233546 - Java (security-)applet won't load when opening page

Status: RESOLVED WORKSFORME

(Core Graveyard :: Java: OJI, defect)

Description

[frits van veeningen]

User-Agent:       
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040124

Postbank, one of the largest Dutch banks, uses a Java-applet for security at
logon on their internet banking application. It seems it is used for encryption. 

Reproducible: Always
Steps to Reproduce:
1. Go to https://www.p3.postbank.nl/sesam/SesamLoginServlet
2. Fill in anything in 'Gebruikersnaam' (=username)
3. Fill in anything in 'Wachtwoord' (=password)
4. Hit <Enter>

Actual Results:  
If the applet failed to load, you'll get a pop-up saying something like this:

"Inloggen Mijn Postbank.nl
U kunt niet inloggen op Mijn Postbank.nl
Om gebruik te maken van Mijn Postbank.nl, moet u beschikken over:
– Windows 95, 98, ME, 2000, NT en XP in combinatie met Internet Explorer 4.01 of
hoger of MAC OS 10 in combinatie met Netscape 7.0.

[...]" 


Expected Results:  
In case the applet is loaded, you'll probably will get some error message on the
same page, or get logged on if you managed to enter a correct combination of
user-id and password.

The applet is loaded using the following code:

<applet code="CA.class" codebase="/sesam" name="CryptoApplet" id="CryptoApplet"
archive="ca.jar" align="bottom" width="0" height="0" id="CryptoApplet">
<param name="CABBASE" value="ca.cab">
</applet>

Apparently, there is an option to use ActiveX as well, but obviously, that is
not something a Linux user needs. 

Strange thing is that it seems to work with some distro's (i.e. Red Hat 9, Moz
1.2.1 and Sun Java 1.4.2), but on my Fedora Core 1 box, it has never worked, no
matter which version or vendor i use for the Java plugin. From this thread at
Webwereld.nl ( http://webwereld.nl/nieuws/reactie_compleet.phtml?id=17697 ) i
gather i'm not the only one, though. 

<speculation>I think it has something to do with the plugin size being zero
height and zero width, but i can imagine the applet is supposed to be
invisible.</speculation>

The only workaround i found, is using Opera. Now, that's not what we want, is it?

Comment 1

[frits van veeningen]

Attachment: Pop-up window

Attachment shows the pop-up window one gets when trying to log on when the
applet is not loaded.

Comment 2

[WD]

WFM Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040206
Firefox/0.8
Java Plug-in 1.5.0

After a couple of seconds, I get a java security dialog.  After I accept that,
the page seems to work fine, with an error message at the top saying that my
username/pass is incorrect.

Comment 3

[frits van veeningen]

I tried to compare the behavior of Mozilla in Fedora to that in RedHat 9, using
the Java Console. When the trace level is set to 5, in RedHat, at loading the
page, the console starts printing stuff like:

Trace level set to 5: basic, net, security, ext, liveconnect ... completed.
setWindow: call before applet exists:37750421
Referencing classloader: sun.plugin.ClassLoaderInfo@e2291, refcount=1
Loading applet ...
Initializing applet ...
Starting applet ...
Connecting https://www.p3.postbank.nl/sesam/ca.jar with no proxy
Connecting https://www.p3.postbank.nl/sesam/ca.jar with cookie "AppletType=java;
ns_cookietest=true; ns_session=true; ACSpeed=42055;
sesessionid=0002E0NCRXABTNVY3XO2NXKZ0DQ"
Loading Root CA certificates from
/usr/lib/jvm/java-1.4.2-sun-1.4.2.01/jre/lib/security/cacerts
[...]

Whereas with Fedora, also with trace level set to 5, the console prints _nothing
at all_:
Trace level set to 5: basic, net, security, ext, liveconnect ... completed.

<nothing>

So it seems the browser doesn't even attempt to load the applet.
(Before anyone asks: 

Java(TM) Plug-in 1.4.2_02-b03

    File name: libjavaplugin_oji.so
    Java(TM) Plug-in 1.4.2_02
)

Comment 4

[frits van veeningen]

One of the differences between my RedHat-box and Fedora turned out to be the
java-vm version. On the first one 1.4.2_01-b06 is installed, on the latter it
was 1.4.2_02-b03. So i de-installed 1.4.2_02-b03, and installed 1.4.2_01-b06.
And now it works. 

