Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8061643

JavaWS fails with proxy autoconfig due to missing "resolve" permission

XMLWordPrintable

    • b14
    • x86_64
    • windows_7

        FULL PRODUCT VERSION :
        java version "1.8.0_25"
        Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
        Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows [Version 6.1.7601]

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        Corporate Environment - No direct connection to the internet - only via http/socks-proxys

        A DESCRIPTION OF THE PROBLEM :
        When in an environment where proxy configuration is determined by an autoconfig-script and jars have to be downloaded via proxys, JavaWS fails because of java.security.AccessControlException: access denied ("java.net.SocketPermission" "docs.oracle.com" "resolve")

        Because of different proxys for different destinations a single proxy configuration isn't applicable.


        REGRESSION. Last worked in version 8u20

        ADDITIONAL REGRESSION INFORMATION:
        java version "1.8.0_25"
        Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
        Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)



        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Be in a corporate environment and only have access to the internet and other destinations via (multiple) proxies

        2. Deploy an autoconfig.conf like this:
        (actual content doesn't really matter here)
        ====================
        function FindProxyForURL(url, host)
        {
        if(dnsResolve(host) == '') {
        return "DIRECT"
        }
        if (!isResolvable(host) && dnsDomainIs(host, "some.domain.com"))
        {
        return "PROXY a.proxy.in.your.company:proxyport";
        }
        if (isInNet(host, "255.255.0.0", "255.255.0.0") && false)
        {
        return "DIRECT";
        }
        return "PROXY yourproxy:yourproxyport";
        }
        ====================

        3. Go to http://docs.oracle.com/javase/tutorial/uiswing/layout/gridbag.html
        and launch the demo:
        http://docs.oracle.com/javase/tutorialJWS/samples/uiswing/GridBagLayoutDemoProject/GridBagLayoutDemo.jnlp

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The jnlp should load and spawn a new java process launching the demo.
        ACTUAL -
        The Application could not be started because of com.sun.deploy.net.FailedDownloadException: Ressource konnte nicht geladen werden: http://docs.oracle.com/javase/tutorialJWS/samples/uiswing/GridBagLayoutDemoProject/GridBagLayoutDemo.jnlp

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        java.security.AccessControlException: access denied ("java.net.SocketPermission" "docs.oracle.com" "resolve")
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkConnect(Unknown Source)
        at java.net.InetAddress.getAllByName0(Unknown Source)
        at java.net.InetAddress.getAllByName(Unknown Source)
        at java.net.InetAddress.getAllByName(Unknown Source)
        at java.net.InetAddress.getByName(Unknown Source)
        at com.sun.deploy.net.proxy.PACFunctionsImpl.dnsResolve(Unknown Source)
        at com.sun.deploy.net.proxy.PACFunctionsImpl.isResolvable(Unknown Source)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler$9.apply(Unknown Source)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler$9.apply(Unknown Source)
        at jdk.nashorn.internal.scripts.Script$\^eval\_.:scopeCall-6(<eval>)
        at jdk.nashorn.internal.scripts.Script$\^eval\_.FindProxyForURL(<eval>:155)
        at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:539)
        at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:209)
        at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:378)
        at jdk.nashorn.api.scripting.ScriptObjectMirror.callMember(ScriptObjectMirror.java:185)
        at jdk.nashorn.api.scripting.NashornScriptEngine.invokeImpl(NashornScriptEngine.java:505)
        at jdk.nashorn.api.scripting.NashornScriptEngine.invokeFunction(NashornScriptEngine.java:227)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler.jsGetProxyInfo(Unknown Source)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler.access$100(Unknown Source)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler$2.run(Unknown Source)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler.jsGetProxyInfo(Unknown Source)
        at com.sun.deploy.net.proxy.SunAutoProxyHandler.getProxyInfo(Unknown Source)
        at com.sun.deploy.net.proxy.DynamicProxyManager.getProxyList(Unknown Source)
        at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
        at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.launch(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)


        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        http://docs.oracle.com/javase/tutorialJWS/samples/uiswing/GridBagLayoutDemoProject/GridBagLayoutDemo.jnlp
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        When you must use an autoconfig-script in your environment - there's no workaround except sticking to Java 8u20 or Java 7u67; but those have critical security advirories.

        SUPPORT :
        YES

              dcherepanov Dmitry Cherepanov
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved: