Bug
Resolution: Fixed
P3
5.0
b50
generic
generic
The following captures a discussion between Dennis/Stanley/myself
about a bug that was reported to webbugs and java-security.
Dennis asked that I file the bug.
###@###.### 2004-04-15
>> This is webbug incident 239640, which was deleted as "Incomplete bug
>> submission".
>>
>> If you file a bug, can you let the cu know, or if you want, I can
>> respond to the cu.
>>
>> Brad
>>
>> Stanley Man-Kit Ho wrote:
>
>>> >
>>> > This looks like a doPrivileged() block is missing from DialogFactory
>>> > code path. Dennis, could you look into it?
>>> >
>>> > Stanley
>>> >
>>> >
>>> > Brad Wetmore wrote:
>>> >
>>
>>>> >> This just came over the java-security feedback alias, I told him I
>>>> >> would make sure the Web Start team gets it.
>>>> >>
>>>> >> Brad
>>>> >>
>>>> >>
>>>> >>
>>>> >> -------- Original Message --------
>>>> >>
>>>> >> Date: Mon, 12 Apr 2004 07:58:16 -0400
>>>> >> From: ###@###.### (John D. Ramsdell)
>>>> >> Subject: JAVASEC -- No key store access for SSL in Java Web Start
>>>> >> applications
>>>> >> To: ###@###.###
>>>> >>
>>>> >>
>>>> >> I'm trying to integrate a Java Web Start client for instant messaging
>>>> >> <http://simp.mitre.org> with my company's PKI. This note describes
>>>> >> the problems I am having with the integration using a stripped down
>>>> >> system called TLS Test to model the real system.
>>>> >>
>>>> >> I'm running the TLS Test client using Java Web Start on 1.5.0-beta on
> >> Windows 2000. The client is being downloaded using HTTPS on port
> >> 8443, and the client is attempting to make an SSL connection back to
> >> the same host on 7468. I'm using the SSL socket factory from the
> >> HttpsURLConnection class. The problem occurs when both servers are
> >> using only server-side authentication, but the intended configuration
> >> requires client-side authentication for all SSL connections.
> >>
> >> Java Web Start is able to use the server certificate installed into
> >> IE's key store to download the client. This certificate does not
> >> appear to be available for use by the SSL socket factory given to the
> >> Java Web Start application, or rather, attempts by the application to
> >> create a dialog to ask permission to trust some key appear to be
> >> blocked. Furthermore, both attempts to start the application and open
> >> the socket are interrupted by a weird JScript runtime error. Where is
> >> that coming from?
> >>
> >> The sources to the program that generates this error are enclosed.
> >>
> >> Here is a step-by-step description of the problem:
> >>
> >> 1. Click and download Java Web Start Client.
> >>
> >> 2. Microsoft JScript runtime error pop up says: Object expected
> >>
> >> 3. Clicking OK allows the Java Web Start console to pop up and then
> >> the application's login window.
> >>
> >> 4. The last line in the console at this time is:
> >>
> >> Ignored exception: java.lang.IllegalArgumentException
> >>
> >> 5. Entering information into the login panel invokes the same pop up:
> >>
> >> Microsoft JScript runtime error pop up says: Object expected.
> >>
> >> 6. Clicking OK creates an SSL connection derived from the following
> >> factory:
> >>
> >> HttpsURLConnection.getDefaultSSLSocketFactory()
> >>
> >> 7. Console contains a permission exception, that seems to be
> >> associated with getting to IE's key store.
> >>
> >> -------------- console panel running on Windows 2000 ---------------
> >> javaws-1.5.0-beta
> >> Using JRE version 1.5.0-beta Java HotSpot(TM) Client VM
> >> User home directory = C:\Documents and Settings\Administrator
> >> ----------------------------------------------------
> >> c: clear console window
> >> f: finalize objects on finalization queue
> >> g: garbage collect
> >> h: display this help message
> >> m: print memory usage
> >> o: trigger logging
> >> p: reload proxy configuration
> >> q: hide console
> >> r: reload policy configuration
> >> s: dump system and deployment properties
> >> t: dump thread list
> >> 0-5: set trace level to <n>
> >> ----------------------------------------------------
> >> Ignored exception: java.lang.IllegalArgumentException
> >> Connecting to divan.mitre.org:7997
> >> java.security.AccessControlException: access denied (java.util.PropertyPermission javaplugin.version read)
> >> at java.security.AccessControlContext.checkPermission(Unknown Source)
> >> at java.security.AccessController.checkPermission(Unknown Source)
> >> at java.lang.SecurityManager.checkPermission(Unknown Source)
> >> at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
> >> at java.lang.System.getProperty(Unknown Source)
> >> at com.sun.deploy.util.DialogFactory.showDialog(Unknown Source)
> >> at com.sun.deploy.util.DialogFactory.showOptionDialogImpl(Unknown Source)
> >> at com.sun.deploy.util.DialogFactory.access$200(Unknown Source)
> >> at com.sun.deploy.util.DialogFactory$4.execute(Unknown Source)
> >> at com.sun.deploy.util.DeploySysRun.execute(Unknown Source)
> >> at com.sun.deploy.util.DialogFactory.showOptionDialog(Unknown Source)
> >> at com.sun.deploy.util.DialogFactory.showOptionDialog(Unknown Source)
> >> at com.sun.deploy.security.ClientCertDialog.DoModal(Unknown Source)
> >> at com.sun.deploy.security.X509DeployKeyManager$3.execute(Unknown Source)
> >> at com.sun.deploy.util.DeploySysRun.execute(Unknown Source)
> >> at com.sun.deploy.security.X509DeployKeyManager.chooseClientAlias(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.JsseX509KeyManager.chooseClientAlias(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
> >> at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
> >> at java.io.BufferedInputStream.fill(Unknown Source)
> >> at java.io.BufferedInputStream.read(Unknown Source)
> >> at java.io.DataInputStream.readUnsignedShort(Unknown Source)
> >> at java.io.DataInputStream.readUTF(Unknown Source)
> >> at java.io.DataInputStream.readUTF(Unknown Source)
> >> at org.mitre.tlstest.Client.run(Client.java:123)
> >> at org.mitre.tlstest.App.main(App.java:64)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >> at java.lang.reflect.Method.invoke(Unknown Source)
> >> at com.sun.javaws.Launcher.executeApplication(Unknown Source)
> >> at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
> >> at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
> >> at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
> >> at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
> >> at com.sun.javaws.Launcher.run(Unknown Source)
> >> at java.lang.Thread.run(Unknown Source)
> >> Software caused connection abort: recv failed
> >> -------------- end console panel running on Windows 2000 ---------------
> >>
> >> I submitted this report to the bug parade back in February, but for
> >> some reason, it never appeared.
> >>
> >> John
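
The failure mode diagnosed in the thread above (a trusted code path reading `javaplugin.version` with sandboxed application frames still on the stack), shown as an added example that is not the `com.sun.deploy` code or part of the original report. The class and method names are hypothetical, the property value is constructed, and it assumes a JDK where the Security Manager is still usable (for example 8 or 11, or 17 started with `-Djava.security.manager=allow`).

```java
import java.security.*;

// Hypothetical demo class; not the com.sun.deploy code from the trace.
public class DoPrivilegedDemo {
    static final String PROP = "javaplugin.version"; // property named in the trace

    // Trusted library code WITHOUT doPrivileged: the permission check walks the
    // whole call stack, so a sandboxed caller makes it fail.
    static String readUnprivileged() {
        return System.getProperty(PROP);
    }

    // Same read inside doPrivileged: the stack walk stops at this frame, so only
    // this class's own permissions are consulted. The property name is fixed,
    // not caller-supplied, so sandboxed code cannot use it to read other properties.
    static String readPrivileged() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(PROP));
    }

    // Runs an action as if called from application code with no permissions.
    static String asSandboxedCaller(PrivilegedAction<String> action) {
        ProtectionDomain noPerms = new ProtectionDomain(null, new Permissions());
        AccessControlContext sandbox =
                new AccessControlContext(new ProtectionDomain[] { noPerms });
        return AccessController.doPrivileged(action, sandbox);
    }

    public static void main(String[] args) {
        System.setProperty(PROP, "constructed-sample-value"); // constructed value
        // Treat this class as fully trusted, as deployment code would be.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        try {
            asSandboxedCaller(DoPrivilegedDemo::readUnprivileged);
        } catch (AccessControlException e) {
            System.out.println("without doPrivileged: " + e.getMessage());
        }
        System.out.println("with doPrivileged: "
                + asSandboxedCaller(DoPrivilegedDemo::readPrivileged));
    }
}
```

The first call fails with the same `access denied (java.util.PropertyPermission javaplugin.version read)` check seen in the console trace; the second succeeds because the privileged frame cuts the sandboxed caller out of the permission check.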