Local file access change with new Java update
Joshua Smith
jesmith at kaon.com
Mon Jul 8 08:16:07 PDT 2013
One of my users likes to test their applets locally by just opening the HTML file from the file system (instead of running a local web server). This worked before the most recent update:
Java Plug-in 10.25.2.15
Using JRE version 1.7.0_25-b15 Java HotSpot(TM) 64-Bit Server VM
It appears that there are two issues. One is that getCodeBase(), when running from the local filesystem, is returning an empty string. getDocumentBase() still gives the right result.
If I work around that by using getDocumentBase instead of getCodeBase (which, in this particular case is OK because they should be the same), then I get:
java.security.AccessControlException: access denied ("java.io.FilePermission" "/Other/download/etc..." "read")
So it appears that with "Medium" security (the lowest available setting), applets will run but they cannot read from the file system, even if that's how they ran.
Note that I do have the "Disable Local File Restrictions" checkbox set in the Safari Developer Menu, but I'm guessing that Safari doesn't tell Java about that.
Obviously, the user can just run a local web server, which is what I've told them to do. However, I wanted to make sure that these are both "as designed" security changes, and if not, figure out who I should report the bug to.
-Joshua
More information about the macosx-port-dev
mailing list