javascript classpath

[trpost]

I am using javascript to call a hidden applet and am getting a
javascript error "java.lang.Exception: java.lang.NoClassDefFoundError:
org/apache/commons/httpclient/HttpClient" If I comment out the alert
statement then the applet loads fine, but when I make a javascript call

it looks like it needs to be aware of the classpath. I have all my .jar

files in the right place for the applet (C:\Program
Files\Java\jre1.5.0_06\classes) because if I move them out of the
directory then the applet fails with a NoClassDefFoundError. Any ideas
where javascript is looking for a classpath??


<html>
<head>
<title>Http status code demo</title>
</head>


<body>
<script type="text/javascript">
function getStatusCode(uri)
{
return document.applets['statusApplet'].getStatusCode(uri);
}
</script>

<applet name="statusApplet" CODEBASE
="http://localhost/php/client/applet/Tst/"
code="StatusCodeApplet.class" width="0" height="0"
archive="commons-httpclient-3.0.jar;commons-codec-1.3.jar;commons-logging..j­­ar;commons-logging-api.jar"></applet>



<script type="text/javascript">
alert(getStatusCode("http://www.yahoo.com"));
</script>


</body>
</html>

 

[VK]

I am using javascript to call a hidden applet and am getting a
javascript error "java.lang.Exception: java.lang.NoClassDefFoundError:
org/apache/commons/httpclient/HttpClient" If I comment out the alert
statement then the applet loads fine, but when I make a javascript call

it looks like it needs to be aware of the classpath. I have all my .jar

files in the right place for the applet (C:\Program
Files\Java\jre1.5.0_06\classes) because if I move them out of the
directory then the applet fails with a NoClassDefFoundError. Any ideas
where javascript is looking for a classpath??


<html>
<head>
<title>Http status code demo</title>
</head>


<body>
<script type="text/javascript">
function getStatusCode(uri)
{
return document.applets['statusApplet'].getStatusCode(uri);
}
</script>

<applet name="statusApplet" CODEBASE
="http://localhost/php/client/applet/Tst/"
code="StatusCodeApplet.class" width="0" height="0"
archive="commons-httpclient-3.0.jar;commons-codec-1.3.jar;commons-logging.j­­ar;commons-logging-api.jar"></applet>



<script type="text/javascript">
alert(getStatusCode("http://www.yahoo.com"));
</script>


</body>
</html>

<applet> tag is deprecated in favor of <object> From the other side
<object> initialization is often disabled in IE6 because of a huge per
design security hole: thusly I don't dare to insist. But shouldn't be a
"mayscript" flag in your applet?
<applet .... mayscript>

 

[Randy Webb]

VK said the following on 5/11/2006 2:18 AM:

<applet> tag is deprecated in favor of <object> From the other side
<object> initialization is often disabled in IE6 because of a huge per
design security hole: thusly I don't dare to insist.

"because of a huge per design security hole"? You are implying that MS
intentionally - per design - put a security hole in IE? And, what is
that hole?

 

[Zif]

VK said the following on 5/11/2006 2:18 AM:



"because of a huge per design security hole"? You are implying that MS
intentionally - per design - put a security hole in IE?

Who knows what is implied? VK's answers are often so cryptic it's
either impossible to decipher the meaning, or so many are possible that
it's a lottery as to which was intended.

And, what is that hole?

Please don't offer encouragement! Perhaps your intention is to coax
more howlers, but I think you'll find more satisfaction in a crossword
puzzle or game of scrabble.

 

[Randy Webb]

Zif said the following on 5/11/2006 4:59 AM:

Who knows what is implied? VK's answers are often so cryptic it's
either impossible to decipher the meaning, or so many are possible that
it's a lottery as to which was intended.

Hence my request for clarification.

Please don't offer encouragement! Perhaps your intention is to coax
more howlers, but I think you'll find more satisfaction in a crossword
puzzle or game of scrabble.

It was curiosity and nothing more.

 

[trpost]

I tried using mayscript in the applet tag, but that made no difference.

 

[VK]

Zif said the following on 5/11/2006 4:59 AM:

Hence my request for clarification.


It was curiosity and nothing more.

If you are curious about software security, it's OT to c.l.j. IMHO.
slashdot.org and astalavista.com would be a place to start.

P.S. If you read ieblogs on MSDN, you may read out the main reason of
IE7 having XMLHttpRequest instead of ActiveXObject is "the ability to
use AJAX technics even with object activation disabled". I hope you
didn't think that Microsoft does it just because W3C just made the
first working draft of xmlhttp and they are in rush to compile with it?
Of course you did not.
The question you may ask yourselve why does Microsoft care of <object>
disabled customers. Is not it because there is too many of them? Yes it
is. And why so many of them?

