- Bug
- Resolution: Fixed
- P2
- 6
- b90
- generic
- generic
When using multiple jars (untrusted code), if code in the first jar accesses a resource in the second jar (using this.getClass().getClassLoader().getResource()), getResource will fail when the file protocol is used.
This is because url.openConnection("file:///foo.jar") will throw a security exception (in the URLClassLoader) whenever you don't have file permission to read the file "/foo.jar".
The JNLPClassLoader grants the code file permission to read the jar the code is in, but not to read the other jars listed in the jnlp file. On the other hand, for the http protocol, the JNLPClassLoader grants permission to open any socket to the originating host, so the same problem does not occur there.
We can fix this just by adding a doPrivileged block in JNLPClassLoader.getResource().
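The proposed fix, shown as an added example rather than the actual JNLPClassLoader source: `MultiJarLoader` is a hypothetical stand-in for that class, and the temporary jar and resource names in `main` are constructed sample data.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;

// Hypothetical stand-in for JNLPClassLoader (its source is not on this page).
public class MultiJarLoader extends URLClassLoader {

    public MultiJarLoader(URL[] listedJars, ClassLoader parent) {
        super(listedJars, parent);
    }

    @Override
    public URL getResource(final String name) {
        // The lookup runs with the loader's own permissions, so the
        // FilePermission check on a sibling jar no longer depends on what
        // the untrusted caller was granted. The search itself is still
        // confined to the jars passed to the constructor.
        return AccessController.doPrivileged(new PrivilegedAction<URL>() {
            public URL run() {
                return MultiJarLoader.super.getResource(name);
            }
        });
    }

    // Constructed sample: build a "second jar" with one resource, then look
    // up that resource and one name that is not in any listed jar.
    public static void main(String[] args) throws Exception {
        File jar = File.createTempFile("second", ".jar");
        jar.deleteOnExit();
        JarOutputStream out = new JarOutputStream(new FileOutputStream(jar));
        out.putNextEntry(new JarEntry("data/config.txt"));
        out.write("sample".getBytes("UTF-8"));
        out.closeEntry();
        out.close();

        MultiJarLoader loader = new MultiJarLoader(
                new URL[] { jar.toURI().toURL() }, null);
        System.out.println(loader.getResource("data/config.txt"));
        System.out.println(loader.getResource("other/missing.txt"));
        loader.close();
    }
}
```

Only the lookup is wrapped: the privileged block should contain nothing that takes a caller-supplied path or URL outside the loader's own search list, otherwise it would hand untrusted code the loader's file permissions.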