Details
- Bug
- Resolution: Duplicate
- Major
- None
- 1.0.7
- None
- All os, all browsers.
Description
I have a signed applet embedded in a web page.
The applet jar includes:
slf4j-api-1.7.1.jar
logback-classic-1.0.7.jar
logback-core-1.0.7.jar
This sample code is called from JavaScript (without elevated privileges):
public void foo() {
    try {
        bar(); // always throws, so the catch block below logs the exception
    } catch (Exception e) {
        LoggerFactory.getLogger("TestTraceApp").error("Exception caught", e);
    }
}

private void bar() throws Exception {
    throw new Exception("text");
}
It creates a lot of "trash" in the java console (see attached javaconsole.txt).
The bug seems to be in:
ch.qos.logback.classic.spi.PackagingDataCalculator.bestEffortLoadClass():
This method tries to call Class.forName() => which requires permissions which the applet does not have.
And in case of exception the code falls back to:
"240 e.printStackTrace(); // this is unexpected"
And the stack trace is displayed for each initial exception frame.
Solutions:
1. Catch AccessControlException and simply return null as we have no rights to call Class.forName() => safest and simplest solution.
2. Call Class.forName() inside an AccessController.doPrivileged() call => but security impacts must be studied.
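Solution 1 from the report, as an added example (not the reporter's code and not logback's implementation): a best-effort class lookup that treats a security denial like "class not found" and returns null instead of printing a stack trace per frame. The class name BestEffortLoadDemo, the DenyingLoader stand-in for the sandboxed applet loader, and the method signature are assumptions made for this illustration.

```java
public class BestEffortLoadDemo {

    /** Hypothetical stand-in for a sandboxed applet class loader: denies every lookup. */
    static class DenyingLoader extends ClassLoader {
        @Override
        public Class<?> loadClass(String name) throws ClassNotFoundException {
            // Constructed denial, simulating the missing permission described in the report.
            throw new SecurityException("access denied (constructed for this demo): " + name);
        }
    }

    /**
     * Best-effort lookup used only to enrich a stack trace with packaging data.
     * Any failure, including a security denial, yields null so that the caller
     * can simply omit the packaging information for that frame.
     */
    static Class<?> bestEffortLoadClass(ClassLoader loader, String className) {
        if (loader == null) {
            return null;
        }
        try {
            // initialize=false: we only need the Class object, no static initializers.
            return Class.forName(className, false, loader);
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return null; // class is not visible from this loader
        } catch (SecurityException e) {
            // AccessControlException is a subclass of SecurityException.
            // We lack the rights to load the class: stay silent and degrade,
            // rather than calling e.printStackTrace() once per frame.
            return null;
        }
    }

    public static void main(String[] args) {
        ClassLoader normal = BestEffortLoadDemo.class.getClassLoader();
        ClassLoader sandboxed = new DenyingLoader();

        System.out.println("visible class:  " + bestEffortLoadClass(normal, "java.lang.String"));
        System.out.println("missing class:  " + bestEffortLoadClass(normal, "no.such.Type"));
        System.out.println("denied lookup:  " + bestEffortLoadClass(sandboxed, "java.lang.String"));
    }
}
```

Unlike solution 2, this approach never runs the lookup with the library's own privileges, so it does not widen what unprivileged callers can cause the signed code to load.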
Attachments
Issue Links
- duplicates: LOGBACK-880 AccessControlException when logback tries to execute PackagingDataCalculator.populateFrames(..) (Open)