We are facing a problem with the latest JRE 6 updates 22 and 23. We run a site which uses a Java applet to store/retrieve data by calling a PHP file. For the last 7 years we never had a single issue, but now with the latest JRE we are having a problem. The Java applet loads fine but fails to connect to our server (Unix server), which is supposed to call the PHP file.
Note: We use JavaScript to call a Java function to connect to our server, to retrieve data from the PHP file.
Here is the error message found in Java console:
basic: Applet started
basic: Told clients applet is started
Retreiving cmi for sco=778 from ATutor server
network: Connecting http://www.example.com/training/scorm/read.php with proxy=DIRECT
network: Cache entry not found [url: http://xxx.xxx.xxx.xxx/crossdomain.xml, version: null]
network: Connecting http://xxx.xxx.xxx.xxx/crossdomain.xml with proxy=DIRECT
network: Connecting http://xxx.xxx.xxx.xxx:80/ with proxy=DIRECT
network: Server http://xxx.xxx.xxx.xxx/crossdomain.xml requesting to set-cookie with "SESSdba781ab68368f3b7b29ce28e33a2679=983ded5e21e40047871b1f3ce5c259d7; expires=Monday, 07-Mar-11 20:45:53 GMT; path=/"
ATutor cmi retrieval failed.
java.security.AccessControlException: access denied (java.net.SocketPermission xxx.xxx.xxx.xxx:80 connect,resolve)
Oracle has released a note addressing this issue with a solution:
Website: http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html
The fix for CVE-2010-3560 could cause certain Java applets running in the new Java Plug-in to stop working if they are embedded in web pages which contain JavaScript that calls into Java in order to perform actions which require network security permissions. These applets may fail with a network security exception under some circumstances if the name service which resolved the original web page URL host name does not return a matching name as the result of a reverse address lookup. This is most likely to occur for the new Java Plug-in running on Solaris and Linux when configured to use NIS for host to network address resolution with maps containing host names which are in short form (rather than as a fully qualified domain name).
If an applet is suspected of failing due to this change you can verify that by setting the logging level of the Java Console to 5 and looking for logging strings beginning with “socket access restriction” which will describe the specific cause of the mismatch and will help in identifying the correct workaround to use as described below:
Add a new host name forward map entry (in /etc/hosts, NIS, or DNS) in a special form which is recognized by Java for the purpose of validating IPv4 and IPv6 name service mappings. The IPv4 general name form followed by an /etc/hosts file fragment example for IP address 10.11.12.13 is:
    host.auth.ddd.ccc.bbb.aaa.in-addr.arpa
    # /etc/hosts example
    10.11.12.13 foo.bar.com.auth.13.12.11.10.in-addr.arpa
There is an equivalent form for IPv6 addresses which uses the IP6.ARPA domain root format defined in RFC 3596.
For DNS, these would be A (IPv4) or AAAA (IPv6) entries.
Pre-pend a fully qualified host name before other mappings to the same address. For example, in /etc/hosts format:
    #10.11.12.13 foo loghost
    10.11.12.13 foo.bar.com foo loghost
As an alternative to updating name service records, it may be possible to safely modify the applet to perform the network action using only its own permissions independent of the web page which contains it by using the doPrivileged() method of the java.security.AccessController class.
I am a PHP developer and I have very little knowledge of Java. I couldn’t understand the solution provided by Oracle. They want to add a new host name in the /etc/hosts file; can anyone please explain, with a clearer example, what to add in /etc/hosts?
Also, I don’t know where to add the doPrivileged() method. Please help.
Thanks
Paŭlo,
The server admin uploaded a crossdomain.xml file to the root web directory of the site that resolves the public IP. This is the only information I received.
Here is the crossdomain.xml file,
This fixed the problem and no errors appear in the Java console logs.
These errors are fixed,
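As an added example (not part of the original post or of Oracle's note), this Python script builds the special host.auth.… forward-map name described in the release note and checks an /etc/hosts fragment for either of the two name-service workarounds. The function names and the sample hosts text are constructed for illustration, and the IPv6 layout is an assumption based on the note's reference to RFC 3596.

```python
import ipaddress

# Constructed sample: the short name is listed first, as in the note's "before" line.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.11.12.13 foo loghost
"""

def auth_name(fqdn, ip):
    """Return the special forward-map name host.auth.<reversed address>.<arpa root>."""
    # reverse_pointer gives 13.12.11.10.in-addr.arpa for IPv4 and the RFC 3596
    # nibble form under ip6.arpa for IPv6 (IPv6 layout assumed, see lead-in).
    return f"{fqdn.rstrip('.')}.auth.{ipaddress.ip_address(ip).reverse_pointer}"

def parse_hosts(text):
    """Yield (address, names) for every active line of an /etc/hosts fragment."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2:
            yield fields[0], fields[1:]

def audit(hosts_text, fqdn, ip):
    """Check a hosts fragment for either name-service workaround for ip."""
    target = ipaddress.ip_address(ip)
    wanted = auth_name(fqdn, ip).lower()
    first_name, has_auth = None, False
    for addr, names in parse_hosts(hosts_text):
        try:
            if ipaddress.ip_address(addr) != target:
                continue
        except ValueError:
            continue  # first field is not an IP address
        lowered = [n.lower() for n in names]
        if first_name is None:
            first_name = lowered[0]  # the name listed first for this address
        has_auth = has_auth or wanted in lowered
    fqdn_first = first_name == fqdn.rstrip(".").lower()
    missing = not (has_auth or fqdn_first)
    return {
        "auth_entry": has_auth,    # workaround 1 present
        "fqdn_first": fqdn_first,  # workaround 2 present
        "suggested_line": f"{ip} {auth_name(fqdn, ip)}" if missing else None,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS, "foo.bar.com", "10.11.12.13"))
```

This is a static check of the file's contents only; the Java Console "socket access restriction" messages mentioned in the note remain the way to confirm what the plug-in actually saw.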