- Bug
- Resolution: Fixed
- P3
- 6
- b38
- b72
- sparc
- solaris_9
FULL PRODUCT VERSION :
java version "1.6.0-rc"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-rc-b62)
Java HotSpot(TM) Server VM (build 1.6.0-rc-b62, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
SunOS ceti.umiacs.umd.edu 5.9 gspot:s9u2_beta:07/09/2003 sun4u sparc SUNW,Sun-Fire
A DESCRIPTION OF THE PROBLEM :
When ResourceBundle.getBundle is called from system code, it creates a
java.util.ResourceBundle$RBClassLoader, but doesn't do it
in a doPrivileged block.
As a result, if Java is running with a security manager in place, and unprivileged
code calls a system class that invokes ResourceBundle.getBundle, a security exception
results.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
For example, with a security manager in place, run a method that creates a SAXParser and sets a non-existent property. This will force the SAX code to load a bundle containing localized error messages.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
It throws org.xml.sax.SAXNotRecognizedException: Property 'foo' is not recognized.
ACTUAL -
It gets an AccessControlException (stack trace given in error msg field)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
> java -Djava.security.manager Foo
java.lang.ExceptionInInitializerError
at java.util.ResourceBundle.getLoader(ResourceBundle.java:411)
at java.util.ResourceBundle.getBundle(ResourceBundle.java:771)
at com.sun.org.apache.xerces.internal.util.SAXMessageFormatter.formatMessage(SAXMessageFormatter.java:53)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.getProperty(AbstractSAXParser.java:2060)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.setProperty(SAXParserImpl.java:467)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.setProperty(SAXParserImpl.java:263)
at Foo.main(Foo.java:13)
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:321)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:594)
at java.lang.ClassLoader.<init>(ClassLoader.java:225)
at java.util.ResourceBundle$RBClassLoader.<init>(ResourceBundle.java:425)
at java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:422)
... 7 more
java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:321)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:594)
at java.lang.ClassLoader.<init>(ClassLoader.java:225)
at java.util.ResourceBundle$RBClassLoader.<init>(ResourceBundle.java:425)
at java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:422)
at java.util.ResourceBundle.getLoader(ResourceBundle.java:411)
at java.util.ResourceBundle.getBundle(ResourceBundle.java:771)
at com.sun.org.apache.xerces.internal.util.SAXMessageFormatter.formatMessage(SAXMessageFormatter.java:53)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.getProperty(AbstractSAXParser.java:2060)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.setProperty(SAXParserImpl.java:467)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.setProperty(SAXParserImpl.java:263)
at Foo.main(Foo.java:13)
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)
> javac Foo.java
> java -Djava.security.manager Foo
org.xml.sax.SAXNotRecognizedException: Property 'foo' is not recognized.
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.setProperty(AbstractSAXParser.java:1849)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.setProperty(SAXParserImpl.java:384)
at Foo.main(Foo.java:12)
Exception in thread "main" java.lang.NullPointerException
at Foo.main(Foo.java:15)
java version "1.6.0-rc"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-rc-b62)
Java HotSpot(TM) Client VM (build 1.6.0-rc-b62, mixed mode)
> javac Foo.java
> java -Djava.security.manager Foo
java.lang.ExceptionInInitializerError
at java.util.ResourceBundle.getLoader(ResourceBundle.java:411)
at java.util.ResourceBundle.getBundle(ResourceBundle.java:771)
at com.sun.org.apache.xerces.internal.util.SAXMessageFormatter.formatMessage(SAXMessageFormatter.java:53)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.getProperty(AbstractSAXParser.java:2060)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.setProperty(SAXParserImpl.java:467)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.setProperty(SAXParserImpl.java:263)
at Foo.main(Foo.java:12)
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:321)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:594)
at java.lang.ClassLoader.<init>(ClassLoader.java:225)
at java.util.ResourceBundle$RBClassLoader.<init>(ResourceBundle.java:425)
at java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:422)
... 7 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
public class Foo {
    public static void main(String[] args) throws Throwable {
        try {
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setNamespaceAware(true);
            spf.setValidating(true);
            SAXParser sp = spf.newSAXParser();
            // Unknown property: makes the parser load its localized error-message bundle.
            sp.setProperty("foo", "bar");
        } catch (Throwable e) {
            e.printStackTrace();
            // getCause() is null when there is no cause (the NullPointerException in the 1.5.0 run).
            e.getCause().printStackTrace();
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Grant all code permission to create a classloader
Release Regression From : 5.0
The above release value was the last known release where this
bug was known to work. Since then there has been a regression.
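The kind of doPrivileged block the report says is missing, shown next to the unguarded form, as an added example (not JDK source and not the reporter's code). Class and method names are hypothetical; the allow-all policy and the empty-permission context are constructed to stand in for trusted system code and an unprivileged caller, and the program needs a JDK that still ships the SecurityManager (Java 6 to 17).

```java
import java.security.*;

// Added illustration, not JDK source. Needs a JDK that still ships the
// SecurityManager (Java 6 to 17; deprecated for removal since 17).
public class PrivilegedLoaderDemo {

    // Hypothetical library code with the reported defect: the loader is
    // created with the permissions of every caller on the stack.
    static ClassLoader createLoaderUnguarded() {
        return new ClassLoader(ClassLoader.getSystemClassLoader()) { };
    }

    // Same creation inside doPrivileged: the permission check stops at
    // this frame, so only the library's own protection domain is consulted.
    static ClassLoader createLoaderPrivileged() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return new ClassLoader(ClassLoader.getSystemClassLoader()) { };
            }
        });
    }

    // Runs the action as if called by code holding no permissions at all.
    static String asUnprivilegedCaller(PrivilegedAction<ClassLoader> action) {
        ProtectionDomain noPerms = new ProtectionDomain(null, new Permissions());
        AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] { noPerms });
        try {
            AccessController.doPrivileged(action, acc);
            return "loader created";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Constructed policy: this class plays the trusted "system" code.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("unguarded:  " + asUnprivilegedCaller(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() { return createLoaderUnguarded(); }
        }));
        System.out.println("privileged: " + asUnprivilegedCaller(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() { return createLoaderPrivileged(); }
        }));
    }
}
```

The privileged block should wrap only the loader creation: anything else placed inside it also runs with the library's permissions on behalf of the unprivileged caller.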