Bug
Resolution: Won't Fix
P2
6u22
x86
windows_xp
FULL PRODUCT VERSION :
Java 6 plugin Version 6 Update 22 (build 1.6.0_22-b04)
ADDITIONAL OS VERSION INFORMATION :
Windows XP SP3
EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet Explorer 8
A DESCRIPTION OF THE PROBLEM :
When we make a request on port 80 using a client-side Java applet in Internet Explorer 8 and all previous versions, we get the following error: java.security.AccessControlException: access denied (java.net.SocketPermission IPAddress:80 connect,resolve). Version 1.6.0_21 does not return this message, nor did any previous releases. The structure of our request has not changed.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Install Java 6 Plug-in Version 6 Update 22 (build 1.6.0_22-b04) on a Windows XP SP3 computer, with the latest Internet Explorer Browser IE 8 and go to http://elex.learnexact.com/demo.
Login as "java" with password of "java_10", click on "My courses", "java", "Launch", then it will open a new window.
Inside this popup window, click on "Call Initialize()", the following message will appear in the near textbox: "Initialize Failed! Error Code: 102 Error Description: Server is busy".
Click on "Call GetDiagnostic()", the following message will appear in the near textbox: "GetDiagnostic returned: [Internal Server Error] No Init Response - access denied (java.net.SocketPermission IPAdress:80 connect,resolve)".
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Clicking on "Call Initialize()", the following message will appear in the near textbox: "Initialize Successful!".
Clicking on "Call GetDiagnostic()", the following message will appear in the near textbox: "GetDiagnostic returned: No error found!".
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.AccessControlException: access denied (java.net.SocketPermission IPAddress:80 connect,resolve)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Reinstalling the 1.6.0_21 release fixes the problem. Also disabling the next-generation Java Plug-in fixes the problem.
Additional details from the submitter:
=====================
Environment:
1. IE8
2. JRE 6 Update 22, with "Enable the next-generation Java Plug-in" enabled
3. Tracing enabled in the java console
4. deployment.trace.level=all added in the deployment.properties file
Full trace log for failure:
network: Connecting http://elex.learnexact.com/demo/X-Tracer/LMSAPI_1484_11.ashx?action=init&CID=sun-java-CVE-2010-3560&SID=activity_1&UID=145 with proxy=DIRECT
network: Cache entry not found [url: http://192.168.4.204/crossdomain.xml, version: null]
network: Connecting http://192.168.4.204/crossdomain.xml with proxy=DIRECT
network: Connecting http://192.168.4.204:80/ with proxy=DIRECT
Exception: java.security.AccessControlException: access denied (java.net.SocketPermission 192.168.4.204:80 connect,resolve)
Environment:
1. IE8
2. JRE 6 Update 22, with "Enable the next-generation Java Plug-in" disabled
3. Tracing enabled in the java console
4. deployment.trace.level=all added in the deployment.properties file
Full trace log for success:
liveconnect: Invoking method: public java.lang.String API.Initialize(java.lang.String)
liveconnect: Needs conversion: java.lang.String --> java.lang.String
network: Connecting http://elex.learnexact.com/demo/X-Tracer/LMSAPI_1484_11.ashx?action=init&CID=sun-java-CVE-2010-3560&SID=activity_1&UID=145 with proxy=DIRECT
network: Connecting http://elex.learnexact.com/demo/X-Tracer/LMSAPI_1484_11.ashx?action=init&CID=sun-java-CVE-2010-3560&SID=activity_1&UID=145 with cookie ".ELEXDATA=4BCB23D7FFED56772E315F8C23EDD93493AD67F6487ED2629571E998A24D3B8743DFA8CAB2799A0F305F0AA5E9FF776DB46E569811892373724F51F6476839EB4FE2C5E27F52796A95A435516A1497BB96E8F2ABB071359A0AC6F00D72F48517E30AD8297EB4D1D3EB8E2EFE28D5D593D160DF7EDC120C92706803B297764915FDCD49FE86547CB62DFB9DF3173D0D434F5768B9B92FFBD9A5F9DE348B24BD67443EE280A0763BC49D50EA02F6073285; elex_user_settings; ASP.NET_SessionId=ooutzb55c5w0vw45tdmvec3s; .ELEXAUTH=938ED345B6CE306299674A11C96A38659F7C7E95CA6C45927C9F7861452BCF43877912F78355C269CF69C2E63EC27338CB95BAD1999D3DC77095365BD1AAD190"
network: Connecting socket://elex.learnexact.com:80 with proxy=DIRECT
More data:
=========
We have analyzed this issue in depth, and the scenario and the root cause are now clear to us.
The problem arises once a Client PC (with JRE Update 22 installed) tries (through the Internet) to connect to a server that is behind an Internet Security and Accelerator Server (Microsoft ISA Server) on a private network. The ISA Server we are using is configured to concentrate in a unique public IP address several Hostnames of registered web sites (one of these being the Hostname to which the client PC is trying to connect). So when the Client types the URL, the public DNS resolves the public IP address of the ISA Server, which proxies it to a private IP address corresponding to the server on which the application is installed. The answer is then redirected to the Client, but if JRE Update 22 is installed, the new (and more restrictive) security settings require a reverse resolution of the IP to try to find a match with the original Hostname. The DNS server at this point returns one of the Hostnames that are associated with the unique IP address, which cannot match the expected Hostname, and so a cross-domain exception is invoked, blocking our client application.
One of the workarounds we have found is to use a Proxy between the Client PC and the ISA Server: in this case the Proxy statically associates the IP with the URL, and so there is no possibility of encountering this cross-domain issue.
So our preliminary conclusion is that this is a deployment issue, but the new Update 22 security restrictions, in our opinion, introduce some limits on certain network configurations like the one we are using (multiple sites managed by Virtual Hosting through one IP address with several PTR entries, one for each site. In short: a possible HTTP 1.1 deployment). So our hope is that you can, in some way, mitigate the Update 22 security restrictions in order to better support this kind of deployment. Thanks in advance for your attention and collaboration.
More data from the submitter:
=======
Yes, 192.168.4.204 is the alternative IP of elex.learnexact.com in our internal network.
Using IP (192.168.4.204) instead of domain name (elex.learnexact.com), the problem does not occur:
network: Connecting http://192.168.4.204/demo/X-Tracer/LMSAPI_1484_11.ashx?action=init&CID=sun-java-CVE-2010-3560&SID=activity_1&UID=145 with proxy=DIRECT
network: Connecting http://192.168.4.204/demo/X-Tracer/LMSAPI_1484_11.ashx?action=init&CID=sun-java-CVE-2010-3560&SID=activity_1&UID=145 with cookie "elex_user_settings=SearchControllerUserDisplayMode=None; .ELEXDATA=B336F9BBEB1C35733DDBB64DBB548F54D03A32854EBE758B16EDB0EA34344FE1C2864E21A449ED6642DD68AED6F05F32E1D0BFB469C2BC2160C83C310F0E10B1CE6FFDE8E01A9B6A959E0E6F7620892CB7F314D9D8BA53CB8B319F8C9D241CEAAB207DE085F857040BB3BBAB687495274683FA2A879DC5EB1E14B5AC3E27C8887202E4BDD04A401BCCA329283528FDE126CB039E14A6A89520B9DCB1DD88A2A3147CCC272230DEE4FACC58E9075129E3; ASP.NET_SessionId=cjarm255kd0nksjk5alwjrmr; .ELEXAUTH=197460619D5B739FCB36E564061D4A43A1F58E25D5360D146DD59964A563227B63ED0CB9CF9AE8A7B0D8CF5C6DCC2F2A9B26FE565007CB3326A78707A2E5FE82"
network: Connecting http://192.168.4.204:80/ with proxy=DIRECT
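Added example (not part of the original report, and not the JRE's implementation): a small audit that models the forward-then-reverse name check as the submitter describes it under "More data", and the IP-literal case from the last trace. The DNS records are constructed, "other-site.example" is a hypothetical second virtual host, and the function names are made up for this sketch.

```python
import ipaddress

# Constructed DNS data modelling the report's deployment: several virtual
# hosts share one address. "other-site.example" is a hypothetical second site.
A_RECORDS = {
    "elex.learnexact.com": ["192.168.4.204"],
    "other-site.example": ["192.168.4.204"],
}
PTR_RECORDS = {"192.168.4.204": ["other-site.example.", "elex.learnexact.com."]}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolver_answer_matches(host, addr, pick, ptr_records=PTR_RECORDS):
    """True if the single PTR name at index `pick` equals the origin host."""
    names = ptr_records.get(addr, [])
    return pick < len(names) and normalize(names[pick]) == normalize(host)


def audit_origin(host, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Classify how a forward-then-reverse name check would treat `host`."""
    if is_ip_literal(host):
        return "ip-literal"      # origin is an address: no name to match
    addrs = a_records.get(normalize(host), [])
    if not addrs:
        return "unresolved"      # no forward record in the data set
    verdict = "consistent"       # one PTR per address, equal to host
    for addr in addrs:
        names = [normalize(n) for n in ptr_records.get(addr, [])]
        if normalize(host) not in names:
            return "mismatch"    # reverse lookup can never name host
        if len(names) > 1:
            verdict = "ambiguous"  # depends on which PTR is returned
    return verdict
```

Run against real zone data, an "ambiguous" or "mismatch" verdict flags a hostname whose applets would be exposed to the failure in the trace above.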