- Bug
- Resolution: Fixed
- P4
- 5.0
- b04
- b03
- x86
- linux
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2141530 | 6u1 | Shannon Hickey | P4 | Resolved | Fixed | b01 |
JDK-2141531 | 5.0u11 | Shannon Hickey | P4 | Resolved | Fixed | b01 |
FULL PRODUCT VERSION :
java version "1.5.0_08"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_08-b03)
Java HotSpot(TM) Client VM (build 1.5.0_08-b03, mixed mode, sharing)
java version "1.6.0-rc"
Java(TM) SE Runtime Environment (build 1.6.0-rc-b92)
Java HotSpot(TM) Client VM (build 1.6.0-rc-b92, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
When serializing Swing components (tested with JFrame and JPanel) with the Ocean theme, classes from sun.swing.* are serialised. sun.* classes cannot be deserialised. This will cause an AccessControlException in untrusted code.
Examining the serializer data, the class sun.swing.PrintColorUIResource appears to be present. This class appears in javax.swing.plaf.metal.OceanTheme.CONTROL_TEXT_COLOR and OCEAN_BLACK. Using the -Dswing.metalTheme=steel command line option switches to the Steel theme and prevents the exception. I believe Component.doSwingSerialization should remove PL&F artifacts during serialization.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The program below sets a security manager, serialises a JPanel and then deserialises it. Run as:
java OceanSun
To run without Ocean (and hence the exception):
java -Dswing.metalTheme=steel OceanSun
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The program should run and exit without error.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.swing)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at java.io.ObjectInputStream.resolveClass(Unknown Source)
    at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
    at java.io.ObjectInputStream.readClassDesc(Unknown Source)
    at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
    at java.io.ObjectInputStream.readObject0(Unknown Source)
    at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
    at java.io.ObjectInputStream.defaultReadObject(Unknown Source)
    at java.awt.Component.readObject(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
    at java.io.ObjectInputStream.readSerialData(Unknown Source)
    at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
    at java.io.ObjectInputStream.readObject0(Unknown Source)
    at java.io.ObjectInputStream.readObject(Unknown Source)
    at OceanSun.main(OceanSun.java:15)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.*;
import javax.swing.*;

class OceanSun {
    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new SecurityManager()); // install the default security manager
        ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(byteOut);
        JPanel frame = new JPanel(); // created under the default Ocean theme
        out.writeObject(frame);
        out.close();
        ObjectInputStream in = new ObjectInputStream(
            new ByteArrayInputStream(byteOut.toByteArray())
        );
        JPanel readFrame = (JPanel)in.readObject(); // the AccessControlException is thrown here
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Don't use Ocean when serializing components. It may be possible to overwrite the relevant Color properties on the Component.
Backported by:
- JDK-2141530 OceanTheme causes swing components to serialize with sun.* classes (Resolved)
- JDK-2141531 OceanTheme causes swing components to serialize with sun.* classes (Resolved)
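The report's observation that sun.swing.PrintColorUIResource is present in the serialized data can be checked without reading the raw bytes. The following is an added example, not part of the original report or of the JDK fix; the class SerializedClassAudit and its helper names are hypothetical. It records every class descriptor that ObjectOutputStream writes for a JPanel and flags names under sun.*, so a build or test can catch internal classes leaking into serialized component data.

```java
import java.io.*;
import java.util.*;
import javax.swing.JPanel;

/** Added example: lists the classes a serialized object graph refers to. */
public class SerializedClassAudit {

    /** ObjectOutputStream that records every class whose descriptor is written. */
    static final class RecordingStream extends ObjectOutputStream {
        final Set<String> classNames = new TreeSet<String>();

        RecordingStream(OutputStream sink) throws IOException {
            super(sink);
        }

        @Override
        protected void annotateClass(Class<?> cl) throws IOException {
            classNames.add(cl.getName()); // invoked once per class descriptor in the stream
            super.annotateClass(cl);
        }
    }

    /** Serializes root into memory and returns the names of all classes in the stream. */
    static Set<String> classesInStream(Object root) throws IOException {
        RecordingStream out = new RecordingStream(new ByteArrayOutputStream());
        out.writeObject(root);
        out.close();
        return out.classNames;
    }

    /** Keeps only the names that start with the given package prefix, e.g. "sun.". */
    static List<String> inPackage(Set<String> names, String prefix) {
        List<String> hits = new ArrayList<String>();
        for (String name : names) {
            if (name.startsWith(prefix)) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        Set<String> names = classesInStream(new JPanel());
        List<String> internal = inPackage(names, "sun.");
        System.out.println(names.size() + " classes in stream");
        System.out.println("sun.* classes: " + internal);
        if (!internal.isEmpty()) System.exit(1); // non-zero exit so a build step can fail on a leak
    }
}
```

Run it with and without -Dswing.metalTheme=steel to compare the two themes on a given JDK build.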