-
Bug
-
Resolution: Duplicate
-
P3
-
None
-
8u25, 8u40
-
x86
-
windows_8
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
It was working fine with JDK 1.7 or earlier versions, but once we test with JDK 8 we are getting the following exception
Exception in thread "cth" java.security.AccessControlException: access denied ("java.net.SocketPermission" "IP:PORT" "connect,resolve")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at iyp.simplegameapplet.d.f.a(Unknown Source)
at iyp.b.a.b$c.run(Unknown Source)
We have an applet, which will open a socket connection to communicate with the server socket application here is the applet code which used to open the socket communication
Socket sock = new Socket();
InputStream is;
OutputStream os;
try {
sock.connect(serverAddr, timeoutMs);
} catch(SocketTimeoutException ex) {
return false;
}
is = sock.getInputStream();
os = sock.getOutputStream();
We are using signed applets, I tested with a java client program from eclipse, this works fine, only with Applet we have issue. may be Applet security need to use full permissions we try with MANIFEST.MF with Permissions: all-permissions and object parameters for applet which doesn't solve the problem.
When we grant in the client machine java.policy to full permissions it was worked fine, but this is not correct way to go ahead forcing to change client machine java.policy
REGRESSION. Last worked in version 7u72
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a signed applet and that will open a Socket to communicate the server.
http://www.cuesportz.com/
Go to this site and register yourself then you can play the pool game. We have designed an applet which can be launched to play the game and will communicate to game server with a socket from applet. You can play the multiplay with any opponent or can use speed pool to play alone.
As I review the source of JDK and JRE 8 changes here is my analysis let me know if am wrong.
1. JRE 8 has introduced the Java.net.URLPermission class before was using SocketPermissions, which will take care about the permissions to URL's in the applet security
2. As we review the java/net/Socket.java implementation for the connect method it has the following code
SecurityManager security = System.getSecurityManager();
if (security != null) {
if (epoint.isUnresolved())
security.checkConnect(epoint.getHostName(), port);
else
security.checkConnect(addr.getHostAddress(), port);
}
Then the checkConnect method of SecurityManager is using SocketPermission
if (port == -1) {
checkPermission(new SocketPermission(host,
SecurityConstants.SOCKET_RESOLVE_ACTION));
} else {
checkPermission(new SocketPermission(host+":"+port,
SecurityConstants.SOCKET_CONNECT_ACTION));
}
I think the Socket connection is referring to the SocketPermission where the security is giving only the URL permission
Here is another observation from JDK 7 and 8, In the Java console log from client browser, I find this difference
JRE 7 has the following entry in the log:
security: Grant socket perm for http://cuesportz.net/iypapplets/iypRoomGameApplet_3.jar : java.security.Permissions@1ae5edf (
("java.net.SocketPermission" "cuesportz.net" "connect,accept,resolve")
)
JRE 8 has the following entry in the log:
security: Grant connect perm for http://cuesportz.net/iypapplets/iypRoomGameApplet_3.jar : java.security.Permissions@e51286 (
("java.net.URLPermission" "http://cuesportz.net:80" "*:*")
("java.net.URLPermission" "http://cuesportz.net:80/-" "*:*")
)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Should connect to the ServerSocket for the communication
ACTUAL -
Is giving Exception in thread "cth" java.security.AccessControlException: access denied ("java.net.SocketPermission" "IP:PORT" "connect,resolve")
REPRODUCIBILITY :
This bug can be reproduced always.
A DESCRIPTION OF THE PROBLEM :
It was working fine with JDK 1.7 or earlier versions, but once we test with JDK 8 we are getting the following exception
Exception in thread "cth" java.security.AccessControlException: access denied ("java.net.SocketPermission" "IP:PORT" "connect,resolve")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at iyp.simplegameapplet.d.f.a(Unknown Source)
at iyp.b.a.b$c.run(Unknown Source)
We have an applet, which will open a socket connection to communicate with the server socket application here is the applet code which used to open the socket communication
Socket sock = new Socket();
InputStream is;
OutputStream os;
try {
sock.connect(serverAddr, timeoutMs);
} catch(SocketTimeoutException ex) {
return false;
}
is = sock.getInputStream();
os = sock.getOutputStream();
We are using signed applets, I tested with a java client program from eclipse, this works fine, only with Applet we have issue. may be Applet security need to use full permissions we try with MANIFEST.MF with Permissions: all-permissions and object parameters for applet which doesn't solve the problem.
When we grant in the client machine java.policy to full permissions it was worked fine, but this is not correct way to go ahead forcing to change client machine java.policy
REGRESSION. Last worked in version 7u72
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a signed applet and that will open a Socket to communicate the server.
http://www.cuesportz.com/
Go to this site and register yourself then you can play the pool game. We have designed an applet which can be launched to play the game and will communicate to game server with a socket from applet. You can play the multiplay with any opponent or can use speed pool to play alone.
As I review the source of JDK and JRE 8 changes here is my analysis let me know if am wrong.
1. JRE 8 has introduced the Java.net.URLPermission class before was using SocketPermissions, which will take care about the permissions to URL's in the applet security
2. As we review the java/net/Socket.java implementation for the connect method it has the following code
SecurityManager security = System.getSecurityManager();
if (security != null) {
if (epoint.isUnresolved())
security.checkConnect(epoint.getHostName(), port);
else
security.checkConnect(addr.getHostAddress(), port);
}
Then the checkConnect method of SecurityManager is using SocketPermission
if (port == -1) {
checkPermission(new SocketPermission(host,
SecurityConstants.SOCKET_RESOLVE_ACTION));
} else {
checkPermission(new SocketPermission(host+":"+port,
SecurityConstants.SOCKET_CONNECT_ACTION));
}
I think the Socket connection is referring to the SocketPermission where the security is giving only the URL permission
Here is another observation from JDK 7 and 8, In the Java console log from client browser, I find this difference
JRE 7 has the following entry in the log:
security: Grant socket perm for http://cuesportz.net/iypapplets/iypRoomGameApplet_3.jar : java.security.Permissions@1ae5edf (
("java.net.SocketPermission" "cuesportz.net" "connect,accept,resolve")
)
JRE 8 has the following entry in the log:
security: Grant connect perm for http://cuesportz.net/iypapplets/iypRoomGameApplet_3.jar : java.security.Permissions@e51286 (
("java.net.URLPermission" "http://cuesportz.net:80" "*:*")
("java.net.URLPermission" "http://cuesportz.net:80/-" "*:*")
)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Should connect to the ServerSocket for the communication
ACTUAL -
Is giving Exception in thread "cth" java.security.AccessControlException: access denied ("java.net.SocketPermission" "IP:PORT" "connect,resolve")
REPRODUCIBILITY :
This bug can be reproduced always.
- duplicates
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-