java.security.AccessControlException Thrown in the Execution of java.beans.Introspector.setBeanInfoSearchPath() Method
Symptoms
When running an applet in a browser by using the Sun Java™ Runtime Environment (JRE™) implementation, a java.security.AccessControlException is thrown in the execution of the java.beans.Introspector.setBeanInfoSearchPath() method, as shown below:
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertiesAccess(Unknown Source)
    at java.beans.Introspector.setBeanInfoSearchPath(Unknown Source)
    at ....
The same applet runs without any error with the Microsoft
Virtual Machine (VM).
Cause
The Introspector.setBeanInfoSearchPath() method call can change the list of package names used for finding BeanInfo classes. If more than one applet is running in the VM, an untrusted applet could call this method to redirect other applets to look up BeanInfo in unexpected packages. This is a security flaw.
To address this security concern, a security check for java.util.PropertyPermission has been added to the Introspector.setBeanInfoSearchPath() method in the JRE. If the applet is unsigned and it calls this method, a java.security.AccessControlException is thrown.
Resolution
To resolve the problem:
- Sign the applet by using the Java Development Kit (JDK) jarsigner tool, so that the applet runs as a trusted applet and has permission to call the Introspector.setBeanInfoSearchPath() method.
- Rearchitect the applet code to avoid the call to Introspector.setBeanInfoSearchPath(). For example, instead of relying on the BeanInfo class search path, use a fully qualified package name for searching the BeanInfo.
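One way to apply the second resolution, as an added example that is not part of the original article or of the JDK: the BeanInfo class is loaded by its fully qualified name through the bean's own class loader, so setBeanInfoSearchPath() is never called. The class names ExplicitBeanInfoLookup, Widget and WidgetBeanInfo and the helper loadBeanInfo() are hypothetical, constructed for illustration.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.beans.SimpleBeanInfo;

public class ExplicitBeanInfoLookup {
    // Constructed sample bean and its BeanInfo (hypothetical names).
    public static class Widget {
        private String label;
        public String getLabel() { return label; }
        public void setLabel(String label) { this.label = label; }
    }

    public static class WidgetBeanInfo extends SimpleBeanInfo {
        @Override
        public PropertyDescriptor[] getPropertyDescriptors() {
            try {
                PropertyDescriptor pd = new PropertyDescriptor("label", Widget.class);
                pd.setDisplayName("Widget label");
                return new PropertyDescriptor[] { pd };
            } catch (IntrospectionException e) {
                return null; // null tells callers to fall back to automatic analysis
            }
        }
    }

    // Loads the BeanInfo by fully qualified class name. The VM-wide search path is
    // not modified, so the checkPropertiesAccess() check in
    // setBeanInfoSearchPath() is never reached and other applets are unaffected.
    static BeanInfo loadBeanInfo(Class<?> beanClass, String beanInfoClassName)
            throws IntrospectionException {
        try {
            Class<?> c = Class.forName(beanInfoClassName, true, beanClass.getClassLoader());
            return c.asSubclass(BeanInfo.class).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            // Not found or not a BeanInfo: use the default lookup, which reads
            // the search path but does not change it.
            return Introspector.getBeanInfo(beanClass);
        }
    }

    public static void main(String[] args) throws IntrospectionException {
        BeanInfo info = loadBeanInfo(Widget.class, WidgetBeanInfo.class.getName());
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            System.out.println(pd.getName() + " -> " + pd.getDisplayName());
        }
    }
}
```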