To prevent DNS spoofing (see #4155463), every connection made by an applet or application is required to perform a reverse DNS lookup to obtain both the host name and the IP address, so that the security check in Java 2 is done properly. However, this causes a lot of problems for many users, because some of them do not have DNS set up properly. Even worse, if they try to connect to an external web server through a proxy, Java requires their applets/applications to resolve the external host name through their internal DNS server, which fails in most cases.
To work around this problem, the Java property "trustProxy" was introduced: when it is enabled, applets/applications can work with external web servers. However, in JDK 1.2/1.3 the trustProxy setting no longer works. The problem is in java.net.SocketPermission's impliesIgnoreMask method:
    boolean impliesIgnoreMask(SocketPermission that) {
        int i,j;
        if ((that.mask & RESOLVE) != that.mask) {
            // check port range
            if ((that.portrange[0] < this.portrange[0]) ||
                (that.portrange[1] > this.portrange[1])) {
                return false;
            }
        }
        // allow a "*" wildcard to always match anything
        if (this.wildcard && this.getName().equals("*"))
            return true;
        // return if either one of these NetPerm objects are invalid...
        if (this.invalid || that.invalid) {
            if (!trustProxy)
                return false;
            // if we trust the proxy, we see if the original names/IPs passed
            // in were equal.
            String thisHost = getName();
            String thatHost = that.getName();
            int sep = thisHost.indexOf(':');
            if (sep != -1)
                thisHost = thisHost.substring(0, sep);
            sep = thatHost.indexOf(':');
            if (sep != -1)
                thatHost = thatHost.substring(0, sep);
            if (thisHost == null)
                return false;
            else
                return thisHost.equalsIgnoreCase(thatHost);
        }
        ...............
The field "invalid" records whether the host name could not be resolved through a DNS lookup. However, SocketPermission defers the DNS lookup until it is actually needed. By the time impliesIgnoreMask is called, the lookup may not have happened yet, so the "invalid" field does not reflect the real state and still holds its default value of false. As a result, the trustProxy branch is never executed, and the trustProxy property has no effect in SocketPermission.
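The following is an added, self-contained model of the ordering problem described above; it is not JDK code. The `Perm` class, the table-backed `Resolver`, and the host names are constructed for the example, and `impliesFixed` shows one possible corrected ordering (an assumption of this example, not the fix shipped in the JDK): trigger the deferred lookup before consulting the `invalid` flag, so that the trustProxy comparison actually runs for unresolvable hosts.

```java
import java.util.Map;

// Added example, not JDK code: a stripped-down model of SocketPermission's
// deferred DNS resolution, showing why `invalid` is still false when the
// implies check runs, and an alternative ordering that resolves first.
public class LazyPermissionModel {

    /** Simulated resolver: returns the IP for a name, or null when DNS fails. */
    interface Resolver { String resolve(String host); }

    /** Constructed lookup table standing in for an internal DNS server. */
    static final Map<String, String> INTERNAL_DNS = Map.of(
        "intranet.example", "10.0.0.5");

    static final Resolver DNS = host -> INTERNAL_DNS.get(host);

    /** Models the "trustProxy" property. */
    static boolean trustProxy = false;

    static final class Perm {
        final String name;      // host name as granted / requested
        String ip;              // filled in by deferred resolution
        boolean resolved;       // has getIP() run yet?
        boolean invalid;        // set only by getIP(), as in the JDK
        Perm(String name) { this.name = name; }

        /** Deferred resolution, modelled on SocketPermission's lazy lookup. */
        String getIP() {
            if (!resolved) {
                resolved = true;
                ip = DNS.resolve(name);
                if (ip == null) invalid = true;
            }
            return ip;
        }
    }

    /** Ordering from the bug report: `invalid` is read before any lookup. */
    static boolean impliesBuggy(Perm granted, Perm requested) {
        if (granted.invalid || requested.invalid) {
            if (!trustProxy) return false;
            return granted.name.equalsIgnoreCase(requested.name);
        }
        // Falls through to the IP comparison; resolution fails here instead,
        // so the trustProxy branch above was never taken.
        String a = granted.getIP(), b = requested.getIP();
        return a != null && a.equals(b);
    }

    /** Assumed corrected ordering: force the deferred lookup first. */
    static boolean impliesFixed(Perm granted, Perm requested) {
        granted.getIP();
        requested.getIP();
        if (granted.invalid || requested.invalid) {
            if (!trustProxy) return false;
            return granted.name.equalsIgnoreCase(requested.name);
        }
        return granted.ip.equals(requested.ip);
    }

    public static void main(String[] args) {
        trustProxy = true;
        // External host that the internal DNS cannot resolve.
        Perm g = new Perm("www.external.example");
        Perm r = new Perm("www.external.example");
        System.out.println("buggy, unresolvable host, trustProxy=true: " + impliesBuggy(g, r));
        System.out.println("fixed, unresolvable host, trustProxy=true: "
            + impliesFixed(new Perm("www.external.example"), new Perm("www.external.example")));
        // Resolvable host: both orderings agree.
        System.out.println("fixed, resolvable host: "
            + impliesFixed(new Perm("intranet.example"), new Perm("intranet.example")));
    }
}
```

With trustProxy enabled, `impliesBuggy` still rejects the unresolvable external host because the `invalid` flag is only set inside `getIP()`, which runs after the flag has already been tested; `impliesFixed` resolves first and therefore reaches the name comparison the property was meant to enable.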
Supporting the trustProxy setting is extremely important to Java Plug-in. As Java Plug-in will be bundled with Communicator 6.0, we will probably enable the trustProxy setting for Communicator. Without a fix for this problem, any Internet user may run into it with the APPLET tag in the browser, and it will prevent them from using Java 2 in browsers.
- duplicates
  - JDK-4320895 SocketPermision.implies broken when IP not accessible (Closed)
  - JDK-4326519 AccessControlException thrown for permission which was granted to all (Closed)
- relates to
  - JDK-4323955 Rresource loading from a jar fails if hostname resolution fails (Closed)