为什么在缺少Java权限的情况下会有NPE？ 以及如何找出哪个权限？

Question

I have a Java Applet, that runs fine when permission java.security.AllPermission; is granted in the java.policy file.

But I really just want to set the one permission needed for my Application - so I deleted the line permission java.security.AllPermission; in the policy file, expecting an Access Denied Exception or something along those lines, but all I get is a NullPointerException at the following Code:

protected Object[] __ObjectArrayResult;

(...)

final Container c = (Container) container;

        InvocationWrapper.invokeAndWait(new Runnable() {
            public void run() {
                __ObjectArrayResult = c.getComponents();
            }
        });

        Object[] components = __ObjectArrayResult;

        Vector componentVector = Utils.convertArrayToVector(components);

What I am trying here, is to get all the Conponents of a AWT Container, but c.getComponents(); returns Null, and the Utils.convertArrayToVector(components); throws the NPE.

So why does the getComponents method (if it needs some special Permission) not throw an exception and just return Null? I looked through the Documentation, but no case is mentioned, which would return Null.

---

The next thing I've tried is to Debug the Permissions. Using that approach, I found this: http://docs.oracle.com/javase/7/docs/technotes/guides/security/troubleshooting-security.html

Where it states that -Djava.security.debug=access could be used to see all the Results of AccessController.checkPermission

But running that just gave me the following:

access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
access: access allowed ("java.util.PropertyPermission" "line.separator" "read")
access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
Exception in thread "Thread-19" access: access allowed ("java.lang.RuntimePermission" "modifyThread")
access: access allowed ("java.io.SerializablePermission" "enableSubstitution")
java.lang.NullPointerException: Utils::convertArrayToVector - Array is NULL!

I have no clue what to make of this. It says that AllPermissions is denied, does this mean that some Method Asks the AccessController for all the Permissions? or is it trying to get "java.lang.RuntimePermission" "modifyThread" by first trying to get the more general permission allPermission ?

---

So to summarize: Why is getComponents() returning Null? Why does it not throw an Exception and tell me which Permission is needed? Why is AllPermission requested instead of a more specific permission?

Thanks!

Answer 1

Fix your invocations of the EDT not to swallow exceptions:

    final Container c = (Container) container;
    final AtomicReference<Object[]> result = new AtomicReference<>();
    try {
        SwingUtilities.invokeAndWait(new Runnable() {
            @Override
            public void run() {
                result.set(c.getComponents());
            }
        });
    } catch (Exception e) {
         throw new RuntimeException(e.getMessage(), e);
    }
    Object[] components = result.get();
    Vector componentVector = Utils.convertArrayToVector(components);

You will now be able to see where your code fails missing a permission.

You also note that exchanging a value between Runnable and invoking thread is done safely using a local reference (result). Doing this through an instance member is extremely bad style, and outright broken if used in a context where more than one thread could execute the runnable concurrently.

Its also notable that Vector is almost never what you want to use (because Vector is synchronized). Switch to ArrayList when you don't need synchronized access (and you almost never need that).