java.security.AccessControlException thrown
when applet calls java.beans.Introspector.setBeanInfoSearchPath()
Symptoms
When running an applet in a browser using the Sun JRE, an AccessControlException
is thrown in the execution of Introspector.setBeanInfoSearchPath():
java.security.AccessControlException: access denied (java.util.PropertyPermission
* read,write)
at java.security.AccessControlContext.checkPermission(Unknown
Source)
at java.security.AccessController.checkPermission(Unknown
Source)
at java.lang.SecurityManager.checkPermission(Unknown
Source)
at java.lang.SecurityManager.checkPropertiesAccess(Unknown
Source)
at java.beans.Introspector.setBeanInfoSearchPath(Unknown
Source)
at ....
The same applet runs under the Microsoft VM.
Cause
The Introspector.setBeanInfoSearchPath() method call can
change the list of package names used for finding BeanInfo
classes. If more than one applet is running in the VM, an untrusted applet
could call this method to redirect other applets to look up BeanInfo
in unexpected packages. This is a security hole.
A security check for java.util.PropertyPermission was added
to this method in the JRE to address the security concern. If the applet
is unsigned and it calls into this method, an AccessControlException
will be thrown.
Resolution
The workaround is to either:
Sign the applet using the JDK jarsigner tool, so
that the applet runs as a trusted applet and has permissions to call the
Introspector.setBeanInfoSearchPath() method.
Rearchitect the applet code to avoid the call to Introspector.setBeanInfoSearchPath().
For example, instead of relying on the BeanInfo search path,
use a fully qualified package name for looking up the BeanInfo.