FULL PRODUCT VERSION :
[haack@amsterdam ~]$ /usr/java/jdk1.7.0_04/bin/java -version
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b20)
Java HotSpot(TM) 64-Bit Server VM (build 23.0-b21, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
[haack@amsterdam ~]$ uname -a
Linux 2.6.35.14-106.fc14.x86_64 #1 SMP Wed Nov 23 13:07:52 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
In the attached example, a security check inside a custom socket factory implementation
passes unexpectedly. The problem is caused by the calls to AccessController.doPrivileged()
in the class sun.misc.URLClassPath (marked with 'XXX' in the stack trace below).
This seems to violate the contract of the class java.net.URLClassLoader, which says this:
"The AccessControlContext of the thread that created the instance of URLClassLoader will
be used when subsequently loading classes and resources."
[haack@amsterdam DoubtfulDoPrivileged]$ /usr/java/jdk1.7.0_04/bin/java -ea -cp initializer.jar:application.jar -Djava.security.manager -Djava.security.policy=test.policy application.DoubtfulDoPrivileged
Security check passed unexpectedly!!!
Exception in thread "main" java.lang.AssertionError
at initializer.CustomSocketImpl.checkPermission(CustomSocketImpl.java:204)
at initializer.CustomSocketImpl.connect(CustomSocketImpl.java:88)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:378)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:473)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:203)
at sun.net.www.http.HttpClient.New(HttpClient.java:290)
at sun.net.www.http.HttpClient.New(HttpClient.java:306)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:995)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:931)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:849)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:214)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:73)
at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:710)
at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:587)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:667)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:660)
XXX at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:659)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:610)
at sun.misc.URLClassPath$3.run(URLClassPath.java:362)
at sun.misc.URLClassPath$3.run(URLClassPath.java:352)
XXX at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:351)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:328)
at sun.misc.URLClassPath.getResource(URLClassPath.java:194)
at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at application.DoubtfulDoPrivileged.main(DoubtfulDoPrivileged.java:19)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
In a fresh directory do the following:
[haack@amsterdam bug-report]$ mkdir src
[haack@amsterdam bug-report]$ ls
src
Then copy the attached sources to the src directory. Afterwards, the src-directory must have the following
contents:
[haack@amsterdam bug-report]$ ls -R src/
src/:
application initializer
src/application:
DoubtfulDoPrivileged.java
src/initializer:
CustomSocketFactory.java CustomSocketImpl.java Initializer.java
Create a target directory for the classes:
[haack@amsterdam bug-report]$ mkdir bin
[haack@amsterdam bug-report]$ ls
bin src
Create a build.xml with the attached content:
[haack@amsterdam bug-report]$ ls
bin build.xml src
Create a keystore:
[haack@amsterdam bug-report]$ keytool -genkeypair -alias tester -keystore keystore -storepass storepass
What is your first and last name?
[Unknown]: John
What is the name of your organizational unit?
[Unknown]: foo
What is the name of your organization?
[Unknown]: foo
What is the name of your City or Locality?
[Unknown]: foo
What is the name of your State or Province?
[Unknown]: foo
What is the two-letter country code for this unit?
[Unknown]: fo
Is CN=John, OU=foo, O=foo, L=foo, ST=foo, C=fo correct?
[no]: yes
Enter key password for <tester>
(RETURN if same as keystore password):
[haack@amsterdam bug-report]$ ls
bin build.xml keystore src
Copy the attached policy to the directory:
[haack@amsterdam bug-report]$ ls
bin build.xml keystore src test.policy
Build the application:
[haack@amsterdam bug-report]$ ant
Buildfile: build.xml
classes:
[javac] Compiling 4 source files to /home/haack/Eclipse/Workspaces/Jamaica-Car/jdk-bug-reports/bug-report/bin
[javac] Note: /home/haack/Eclipse/Workspaces/Jamaica-Car/jdk-bug-reports/bug-report/src/initializer/CustomSocketImpl.java uses unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
initializer:
[jar] Building jar: /home/haack/Eclipse/Workspaces/Jamaica-Car/jdk-bug-reports/bug-report/initializer.jar
application:
[jar] Building jar: /home/haack/Eclipse/Workspaces/Jamaica-Car/jdk-bug-reports/bug-report/application.jar
jars:
[signjar] Signing JAR: /home/haack/Eclipse/Workspaces/Jamaica-Car/jdk-bug-reports/bug-report/initializer.jar to /home/haack/Eclipse/Workspaces/Jamaica-Car/jdk-bug-reports/bug-report/initializer.jar as tester
[signjar]
[signjar] Warning:
[signjar] The signer certificate will expire within six months.
[signjar] Enter Passphrase for keystore:
BUILD SUCCESSFUL
Total time: 2 seconds
[haack@amsterdam bug-report]$ ls
application.jar bin build.xml initializer.jar keystore src test.policy
Execute the application in secure mode:
[haack@amsterdam bug-report]$ /usr/java/jdk1.7.0_04/bin/java -ea -cp initializer.jar:application.jar -Djava.security.manager -Djava.security.policy=test.policy application.DoubtfulDoPrivileged
Security check passed unexpectedly!!!
Exception in thread "main" java.lang.AssertionError
at initializer.CustomSocketImpl.checkPermission(CustomSocketImpl.java:204)
at initializer.CustomSocketImpl.connect(CustomSocketImpl.java:88)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:378)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:473)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:203)
at sun.net.www.http.HttpClient.New(HttpClient.java:290)
at sun.net.www.http.HttpClient.New(HttpClient.java:306)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:995)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:931)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:849)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:214)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:73)
at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:710)
at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:587)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:667)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:660)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:659)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:610)
at sun.misc.URLClassPath$3.run(URLClassPath.java:362)
at sun.misc.URLClassPath$3.run(URLClassPath.java:352)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:351)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:328)
at sun.misc.URLClassPath.getResource(URLClassPath.java:194)
at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at application.DoubtfulDoPrivileged.main(DoubtfulDoPrivileged.java:19)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No AssertionError should occur. A SecurityException should be thrown.
ACTUAL -
Security check passed unexpectedly!!!
Exception in thread "main" java.lang.AssertionError
at initializer.CustomSocketImpl.checkPermission(CustomSocketImpl.java:204)
at initializer.CustomSocketImpl.connect(CustomSocketImpl.java:88)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:378)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:473)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:203)
at sun.net.www.http.HttpClient.New(HttpClient.java:290)
at sun.net.www.http.HttpClient.New(HttpClient.java:306)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:995)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:931)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:849)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:214)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:73)
at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:710)
at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:587)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:667)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:660)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:659)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:610)
at sun.misc.URLClassPath$3.run(URLClassPath.java:362)
at sun.misc.URLClassPath$3.run(URLClassPath.java:352)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:351)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:328)
at sun.misc.URLClassPath.getResource(URLClassPath.java:194)
at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at application.DoubtfulDoPrivileged.main(DoubtfulDoPrivileged.java:19)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Same as above:
Security check passed unexpectedly!!!
Exception in thread "main" java.lang.AssertionError
at initializer.CustomSocketImpl.checkPermission(CustomSocketImpl.java:204)
at initializer.CustomSocketImpl.connect(CustomSocketImpl.java:88)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:378)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:473)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:203)
at sun.net.www.http.HttpClient.New(HttpClient.java:290)
at sun.net.www.http.HttpClient.New(HttpClient.java:306)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:995)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:931)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:849)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:214)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:73)
at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
at sun.net.www.protocol.jar.JarURLConnection.getJarFile(JarURLConnection.java:89)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:710)
at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:587)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:667)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:660)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:659)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:610)
at sun.misc.URLClassPath$3.run(URLClassPath.java:362)
at sun.misc.URLClassPath$3.run(URLClassPath.java:352)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:351)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:328)
at sun.misc.URLClassPath.getResource(URLClassPath.java:194)
at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at application.DoubtfulDoPrivileged.main(DoubtfulDoPrivileged.java:19)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
SOURCE FILE: application/DoubtfulDoPrivileged.java
package application;

import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.PrivilegedActionException;

import initializer.Initializer;

public class DoubtfulDoPrivileged
{
    public static void main(String[] args) throws
        MalformedURLException, ClassNotFoundException, PrivilegedActionException
    {
        new Initializer().init();
        URL[] urls = { new URL("http://cryptyc.cs.depaul.edu/cryptyc.jar") };
        URLClassLoader classloader = new URLClassLoader(urls);
        classloader.loadClass("cryptyc.main.Main");
        System.out.println("done");
    }
}
SOURCE FILE: initializer/CustomSocketImpl.java
package initializer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Meth
( This report has more than 16,000 characters and has been truncated. )
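Added example, not part of the original report and not JDK code: a stand-alone sketch of the mechanism the description points at, where a one-argument AccessController.doPrivileged() nested inside a context-bound one stops the stack walk before the captured AccessControlContext is consulted. The class name, CREATOR_CONTEXT and the choice of PropertyPermission are assumptions made for illustration; it assumes a JDK 7/8 runtime with the stock java.policy, which grants PropertyPermission "java.version", "read" to all code, and needs no security manager.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Illustration only (hypothetical names). Assumes JDK 7/8 and the stock java.policy.
public class NestedDoPrivilegedDemo {

    // Stand-in for the permission checked in CustomSocketImpl.checkPermission().
    // The stock policy grants it to every code source, so this class's own
    // protection domain implies it.
    static final Permission PERM = new PropertyPermission("java.version", "read");

    // Stand-in for the context captured when the URLClassLoader was created:
    // one protection domain holding no permissions at all.
    static final AccessControlContext CREATOR_CONTEXT = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // The security check at the bottom of the call chain.
    static String check() {
        try {
            AccessController.checkPermission(PERM);
            return "passed";
        } catch (AccessControlException e) {
            return "denied";
        }
    }

    // Outer layer: runs the action under the captured context, so every check
    // inside is intersected with CREATOR_CONTEXT.
    static String underCreatorContext(PrivilegedAction<String> action) {
        return AccessController.doPrivileged(action, CREATOR_CONTEXT);
    }

    // Case 1: the check runs directly inside the context-bound block.
    static String direct() {
        return underCreatorContext(new PrivilegedAction<String>() {
            public String run() { return check(); }
        });
    }

    // Case 2: an inner one-argument doPrivileged, the shape of the frames marked
    // XXX in the report. The stack walk stops at the inner block's caller and no
    // context is attached, so CREATOR_CONTEXT is never consulted.
    static String nestedWithoutContext() {
        return underCreatorContext(new PrivilegedAction<String>() {
            public String run() {
                return AccessController.doPrivileged(new PrivilegedAction<String>() {
                    public String run() { return check(); }
                });
            }
        });
    }

    // Case 3: the inner block hands the captured context on, so the check is
    // again intersected with CREATOR_CONTEXT.
    static String nestedWithContext() {
        return underCreatorContext(new PrivilegedAction<String>() {
            public String run() {
                return AccessController.doPrivileged(new PrivilegedAction<String>() {
                    public String run() { return check(); }
                }, CREATOR_CONTEXT);
            }
        });
    }

    public static void main(String[] args) {
        System.out.println("direct check under creator context : " + direct());
        System.out.println("nested doPrivileged(action)        : " + nestedWithoutContext());
        System.out.println("nested doPrivileged(action, acc)   : " + nestedWithContext());
    }
}
```

Comparing the second and third lines of output shows what the two-argument form changes: a privileged block that must keep honouring a captured context has to pass that context to every nested doPrivileged call.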