Closed
Bug 59983
Opened 24 years ago
Closed 24 years ago
win.getMembers("document") gives access denied and a security violation
Categories
(Core Graveyard :: Java: Live Connect, defect, P3)
Tracking
(Not tracked)
People
(Reporter: gary.kind, Assigned: jeff.dyer)
Attachments
(1 file: 3.62 KB, application/zip)
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
BuildID:

Using liveconnect, I can easily get the DOM window by calling JSObject.getWindow(this) in an Applet's method other than init(). However, if I follow this up with the following statement:

    JSObject myDoc = (JSObject) win.getMember("document");

I get an "access denied" and a security violation in the java console. Being able to do a getMember on any JSObject is critical for our Oracle products. I consider this a showstopper and it needs to be addressed as quickly as your schedule permits.

Reproducible: Always

Steps to Reproduce:

1. Write a simple html file that contains the following:

    <applet ID="App1" name="lcApplet" CODE="myclasses.liveConnect" MAYSCRIPT>
    </applet>
    <script>
    function showAlert() {
      alert("JavaScript 'showAlert': called from applet.load() ");
    }
    document.lcApplet.load();
    </script>

2. Write a simple Applet called liveConnect.java in a "myclasses" folder below the folder that contains your html file. It should contain a public void method "load" with no args.

3. Of course, at the top, import netscape.javascript.*; to get the JSObject.class.

4. Put the following 3 lines in the load method:

    // Get the DOM window from JavaScript
    JSObject myWin = JSObject.getWindow(this);
    // Call the JavaScript function showAlert
    myWin.call("showAlert", null);
    // Get the DOM document object from JavaScript
    JSObject myDoc = (JSObject) myWin.getMember("document");

5. Compile the .java Applet file into a .class file.

6. Bring up the Netscape 6 or Mozilla Browser and open the Java Console.

7. Enter the URL to the simple html file you created in step 1.

8. You should see the access denied and security violation when the JSObject myDoc = (JSObject) myWin.getMember("document"); statement is executed.

Actual Results: The following is a dump of what came up in my Java Console:

    ******* textjava.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.Class.getProtectionDomain(Unknown Source)
        at sun.plugin.liveconnect.SecureInvocation.checkLiveConnectCaller(Unknown Source)
        at sun.plugin.liveconnect.SecureInvocation.ConstructObject(Unknown Source)
        at sun.plugin.javascript.navig5.JSObject.JSObjectGetMember(Native Method)
        at sun.plugin.javascript.navig5.JSObject.getMember(Unknown Source)
        at myclasses.liveConnect.setString(liveConnect.java:43)
        at java.lang.reflect.Method.invoke(Native Method)
        at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)
    java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException: java.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.Class.getProtectionDomain(Unknown Source)
        at sun.plugin.liveconnect.SecureInvocation.checkLiveConnectCaller(Unknown Source)
        at sun.plugin.liveconnect.SecureInvocation.ConstructObject(Unknown Source)
        at sun.plugin.javascript.navig5.JSObject.JSObjectGetMember(Native Method)
        at sun.plugin.javascript.navig5.JSObject.getMember(Unknown Source)
        at myclasses.liveConnect.setString(liveConnect.java:43)
        at java.lang.reflect.Method.invoke(Native Method)
        at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)

Expected Results: I would have expected no errors and a valid DOM document returned to the applet's method as a JSObject.
Comment 1•24 years ago
Before I follow these instructions, you don't happen to have all this stuff that you can put together in a testcase, and attach to this bug, do you?

Gerv
Comment 2•24 years ago
Comment 3•24 years ago
Unzip the test case, bring up the Java console, edit the text and click the button. The console shows an error. I'm happy to confirm this bug happens - whether it's a real bug or not, I'm not qualified to say :-) rogerl?

Gerv

P.S. Reporter - to attach a file to a bug, visit it and use the "Create New Attachment" link.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•24 years ago
cc'ing Patrick, Jeff, and Mitch. Is this the right component for this bug? Or should it be under the Security component? Also: gary.kind@oracle.com, has this testcase ever worked in Mozilla? If so, can you say how recently it stopped working? Thanks -
It is not clear where the fault is. The problem is that the applet is making liveconnect calls without a script running, and so the security manager can't find the principal to validate the call. Calling function getDocument() { return window.document; } works fine since a script is running when caps need to find a principal on the js stack. Keep it in LC, but reassign to me for further analysis.
The workaround function "getDocument()" returns a document to Java. However, nothing can be done with it, most likely for the same reason. If I turn around and call, in Java, document.call("write", <txt arg>); I get another security violation. How do I keep the "Principal" around? The point is that getMembers doesn't seem to be working on ANY JSObject! That's what needs to be fixed.
Comment 7•24 years ago
Reassigning to Jeff, as he requested above - (thanks!)
Assignee: rogerl → jeff.dyer
*** This bug has been marked as a duplicate of 59447 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE