authorAndrew Azores <[email protected]>2013-12-03 11:43:04 -0500
committerAndrew Azores <[email protected]>2013-12-03 11:43:04 -0500
commitcbc64258778ec40e63357bbad93ad932eaed5c0d (patch)
tree901f43fd9f7b6ee2595c1b79a3b84564a2fbc5a8
parent90705ffaa37c62b720865cc8377b2f63f6be92e2 (diff)
Tests for PR1592
-rw-r--r--ChangeLog24
-rw-r--r--tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java145
-rw-r--r--tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java159
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp61
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp61
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp61
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp61
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp61
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp61
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html52
-rw-r--r--tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java89
11 files changed, 835 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index b06d766..555934a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,29 @@
2013-12-03 Andrew Azores <[email protected]>
+ Tests for PR1592.
+ * tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java:
+ new tests for per-JAR applet security
+ * tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html:
+ same
+ * tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java:
+ same
+
+2013-12-03 Andrew Azores <[email protected]>
+
Fix/new feature for PR1592. Each JAR in partially signed applets is
assigned its own security level, rather than forcing the entire applet to
run sandboxed.
diff --git a/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java b/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java
new file mode 100644
index 0000000..1c55f19
--- /dev/null
+++ b/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java
@@ -0,0 +1,145 @@
+/* MixedSigningAppletSigned.java
+Copyright (C) 2013 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+package com.redhat.mixedsigning.signed;
+import java.applet.Applet;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.ArrayList;
+import java.util.List;
+
+/* See also simple/MixedSigningApplet */
+public class MixedSigningAppletSigned extends Applet {
+
+ @Override
+ public void init() {
+ System.out.println("MixedSigningAppletSigned applet started. testName: " + getParameter("testName"));
+ Method m = null;
+ try {
+ m = this.getClass().getMethod(getParameter("testName"));
+ final String result = (String) m.invoke(this);
+ System.out.println(result);
+ } catch (Exception e) {
+ e.printStackTrace();
+ } finally {
+ System.out.println("*** APPLET FINISHED ***");
+ }
+ }
+
+ public String testNonPrivilegedAction() {
+ return new HelperMethodCall<String>().method("help").call();
+ }
+
+ // Should succeed
+ public String testSignedReadProperties() {
+ return System.getProperty("user.home");
+ }
+
+ // Should result in AccessControlException
+ public String testUnsignedReadProperties() {
+ return new HelperMethodCall<String>().type(String.class).method("getProperty").arg("user.home").call();
+ }
+
+ // Should result in AccessControlException
+ public String testSignedExportPropertiesToUnsigned() {
+ return new HelperMethodCall<String>().type(String.class).method("getPropertyFromSignedJar").arg("user.home").call();
+ }
+
+ // Should result in AccessControlException
+ public String testUnsignedAttacksSigned() {
+ return new HelperMethodCall<String>().method("attack").call();
+ }
+
+ // Should result in InvocationTargetException (due to AccessControlException)
+ public String testUnsignedReflectionAttack() {
+ return new HelperMethodCall<String>().method("reflectiveAttack").call();
+ }
+
+ public String calledByReflection() {
+ return System.getProperty("user.home");
+ }
+
+ public static String getProperty(String prop) {
+ return System.getProperty(prop);
+ }
+
+ private static class HelperMethodCall<T> {
+
+ private String methodName;
+ private final List<Class<?>> methodSignature;
+ private final List<String> args;
+
+ public HelperMethodCall() {
+ methodSignature = new ArrayList<Class<?>>();
+ args = new ArrayList<String>();
+ }
+
+ public HelperMethodCall<T> method(String methodName) {
+ this.methodName = methodName;
+ return this;
+ }
+
+ public HelperMethodCall<T> type(Class<?> methodSignature) {
+ this.methodSignature.add(methodSignature);
+ return this;
+ }
+
+ public HelperMethodCall<T> arg(String arg) {
+ this.args.add(arg);
+ return this;
+ }
+
+ public T call() {
+ try {
+ Class<?> helper = Class.forName("com.redhat.mixedsigning.helper.MixedSigningAppletHelper");
+ Method m;
+ if (this.methodSignature == null) {
+ m = helper.getMethod(this.methodName);
+ } else {
+ m = helper.getMethod(this.methodName, this.methodSignature.toArray(new Class<?>[methodSignature.size()]));
+ }
+ Object[] params = args.toArray(new String[args.size()]);
+ @SuppressWarnings("unchecked")
+ T result = (T) m.invoke(null, params);
+ return result;
+ } catch (Exception e) {
+ e.printStackTrace();
+ return null;
+ }
+ }
+ }
+}
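Review bot: `init()` passes the page-supplied `testName` parameter straight to `getClass().getMethod(...)` and invokes the result, so in this signed JAR any public zero-argument method, including ones inherited from `Applet` and its superclasses, can be selected by whoever writes the page or JNLP. That is tolerable for a reproducer, but a guard at the top of the `try` block such as `if (name == null || !name.startsWith("test")) return;` (with `name` holding the parameter) would limit dispatch to the test methods while the `finally` still prints the closing string. A comment marking the dispatch as test-only would also keep the pattern from being copied into real signed code. Separately, in `HelperMethodCall.call()` the `this.methodSignature == null` branch is unreachable, because the field is final and the constructor assigns it an empty list; the `else` path already covers the no-argument case, so the branch can be dropped.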
diff --git a/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java b/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java
new file mode 100644
index 0000000..f5c8bf0
--- /dev/null
+++ b/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java
@@ -0,0 +1,159 @@
+/* MixedSigningAppletSignedTests.java
+Copyright (C) 2013 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+import net.sourceforge.jnlp.ProcessResult;
+import net.sourceforge.jnlp.ServerAccess.AutoClose;
+import net.sourceforge.jnlp.annotations.KnownToFail;
+import net.sourceforge.jnlp.annotations.NeedsDisplay;
+import net.sourceforge.jnlp.annotations.TestInBrowsers;
+import net.sourceforge.jnlp.browsertesting.BrowserTest;
+import net.sourceforge.jnlp.browsertesting.Browsers;
+import net.sourceforge.jnlp.closinglisteners.AutoOkClosingListener;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+
+/* See also simple/MixedSigningApplet */
+public class MixedSigningAppletSignedTests extends BrowserTest {
+
+ private static final String appletCloseString = AutoOkClosingListener.MAGICAL_OK_CLOSING_STRING;
+ private static final String userHome = System.getProperty("user.home");
+
+ @NeedsDisplay
+ // @Test
+ @TestInBrowsers(testIn={Browsers.one})
+ public void testNonPrivilegedAction() throws Exception {
+ ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testNonPrivilegedAction", AutoClose.CLOSE_ON_CORRECT_END);
+ assertTrue("stdout should contain MixedSigningApplet Applet Running but did not", pr.stdout.contains("MixedSigningApplet Applet Running"));
+ assertCloseString(pr);
+ }
+
+ @NeedsDisplay
+ // @Test
+ @TestInBrowsers(testIn={Browsers.one})
+ public void testUnsignedReadProperties() throws Exception {
+ ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testUnsignedReadProperties", AutoClose.CLOSE_ON_CORRECT_END);
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @NeedsDisplay
+ // @Test
+ @TestInBrowsers(testIn={Browsers.one})
+ public void testSignedReadProperties() throws Exception {
+ ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testSignedReadProperties", AutoClose.CLOSE_ON_CORRECT_END);
+ assertTrue("stdout should contain " + userHome + " but did not", pr.stdout.contains(userHome));
+ assertCloseString(pr);
+ }
+
+ @NeedsDisplay
+ // @Test
+ @TestInBrowsers(testIn={Browsers.one})
+ public void testSignedExportPropertiesToUnsigned() throws Exception {
+ ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testSignedExportPropertiesToUnsigned", AutoClose.CLOSE_ON_CORRECT_END);
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @NeedsDisplay
+ // @Test
+ @TestInBrowsers(testIn={Browsers.one})
+ public void testUnsignedAttacksSigned() throws Exception {
+ ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testUnsignedAttacksSigned", AutoClose.CLOSE_ON_CORRECT_END);
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @NeedsDisplay
+ // @Test
+ @TestInBrowsers(testIn={Browsers.one})
+ public void testUnsignedReflectionAttack() throws Exception {
+ ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testUnsignedReflectionAttack", AutoClose.CLOSE_ON_CORRECT_END);
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @Test
+ public void testNonPrivilegedActionJNLP() throws Exception {
+ ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-1.jnlp");
+ assertTrue("stdout should contain MixedSigningApplet Applet Running but did not", pr.stdout.contains("MixedSigningApplet Applet Running"));
+ assertCloseString(pr);
+ }
+
+ @Test
+ public void testUnsignedReadPropertiesJNLP() throws Exception {
+ ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-2.jnlp");
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @Test
+ public void testSignedReadPropertiesJNLP() throws Exception {
+ ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-3.jnlp");
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @Test
+ public void testSignedExportPropertiesToUnsignedJNLP() throws Exception {
+ ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-4.jnlp");
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @Test
+ public void testUnsignedAttacksSignedJNLP() throws Exception {
+ ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-5.jnlp");
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ @Test
+ public void testUnsignedReflectionAttackJNLP() throws Exception {
+ ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-6.jnlp");
+ assertAccessControlException(pr);
+ assertCloseString(pr);
+ }
+
+ private static void assertAccessControlException(ProcessResult pr) {
+ assertTrue("stderr should contain AccessControlException but did not", pr.stderr.contains("AccessControlException"));
+ }
+
+ private static void assertCloseString(ProcessResult pr) {
+ assertTrue("stdout should contain " + appletCloseString + " but did not", pr.stdout.contains(appletCloseString));
+ }
+}
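Review bot: The denial tests (`testUnsignedReadProperties`, `testSignedExportPropertiesToUnsigned`, `testUnsignedAttacksSigned`, `testUnsignedReflectionAttack` and their JNLP variants) pass whenever stderr contains the text `AccessControlException`, and none of them checks that the protected value stayed out of the output. Adding `assertFalse("stdout should not contain " + userHome, pr.stdout.contains(userHome));` to each would pin the actual security property rather than the presence of some exception. `testSignedReadPropertiesJNLP` expects an AccessControlException, while the browser variant and the applet's `// Should succeed` comment expect the property to be readable; if that is because the JNLP files request no permissions, a comment should say so, otherwise the assertion looks inverted. The six browser tests also have `@Test` commented out with no explanation, and the imported `KnownToFail` is unused.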
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp
new file mode 100644
index 0000000..e79de8d
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp
@@ -0,0 +1,61 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="MixedSigningApplet.jnlp" codebase=".">
+ <information>
+ <title>MixedSigningApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test per-JAR security assignment and permissions</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="MixedSigningAppletSigned.jar"/>
+ <jar href="MixedSigningApplet.jar"/>
+ </resources>
+ <applet-desc
+ documentBase="."
+ name="AppletTest"
+ main-class="com.redhat.mixedsigning.signed.MixedSigningAppletSigned"
+ width="100"
+ height="100">
+ <param name="testName" value="testNonPrivilegedAction"/>
+ </applet-desc>
+ </application-desc>
+</jnlp>
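Review bot: The document is not well-formed XML: the licence comment precedes the `<?xml ...?>` declaration, which must be the first thing in the file, and `</application-desc>` closes an element that was never opened (the body uses `<applet-desc>`). Moving the comment below the declaration and deleting the stray `</application-desc>` line fixes both; the same two problems appear in MixedSigningApplet-2.jnlp through MixedSigningApplet-6.jnlp. The `href="MixedSigningApplet.jnlp"` attribute also names a file this commit does not add, so it probably should be the file's own name. None of the six files carries a `<security>` element, so a comment stating which permission level the signed JAR is expected to get under javaws would help, since the test expectations depend on it.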
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp
new file mode 100644
index 0000000..0fb1c99
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp
@@ -0,0 +1,61 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="MixedSigningApplet.jnlp" codebase=".">
+ <information>
+ <title>MixedSigningApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test per-JAR security assignment and permissions</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="MixedSigningAppletSigned.jar"/>
+ <jar href="MixedSigningApplet.jar"/>
+ </resources>
+ <applet-desc
+ documentBase="."
+ name="AppletTest"
+ main-class="com.redhat.mixedsigning.signed.MixedSigningAppletSigned"
+ width="100"
+ height="100">
+ <param name="testName" value="testUnsignedReadProperties"/>
+ </applet-desc>
+ </application-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp
new file mode 100644
index 0000000..5799007
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp
@@ -0,0 +1,61 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="MixedSigningApplet.jnlp" codebase=".">
+ <information>
+ <title>MixedSigningApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test per-JAR security assignment and permissions</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="MixedSigningAppletSigned.jar"/>
+ <jar href="MixedSigningApplet.jar"/>
+ </resources>
+ <applet-desc
+ documentBase="."
+ name="AppletTest"
+ main-class="com.redhat.mixedsigning.signed.MixedSigningAppletSigned"
+ width="100"
+ height="100">
+ <param name="testName" value="testSignedReadProperties"/>
+ </applet-desc>
+ </application-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp
new file mode 100644
index 0000000..6975138
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp
@@ -0,0 +1,61 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="MixedSigningApplet.jnlp" codebase=".">
+ <information>
+ <title>MixedSigningApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test per-JAR security assignment and permissions</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="MixedSigningAppletSigned.jar"/>
+ <jar href="MixedSigningApplet.jar"/>
+ </resources>
+ <applet-desc
+ documentBase="."
+ name="AppletTest"
+ main-class="com.redhat.mixedsigning.signed.MixedSigningAppletSigned"
+ width="100"
+ height="100">
+ <param name="testName" value="testSignedExportPropertiesToUnsigned"/>
+ </applet-desc>
+ </application-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp
new file mode 100644
index 0000000..2c1f11c
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp
@@ -0,0 +1,61 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="MixedSigningApplet.jnlp" codebase=".">
+ <information>
+ <title>MixedSigningApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test per-JAR security assignment and permissions</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="MixedSigningAppletSigned.jar"/>
+ <jar href="MixedSigningApplet.jar"/>
+ </resources>
+ <applet-desc
+ documentBase="."
+ name="AppletTest"
+ main-class="com.redhat.mixedsigning.signed.MixedSigningAppletSigned"
+ width="100"
+ height="100">
+ <param name="testName" value="testUnsignedAttacksSigned"/>
+ </applet-desc>
+ </application-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp
new file mode 100644
index 0000000..789a3cc
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp
@@ -0,0 +1,61 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="MixedSigningApplet.jnlp" codebase=".">
+ <information>
+ <title>MixedSigningApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test per-JAR security assignment and permissions</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="MixedSigningAppletSigned.jar"/>
+ <jar href="MixedSigningApplet.jar"/>
+ </resources>
+ <applet-desc
+ documentBase="."
+ name="AppletTest"
+ main-class="com.redhat.mixedsigning.signed.MixedSigningAppletSigned"
+ width="100"
+ height="100">
+ <param name="testName" value="testUnsignedReflectionAttack"/>
+ </applet-desc>
+ </application-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html
new file mode 100644
index 0000000..6fe11d7
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html
@@ -0,0 +1,52 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<html>
+ <head></head>
+ <body>
+ <applet code="com.redhat.mixedsigning.signed.MixedSigningAppletSigned.class"
+ archive="MixedSigningAppletSigned.jar,MixedSigningApplet.jar"
+ codebase="."
+ width="640"
+ height="480">
+ <script language="javascript" type="text/javascript">
+ var testName = window.location.search.substring(1);
+ document.write("<param name='testName' value='" + testName + "'>");
+ </script>
+ </applet>
+ </body>
+</html>
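Review bot: The inline script on the `document.write` line concatenates `window.location.search` into the `<param>` markup without escaping or validation, so a query string containing a quote or angle bracket alters the page structure instead of only setting `testName`. Since the value is only meant to be a test method name, restrict it before writing, e.g. `if (!/^\w+$/.test(testName)) testName = "";`, which keeps the page safe on any server that hosts the reproducers. A short comment above the script stating that the test name is taken from the query string would also help readers of the test cases.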
diff --git a/tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java b/tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java
new file mode 100644
index 0000000..939205d
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java
@@ -0,0 +1,89 @@
+/* MixedSigningAppletHelper.java
+Copyright (C) 2013 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+package com.redhat.mixedsigning.helper;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+/* See also signed/MixedSigningAppletSigned */
+public class MixedSigningAppletHelper {
+
+ public static String help() {
+ return "MixedSigningApplet Applet Running";
+ }
+
+ public static String getProperty(String prop) {
+ return System.getProperty(prop);
+ }
+
+ public static String getPropertyFromSignedJar(String prop) {
+ try {
+ Class<?> signedAppletClass = Class.forName("com.redhat.mixedsigning.signed.MixedSigningAppletSigned");
+ Method m = signedAppletClass.getMethod("getProperty", String.class);
+ String result = (String) m.invoke(null, prop);
+ return result;
+ } catch (Exception e) {
+ e.printStackTrace();
+ return e.toString();
+ }
+ }
+
+ public static String attack() {
+ try {
+ Class<?> signedAppletClass = Class.forName("com.redhat.mixedsigning.signed.MixedSigningAppletSigned");
+ Method m = signedAppletClass.getMethod("getProperty", String.class);
+ String result = (String) m.invoke(signedAppletClass.newInstance(), "user.home");
+ return result;
+ } catch (Exception e) {
+ e.printStackTrace();
+ return e.toString();
+ }
+ }
+
+ public static String reflectiveAttack() {
+ String result = null;
+ try {
+ Object signedApplet = Class.forName("com.redhat.mixedsigning.signed.MixedSigningAppletSigned").newInstance();
+ Method getProp = signedApplet.getClass().getMethod("calledByReflection");
+ result = (String)getProp.invoke(signedApplet);
+ } catch (Exception e) {
+ e.printStackTrace();
+ result = e.toString();
+ }
+ return result;
+ }
+}
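Review bot: The three reflective methods (`getPropertyFromSignedJar`, `attack`, `reflectiveAttack`) catch `Exception` and return `e.toString()`, but a denial thrown inside the invoked method arrives wrapped in `InvocationTargetException`, so the returned string presumably names only the wrapper and not the underlying security exception. `InvocationTargetException` is imported but never used, which suggests a dedicated handler was intended: `} catch (InvocationTargetException e) { return String.valueOf(e.getCause()); }` ahead of the general catch. How the test cases match on the returned string is not visible in this hunk, so confirm the expected text against MixedSigningAppletSignedTests. Each method would also benefit from a one-line comment stating whether the call is expected to be denied or permitted under per-JAR permissions.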