when you run checkPermission in the URIResolver?
                      Any chance you can share small testcase?

                      Yes, may be bug in Java. Although i need to see testcase to be sure.
                      • 8. Re: Signed Applet gives AccessControlException when doing XSLT
                        806962
                        I have put a zip package (16.5 KB) containing all files at http://www.MegaShare.com/3711733 - I hope you can grab that.
                        To sign the jar file with the ant build.xml you need to create a key with alias MyXSLTApplet, like:
                        keytool -genkey -alias MyXSLTApplet -validity 365 -dname "CN=MyXSLTApplet, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

                        The stack trace didn't really change.
                        In URIResolver the second checkPermission based on the new AccessControlContext fails.

                        +...+
                        rootPath: /home/testuser/MyXSLTApplet
                        codeBase: file:/home/testuser/MyXSLTApplet/JARS/
                        documentBase: file:/home/testuser/MyXSLTApplet/MyApplet.htm
                        xml: /home/testuser/MyXSLTApplet/in.xml, exists: true
                        xsl: /home/testuser/MyXSLTApplet/in.xsl, exists: true
                        out: /home/testuser/MyXSLTApplet/out.xml, exists: true
                        SecurityManager: sun.plugin2.applet.Applet2SecurityManager@1a8d460+
                        getSecurityContext(): java.security.AccessControlContext@10c6cfc+

                        init() - AccessControlContext.checkPermission('java.io.FilePermission', '/tmp/A.XML', 'read') DONE.
                        basic: Applet initialized
                        basic: Removed progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@8de462
                        basic: Applet made visible
                        basic: Starting applet
                        basic: completed perf rollup
                        basic: Applet started
                        basic: Told clients applet is started
                        +network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/, version: null]+

                        *> MyURIResolver.resolve(), href: /tmp/A.XML, base: file:/home/testuser/MyXSLTApplet/in.xsl*
                        Creating File object: /tmp/A.XML
                        SecurityManager: sun.plugin2.applet.Applet2SecurityManager@1a8d460+
                        getSecurityContext(): java.security.AccessControlContext@18f766d+
                        MyXSLTApplet.AccessControlContext.checkPermission() DONE.+
                        ERROR:  'java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)'+
                        javax.xml.transform.TransformerException: com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
                        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:713)
                        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
                        at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:78)
                        +...+
                        Caused by: com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
                        at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(LoadDocument.java:142)
                        at in.topLevel()
                        at in.transform()
                        at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(AbstractTranslet.java:603)
                        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:709)
                        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
                        at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:78)
                        +...+

                        Edited by: athox on Nov 11, 2011 9:07 PM