Access problem with applet - why is a POST to a servlet not allowed via applet?

I have a written a servlet, pretty standard, which provides a jsp file.

I have an applet embedded in the jsp file with applet which performs this code on a button press:

String data = "";
    	URL url2 = null;;
    	try {
    	    url2 = new URL("http://localhost:8080/chatserver/chat.jsp");
            data = URLEncoder.encode("register", "UTF-8") + "=" + URLEncoder.encode("3331", "UTF-8");
    	} catch(MalformedURLException ex) {
    		ex.printStackTrace();
    	}
        catch(UnsupportedEncodingException ex) {
        	ex.printStackTrace();
        }
        String charset = "UTF-8";
    	URLConnection connection = null;
	try {
             connection = url2.openConnection();
	} catch (IOException e) {
		e.printStackTrace();
	}

if(connection != null) {
    	     connection.setDoOutput(true); // Triggers POST.
    	     connection.setRequestProperty("Accept-Charset", charset);
    	     connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + charset);
    	     OutputStreamWriter output = null;
    	     try {
    		output = new OutputStreamWriter(connection.getOutputStream());
                output.write(data);
                output.flush();        
    	     } catch(IOException ex) {
    		   System.out.println("connection exception " + ex.getMessage() != null ? ex.getMessage() : "");
    	     } finally {
    	          if (output != null) try { output.close(); } catch (IOException logOrIgnore) {}
    	     } 	
        }

This code works fine if in a standard Java program but if in the applet I get this error:

appletviewer chat.jsp
Exception in thread "AWT-EventQueue-1" java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:8080" "connect,resolve")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
at java.security.AccessController.checkPermission(AccessController.java:555)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:456)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:203)
at sun.net.www.http.HttpClient.New(HttpClient.java:290)
at sun.net.www.http.HttpClient.New(HttpClient.java:306)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:995)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:931)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:849)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090)
at cubaapplet.DoIt(cubaapplet.java:92)
at cubaapplet.actionPerformed(cubaapplet.java:27)
at java.awt.Button.processActionEvent(Button.java:409)
at java.awt.Button.processEvent(Button.java:377)
at java.awt.Component.dispatchEventImpl(Component.java:4861)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:723)
at java.awt.EventQueue.access$200(EventQueue.java:103)
at java.awt.EventQueue$3.run(EventQueue.java:682)
at java.awt.EventQueue$3.run(EventQueue.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:696)
at java.awt.EventQueue$4.run(EventQueue.java:694)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:693)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:244)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:163)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:151)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:147)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:139)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:97)

Do I have to perform the POST differently in an applet?

Is there any way I can POST data to the servlet using an applet?

Applet security only allows unsigned applets to connect to the server where the applet was downloaded from.

Your code doesn't do that, it tries to post to a server running on localhost. You can find out the applet's host by starting with the URL returned from the getDocumentBase() method.

Paul Clapham wrote:Applet security only allows unsigned applets to connect to the server where the applet was downloaded from.

Your code doesn't do that, it tries to post to a server running on localhost. You can find out the applet's host by starting with the URL returned from the getDocumentBase() method.

The servlet is running on localhost - so it is the host that the applet came from.

Do you think if I get the url from getDocumentBase() I might get different behaviour?

If I change code to this:

I get in console printed:
url2: file:/C:/Users/angus/workspace/TestApplet/bin/cubaapplet1350599669053.html

I think eclipse generates this html file. But why file:// and not http:// - maybe I should try in a real browser - might be different?

Yes, I do. And I don't think you want "localhost" to be hard-coded in your applet anyway, in real life the applet is going to be loaded from some other machine.

Paul Clapham wrote:Yes, I do. And I don't think you want "localhost" to be hard-coded in your applet anyway, in real life the applet is going to be loaded from some other machine.

Yes of course. This is test code. I hope that as long as I POST to the web server which hosted the applet then I should not get security problems. After all if I was to do this in Javascript instead it would surely work?

I don't see what Javascript has to do with anything. The applet security model doesn't apply to Javascript.

(There are rules against cross-site scripting for Javascript, too, but as I said that's irrelevant to your present problem.)