Details
-
Bug
-
Resolution: Fixed
-
P3
-
6u10
Description
FULL PRODUCT VERSION :
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows XP 32 bit
A DESCRIPTION OF THE PROBLEM :
Since I installed jre 6 update 10 my Java Web Start program cannot connect to an external URL to retreive settings.
From what I've read some security improvements has been made in JRE 6u10 including support for the crossdomain.xml but this should only be adressing UNsigned java web start applications.
My application is signed and I 've also added the following entry in my JNLP-file to prevent error like this:
<security>
<all-permissions/>
</security>
My application has been running without problems since jre 1.4.2 and suddenly the functionallity has changed.
If this change is considered permanent some documentation about the change and some workarounds would be appreciated. For example I can´t find anywhere how to publish this crossdomain.xml-file on a system not hosting a http-server on port 80.
Full stack trace:
java.lang.SecurityException: denied access outside a permitted URL subpath
at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
... 38 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Publish a java web start program, sign the jars and try to connect to an external (different from the source of webstart program) URL from withing the java web start program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No exception
ACTUAL -
Exception:
java.lang.SecurityException: denied access outside a permitted URL subpath
at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
... 38 more
ERROR MESSAGES/STACK TRACES THAT OCCUR :
host syntax error in crossdomain.xml check
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
URL url = new URL("http",host,port,file + "?source=" + URLEncoder.encode(sourceApp));
conn = url.openConnection();
bis = new BufferedInputStream(conn.getInputStream());
---------- END SOURCE ----------
Release Regression From : 6
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows XP 32 bit
A DESCRIPTION OF THE PROBLEM :
Since I installed jre 6 update 10 my Java Web Start program cannot connect to an external URL to retreive settings.
From what I've read some security improvements has been made in JRE 6u10 including support for the crossdomain.xml but this should only be adressing UNsigned java web start applications.
My application is signed and I 've also added the following entry in my JNLP-file to prevent error like this:
<security>
<all-permissions/>
</security>
My application has been running without problems since jre 1.4.2 and suddenly the functionallity has changed.
If this change is considered permanent some documentation about the change and some workarounds would be appreciated. For example I can´t find anywhere how to publish this crossdomain.xml-file on a system not hosting a http-server on port 80.
Full stack trace:
java.lang.SecurityException: denied access outside a permitted URL subpath
at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
... 38 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Publish a java web start program, sign the jars and try to connect to an external (different from the source of webstart program) URL from withing the java web start program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No exception
ACTUAL -
Exception:
java.lang.SecurityException: denied access outside a permitted URL subpath
at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
... 38 more
ERROR MESSAGES/STACK TRACES THAT OCCUR :
host syntax error in crossdomain.xml check
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
URL url = new URL("http",host,port,file + "?source=" + URLEncoder.encode(sourceApp));
conn = url.openConnection();
bis = new BufferedInputStream(conn.getInputStream());
---------- END SOURCE ----------
Release Regression From : 6
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
Attachments
Issue Links
- relates to
-
-
- Closed
-
-
-
- Closed
-