Java: Using Gson in an Applet causes SecurityException

I'm trying to use Google Gson in my Java Applet, but when I do I get

Exception in thread "Thread-19" java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:74) at com.google.gson.MappedObjectConstructor.getNoArgsConstructor(MappedObjectConstructor.java:85) at com.google.gson.MappedObjectConstructor.constructWithNoArgConstructor(MappedObjectConstructor.java:62) at com.google.gson.MappedObjectConstructor.construct(MappedObjectConstructor.java:53) at com.google.gson.JsonObjectDeserializationVisitor.constructTarget(JsonObjectDeserializationVisitor.java:40) at com.google.gson.JsonDeserializationVisitor.getTarget(JsonDeserializationVisitor.java:56) at com.google.gson.ObjectNavigator.accept(ObjectNavigator.java:109) at com.google.gson.JsonDeserializationContextDefault.fromJsonObject(JsonDeserializationContextDefault.java:73) at com.google.gson.JsonDeserializationContextDefault.deserialize(JsonDeserializationContextDefault.java:51) at com.google.gson.Gson.fromJson(Gson.java:495) at com.google.gson.Gson.fromJson(Gson.java:444) at com.google.gson.Gson.fromJson(Gson.java:396) at com.google.gson.Gson.fromJson(Gson.java:372) at org.jblux.client.network.GsonParser$1.run(GsonParser.java:32) at java.security.AccessController.doPrivileged(Native Method) at org.jblux.client.network.GsonParser.parseJson(GsonParser.java:36) at org.jblux.client.network.PlayerDataFactory.getDataFromBase64(PlayerDataFactory.java:36) at org.jblux.client.states.MainMenuState.update(MainMenuState.java:155) at java.util.Observable.notifyObservers(Observable.java:142) at org.jblux.client.network.ResponseWaiter.responseReceived(ResponseWaiter.java:33) at org.jblux.client.network.ServerListener.notify_observers(ServerCommunicator.java:236) at org.jblux.client.network.ServerListener.doCommand(ServerCommunicator.java:252) at org.jblux.client.network.ServerListener.run(ServerCommunicator.java:218)

There were two other related questions I found here.

GSON on Google App Engine throws a Security Exception

Reflection Permission problems when using the GSON library in a applet

But neither of them had an answer for me. One just said to not use Gson.

Is there any way to grant Reflection permission to my applet?

Update: I'm in the process of switching my application to use JNLP file and Java Web Start because I haven't been able to figure out how to make the Applet work. I'll leave this question open in case anybody figures it out, but using a JNLP m开发者_如何学运维ay be the only option if you don't want to give up Gson.

I solved this problem using a custom deserializer.

I had a class with two members, a timestamp and a list of doubles. This is the code that worked for me.

GsonBuilder gsonBuilder = new GsonBuilder();
    gsonBuilder.registerTypeAdapter(TimestampedValueList.class, new JsonDeserializer<TimestampedValueList>() {
        @Override
        public TimestampedValueList deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
            long timestampMs = json.getAsJsonObject().get("timestampMs").getAsLong();
            double[] valueList = context.deserialize(json.getAsJsonObject().get("valueList"), double[].class);
            return new TimestampedValueList(timestampMs, valueList);
        }
    });
gson = gsonBuilder.create();

Hope this can help anyone!

I have found the answer here.

System.setSecurityManager(null);

Adding to static main helped me. Of course, all-permissions in jnlp and so on must be.

Further to @Chrizzz, I'm doing two way command object exchange between a Java web server and an unsigned applet. As such I am using both Gson toJson() and fromJson() within my applet code.

I've found that both deserialization and serialization in an unsigned applet throw security exceptions and that implementing custom serializers and deserializers can work-around those problems.

The biggest pain is not being able emulate the applet environment (SecurityManager) for Unit testing. It seems that there are no frameworks available to do this: see e.g. How to unit test Java code that is expected to run within an applet Security Manager