To answer this question
1) get yourselve any Windows below XP SP2 with IE 5.x - 6.x installed.
Most probably you will have to reinstall it after, so backup well.
2) Install and activate any antivirus of your choice.
3) Go to Google and pretend to be a guy searching a crack for some
popular software: "X crack serial warez...."
4) Navigate to each page of search results one by one. Within 10-20
navigations max you will get a page-trap. A sign of it will be a
strangely long loading page with iframe-looking blank area in the
middle. It can be a a real virus or less harmful spyware or an adware -
that I cannot predict. I just predict that you'll get it - and that
your patented antivirus will be dead silent.

<http://secunia.com/advisories/16480>
If by some occasion you miss to find a "relevant" site, I can put a
harmless but working demo for you..

 

[VK]

I tried using mayscript in the applet tag, but that made no difference.

Actually it is *highly* unlikely that "java.lang.NoClassDefFoundError"
could be caused by Java <-> JavaScript interaction. This is a
compilation error, not a runtime error. Either your class name doesn't
match the .class file name, or you have a wrong MANIFEST, or something
like that. Please remove any JavaScript stuff, prepare a test case and
ask at <comp.lang.java.help>

I have a feeling that the actual Java error is too simple to bother
<comp.lang.java.programming> right now, but keep it as an option if the
first group will not be helpful.

 

[Randy Webb]

VK said the following on 5/12/2006 5:59 PM:

If you are curious about software security, it's OT to c.l.j. IMHO.
slashdot.org and astalavista.com would be a place to start.

Software security is off topic to c.l.j when it deals directly with HTML
and JS? Your thought processes amuse me sometimes.

P.S. If you read ieblogs on MSDN, you may read out the main reason of
IE7 having XMLHttpRequest instead of ActiveXObject is "the ability to
use AJAX technics even with object activation disabled". I hope you
didn't think that Microsoft does it just because W3C just made the
first working draft of xmlhttp and they are in rush to compile with it?
Of course you did not.

IE disabled the object activation as a result of EOLAS, it had nothing
to do with XMLHTTPRequest object. And I would fathom a guess that the
real reason they made XMLHTTPRequest a native Object in IE7 was the
ActiveX warning and nothing more. It works without ActiveX which can not
be said for IE6 and below.

The question you may ask yourselve why does Microsoft care of <object>
disabled customers. Is not it because there is too many of them? Yes it
is. And why so many of them?

MS disabled the EMBED tag recently, but only for ActiveX objects. The
reason was EOLAS but you won't find that anywhere on the MS site. The
page that explains the disabling also has a link to a page that explains
how to "defeat that security fix". So no, I don't trust a whole lot I
read on the MS site without testing it myself.

To answer this question
1) get yourselve any Windows below XP SP2 with IE 5.x - 6.x installed.

Why would I want an outdated antiquated non-patched IE? It has enough
holes in it patched.

<quote cite="VK THIS thread">
<object> initialization is often disabled in IE6 because of a huge per
design security hole: thusly I don't dare to insist.
</quote>

To which I replied:
<quote cite="Randy Webb THIS thread">
"because of a huge per design security hole"? You are implying that MS
intentionally - per design - put a security hole in IE?
</quote>

Which implies, to me anyway, that the security hole was by design. And I
asked you to back up that assumption. And to date, you have not done
anything remotely close to that other than to give me some scenario
about an outdated unpatched IE. I want to know what the security hole is
in IE6 XP SP2 that you are referring to, and nothing more.

 

[VK]

Software security is off topic to c.l.j when it deals directly with HTML
and JS? Your thought processes amuse me sometimes.

"deals directly with HTML and JS"? It deals with HTML as the initial
penetration point is marked by <object></object> tag. It has nothing to
do with JScript as it's not used for penetration and can be disabled
whatsoever. It is an exploration using binary coding. The topics even
if connected with HTML but not connected anyhow with JavaScript/JScript
are OT in c.l.j. IMHO

IE disabled the object activation as a result of EOLAS, it had nothing
to do with XMLHTTPRequest object.

As a result of EOLAS multimedia objects require initial user
interaction, but not disabled in the sense "not allowed to be
initialized". They are being initialized as before - if object
activation is not disabled all together in the current browser.

To which I replied:
<quote cite="Randy Webb THIS thread">
"because of a huge per design security hole"? You are implying that MS
intentionally - per design - put a security hole in IE?
</quote>

Which implies, to me anyway, that the security hole was by design. And I
asked you to back up that assumption. And to date, you have not done
anything remotely close to that other than to give me some scenario
about an outdated unpatched IE. I want to know what the security hole is
in IE6 XP SP2 that you are referring to, and nothing more.

I was repeatedly saying "if one has Windows **below** XP SP2". In SP2
the whole libraries were replaced to lock some known holes, so many
things work in an all new way. If you are willing to know about exploit
for XP SP2 or greater c.l.j. again is not a place to look for.