- Bug
- Resolution: Fixed
- P2
- 8
- win7/x86/8
- b114
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8034451 | 7u65 | Andy Herrick | P2 | Resolved | Fixed | b01 |
JDK-8027341 | 7u60 | Andy Herrick | P2 | Closed | Fixed | |
According to https://bugs.openjdk.java.net/browse/JDK-8021231, when "server:port" is defined in the Deployment Rule Set file, an app loaded from "server:port" will be matched, e.g.:
www.oracle.com:80 ==> any protocol, only port 80
This means an app loaded from www.oracle.com on port 80 will match this rule.
But local rules with server/port will be considered invalid with jre8.
Steps to reproduce:
1) Install jre8-b108
2) Make sure you can access the internet, or disable the OCSP/CRL check from JCP
3) Rename http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsLocalSecurityPolicy/lib/DeploymentRuleSet.jar.run-WithPort to DeploymentRuleSet.jar and copy it to deployment.system.home/.
To check whether DRS works, you can open JCP->Security->View the active Deployment Rule Set. You will see:
<ruleset version="1.0">
<rule>
<id location="kgb.us.oracle.com:8080"/>
<action permission="run"/>
</rule>
<!-- block everything else -->
<rule>
<id/>
<action permission="block" message="we don't want to run anything else"/>
</rule>
</ruleset>
4) Load app: javaws http://kgb.us.oracle.com:8080/batJavaws/jnlp/testBAT.jnlp
5) If you see a dialog with title "Application Blocked" saying "invalid rule in Deployment Rule Set file", then this bug is reproduced. See attachment.
Expected behavior: app should be loaded successfully
Note:
1) Local rules with server/port work fine with 7u45
2) Local rules with protocol/server/port and protocol/server work fine with jre8
Steps to reproduce note1:
1) Install jre7u45
2) Make sure you can access the internet, or disable the OCSP/CRL check from JCP
3) Rename http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsLocalSecurityPolicy/lib/DeploymentRuleSet.jar.run-WithPort to DeploymentRuleSet.jar and copy it to deployment.system.home/.
To check whether DRS works, you can open JCP->Security->View the active Deployment Rule Set. You will see:
<ruleset version="1.0">
<rule>
<id location="kgb.us.oracle.com:8080"/>
<action permission="run"/>
</rule>
<!-- block everything else -->
<rule>
<id/>
<action permission="block" message="we don't want to run anything else"/>
</rule>
</ruleset>
4) Load app: javaws http://kgb.us.oracle.com:8080/batJavaws/jnlp/testBAT.jnlp
5) The app will be loaded successfully
Steps to reproduce note2:
1) Install jre8-b108
2) Make sure you can access the internet, or disable the OCSP/CRL check from JCP
3) Rename http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsLocalSecurityPolicy/lib/DeploymentRuleSet.jar.run-WPWP to DeploymentRuleSet.jar and copy it to deployment.system.home/.
To check whether DRS works, you can open JCP->Security->View the active Deployment Rule Set. You will see:
<ruleset version="1.0">
<rule>
<id location="http://kgb.us.oracle.com:8080"/>
<action permission="run"/>
</rule>
<!-- block everything else -->
<rule>
<id/>
<action permission="block" message="we don't want to run anything else"/>
</rule>
</ruleset>
4) Load app: javaws http://kgb.us.oracle.com:8080/batJavaws/jnlp/testBAT.jnlp
5) The app will be loaded successfully
6) The same for DRS with protocol/server defined
<ruleset version="1.0">
<rule>
<id location="http://kgb.us.oracle.com"/>
<action permission="run"/>
</rule>
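An added example (not part of the bug report and not JDK code): a small Python evaluator for the matching behaviour the report describes, usable to check a ruleset against a launch URL before deploying it. It assumes what the report states or shows (an omitted protocol matches any protocol, an omitted port matches any port, `<id/>` matches everything) and that rules are tried in order; the function names and the "default" return value are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the server/port ruleset quoted in the report.
RULESET = """<ruleset version="1.0">
  <rule>
    <id location="kgb.us.oracle.com:8080"/>
    <action permission="run"/>
  </rule>
  <rule>
    <id/>
    <action permission="block" message="we don't want to run anything else"/>
  </rule>
</ruleset>"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_location(loc):
    """Split a rule location into (scheme, host, port); None means 'any'."""
    scheme, sep, rest = loc.partition("://")
    if not sep:  # no protocol given: "server" or "server:port"
        scheme, rest = None, loc
    authority = rest.split("/", 1)[0]
    host, sep, port = authority.partition(":")
    if not host or (sep and not port.isdigit()):
        raise ValueError("invalid location: %r" % loc)
    return (scheme.lower() if scheme else None, host.lower(), int(port) if sep else None)

def rule_matches(loc, url):
    """True if a rule's location (None for a bare <id/>) covers the launch URL."""
    if loc is None:
        return True
    scheme, host, port = parse_location(loc)
    u = urlsplit(url)
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    return ((scheme is None or scheme == u.scheme)
            and host == (u.hostname or "")
            and (port is None or port == url_port))

def decide(ruleset_xml, url):
    """Return the permission of the first rule whose <id> matches url."""
    for rule in ET.fromstring(ruleset_xml).findall("rule"):
        if rule_matches(rule.find("id").get("location"), url):
            return rule.find("action").get("permission")
    return "default"  # assumption: label for "no rule matched"

if __name__ == "__main__":
    print(decide(RULESET, "http://kgb.us.oracle.com:8080/batJavaws/jnlp/testBAT.jnlp"))
```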
- backported by
  - JDK-8034451 DRS: Local rules with server/port will be considered as invalid with jre8 (Resolved)
  - JDK-8027341 DRS: Local rules with server/port will be considered as invalid with jre8 (Closed)