Still, it should work on the others as well. 

Comment 5

[Dick Streefland]

(In reply to comment #4)
> One of the differences between my RedHat-box and Fedora turned out to be the
> java-vm version. On the first one 1.4.2_01-b06 is installed, on the latter it
> was 1.4.2_02-b03. So i de-installed 1.4.2_02-b03, and installed 1.4.2_01-b06.
> And now it works. 

I tested a number of different java versions with Firebird 0.7, and
1.4.2_01-b06 seems to be the last version that works:

1.4.2-b28       OK
1.4.2_01-b06    OK
1.4.2_02-b03    NOK
1.4.2_03-b02    NOK
1.5.0-beta-b32c NOK

Comment 6

[Dick Streefland]

(In reply to comment #0)
> <speculation>I think it has something to do with the plugin size being zero
> height and zero width, but i can imagine the applet is supposed to be
> invisible.</speculation>

I think you are correct. I used a proxy script that changes
  width="0" height="0" id="CryptoApplet"
into:
  width="1" height="1" id="CryptoApplet"
and now the newer plugin version work as well! So, at least we have a workaround
for the Postbank.

When I look through the release notes of 1.4.2_02 at:

  http://java.sun.com/j2se/1.4.2/ReleaseNotes.html#PriorRels

there is one bug fix that is related to the applet size:

4798569 Mozilla cannot correctly display Java applet with relative "width"
attribute.

Perhaps the current problem was introduced in that fix?

Comment 7

[frits van veeningen]

Yep. I stumbled upon that bug earlier today. More details at 
http://developer.java.sun.com/developer/bugParade/bugs/4798569.html

Here's a quote:

"* Whether it is legal to call SetWindow with 0 width and 0 height"

Another:

"Since AWT does not allow width/height to be 0, we will add this restriction to
JPI code to filter that."

So basically, the bug was fixed by prohibiting zero sized applets. In other
words: an applet cannot be invisible anymore...

Comment 8

[Dick Streefland]

(In reply to comment #7)
> So basically, the bug was fixed by prohibiting zero sized applets. In other
> words: an applet cannot be invisible anymore...

The funny thing is that the previous online banking system of the Postbank
(Girotel Online, https://gto.postbank.nl/), uses a size of 2x2:

<applet NAME="g3" CODE="PBGN.class" WIDTH="2" HEIGHT="2" ALIGN="BOTTOM"
ARCHIVE="PBGN.jar">

Comment 9

[Kyle Yuan]

For the zero-size applet, please see bug 188454 comment 10.

Comment 10

[Reinout van Schouwen]

This is not a Mozilla problem, so setting Product to Tech Evangelism.

Comment 11

[Reinout van Schouwen]

Kyle, do you still wish to be the assignee for this bug?
Otherwise feel free to change assignment to dutch@evangelism.bugs.

Comment 12

[Kyle Yuan]

Actually, I don't think this belongs to Tech Evangelism. This is a regression of
mozilla and/or Java plugin. Zero-size applet should be supported and we are
trying to figure out a way to do that right now.

Comment 13

[Sander Goudswaard]

Would appreciate it if this bug could be nominated for 1.0, as this affects a
huge amount of Dutch Mozilla/Firefox users.

Comment 14

[Kyle Yuan]

> Would appreciate it if this bug could be nominated for 1.0, as this affects a
> huge amount of Dutch Mozilla/Firefox users.

This is not a mozilla/firefox bug. It has already been fixed in jre 1.5.

Comment 15

[frits van veeningen]

Moreover, Postbank changed the applet size a while ago into 1x1. So it's fixed
at all sides now. 

Comment 16

[Jason Bassford]

> Zero-size applet should be supported and we are
> trying to figure out a way to do that right now.

> This is not a mozilla/firefox bug. It has already
> been fixed in jre 1.5.

Confusing over whether this is Mozilla or Evangelism.  In any case, no bug/patch
has been referenced here as something (from a Mozilla standpoint) that caused
things to work again.  If it really WAS just fixed by the Web site this should
be moved back to Evangelism again...

->WORKSFORME