- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 7u45
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8029521 | 6u85 | Mikhail Cherkasov | P4 | Closed | Won't Fix | |
FULL PRODUCT VERSION :
java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) Client VM (build 24.45-b08, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
Enumerating resources returned by classloader.getResources() produces a mixed signed/unsigned code warning as of 7u45. jstack output while the security warning is up shows this stack:

```
"javawsApplicationMain" prio=6 tid=0x06463000 nid=0x2630 runnable [0x0998d000]
   java.lang.Thread.State: RUNNABLE
    at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog._show(Native Method)
    at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog.access$000(Unknown Source)
    at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog.showImmediately(Unknown Source)
    at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog.show(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler.showMixedTrustDialog(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler.access$1100(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.checkAllowed(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
    - locked <0x29db79f8> (a com.sun.deploy.security.CPCallbackHandler$ParentCallback)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1700(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.findResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$1.next(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$1.hasMoreElements(Unknown Source)
    at java.net.URLClassLoader$3$1.run(Unknown Source)
    at java.net.URLClassLoader$3$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader$3.next(Unknown Source)
    at java.net.URLClassLoader$3.hasMoreElements(Unknown Source)
    at sun.misc.CompoundEnumeration.next(Unknown Source)
    at sun.misc.CompoundEnumeration.hasMoreElements(Unknown Source)
    at testcase.TestCase.main(Unknown Source)
```
This testcase is launched from a single signed jar via webstart.
This is not a mixed signed/unsigned environment. It's a single jar, that's signed.
REGRESSION. Last worked in version 7u40
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Build the class, sign and deploy with the jnlp file. Run with java console shown.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No mixed code dialog, output of jars on the class path.
ACTUAL -
Mixed signed/unsigned code dialog with block/don't-block prompt.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
If you press 5 in the console, and then choose 'Block' in the dialog, you get this error:
security: resource name "META-INF/MANIFEST.MF" in http://localhost/test/testcase.jar : java.lang.SecurityException: trusted loader attempted to load sandboxed resource from http://localhost/test/testcase.jar
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://localhost/test" href="test.jnlp">
  <information>
    <title>test</title>
    <vendor>test</vendor>
  </information>
  <security><all-permissions/></security>
  <resources>
    <jar href="testcase.jar" main="true" download="eager"/>
  </resources>
  <application-desc main-class="testcase.TestCase"/>
</jnlp>
```

```java
package testcase;

import java.io.*;
import java.net.*;
import java.util.Enumeration;

public class TestCase {
    public static void main(String[] args) throws URISyntaxException, IOException {
        // Enumerate every META-INF/MANIFEST.MF visible to the context class loader.
        final Enumeration<URL> mfUrls = Thread.currentThread().getContextClassLoader().getResources("META-INF/MANIFEST.MF");
        // The stack trace above shows the mixed code dialog being raised from hasMoreElements().
        while (mfUrls.hasMoreElements()) {
            URL jarUrl = mfUrls.nextElement();
            System.out.println(jarUrl.toURI());
        }
    }
}
```

---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
The workaround is to add "Trusted-Library: true" to the manifest.
Which doesn't make sense unless the JNLPClassLoader doesn't trust webstart/jre itself since the whole test case is one class in one jar.
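A triage aid for a report like this one, as an added example that is not part of the original bug report or of the JDK: it prints the trust-related manifest attributes of a jar and lists the entries for which `java.util.jar.JarFile` attaches no code signer. The class name `JarTrustAudit`, the choice of attributes and the constructed sample jar built by `sampleJar()` are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

public class JarTrustAudit {
    // Real deployment manifest attributes; only Trusted-Library appears in the report.
    static final String[] TRUST_ATTRS = {"Trusted-Library", "Trusted-Only", "Permissions"};

    /** Names of entries for which the verifier attached no code signer. */
    static List<String> entriesWithoutSigner(JarFile jar) throws IOException {
        List<String> result = new ArrayList<String>();
        byte[] buf = new byte[8192];
        for (JarEntry e : Collections.list(jar.entries())) {
            if (e.isDirectory()) continue;
            // Signers are only available once the entry has been read to the end;
            // a modified entry in a signed jar makes the read throw SecurityException.
            try (InputStream in = jar.getInputStream(e)) {
                while (in.read(buf) != -1) { }
            }
            if (e.getCodeSigners() == null) result.add(e.getName());
        }
        return result;
    }

    /** Builds a small unsigned jar so the audit runs without arguments (constructed sample). */
    static File sampleJar() throws IOException {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        mf.getMainAttributes().putValue("Trusted-Library", "true");
        File f = File.createTempFile("sample", ".jar");
        f.deleteOnExit();
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(f), mf)) {
            out.putNextEntry(new JarEntry("testcase/TestCase.class"));
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE}); // placeholder bytes, not a real class
            out.closeEntry();
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        File file = args.length > 0 ? new File(args[0]) : sampleJar();
        try (JarFile jar = new JarFile(file, true)) { // true = verify signatures while reading
            Manifest mf = jar.getManifest();
            for (String attr : TRUST_ATTRS) {
                String v = (mf == null) ? null : mf.getMainAttributes().getValue(attr);
                System.out.println(attr + ": " + v);
            }
            for (String name : entriesWithoutSigner(jar)) System.out.println("no signer: " + name);
        }
    }
}
```

Run it with the path of the deployed jar as the only argument; with no argument it audits the constructed unsigned sample. On a signed jar the manifest and the signature files under META-INF are still listed, because the JAR signing format does not attach signers to those files themselves.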
- backported by
  - JDK-8029521 getContextClassLoader().getResources() produces mix-code warning as of 7u45. (Closed)
- duplicates
  - JDK-8029195 Mixed code dialog running CACHED applet that reads classloader manifest resource (Closed)
  - JDK-8034099 Unexpected pop-up due to getcontextclassloader().getresources() (Closed)