Bug
Resolution: Duplicate
P3
7u72
x86
linux
FULL PRODUCT VERSION :
java version "1.7.0_72"
Java(TM) SE Runtime Environment (build 1.7.0_72-b14)
Java HotSpot(TM) Client VM (build 24.72-b04, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
Linux ubuntu 3.13.0-39-generic #66-Ubuntu SMP Tue Oct 28 13:30:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
Used browser: Mozilla Firefox 31.0
A DESCRIPTION OF THE PROBLEM :
After invoking a Java applet method from JS, the following error message is logged to the console and an exception is thrown on the JavaScript side:
liveconnect: Security Exception: JavaScript from URL_OF_APPLET_HTML attempted to access a resource it has no rights to.
This only occurs when the Caller-Allowable-Codebase manifest attribute is set to "*" or is missing. There is no problem when this attribute is set to a particular domain.
According to http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html, a security warning should be shown when "*" is used and the JavaScript call should not fail. In our case, no warning is shown and the call fails.
Our internal investigation shows that the following code is executed to show the security warning dialog:
JAVA_HOME/bin/java -cp JAVA_HOME/lib/deploy.jar com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog a b c
On the Linux platform, -1 is returned and no dialog is shown.
REGRESSION. Last worked in version 7u67
ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_67"
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Java HotSpot(TM) Client VM (build 24.65-b04, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Build the Java applet from the provided source code.
Create a jar with the provided manifest attributes.
Sign the jar.
2. Browse the provided HTML page.
3. The applet should be loaded and the message "TestApplet initialized" should be logged to the Java Console.
4. Click the "hello" button (a Java call is initiated).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A security warning dialog should be shown and the JavaScript-to-Java call should not fail. The message "TestApplet hello" should be logged to the Java Console.
ACTUAL -
The JavaScript-to-Java call fails with the following exception on the JavaScript side:
Liveconnect call for Applet ID 1 is not allowed in this JVM instance.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Message logged in JavaConsole:
liveconnect: Security Exception: JavaScript from URL_OF_APPLET_HTML attempted to access a resource it has no rights to
Message thrown at Javascript side:
Liveconnect call for Applet ID 1 is not allowed in this JVM instance
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
***** applet (TestApplet.java) *****
import java.applet.Applet;

public class TestApplet extends Applet
{
    @Override
    public void init()
    {
        super.init();
        System.out.println("TestApplet initialized");
    }

    public void hello()
    {
        System.out.println("TestApplet hello");
    }
}
***** manifest attributes *****
Trusted-Library: true
Permissions: all-permissions
Codebase: *
Caller-Allowable-Codebase: *
Application-Library-Allowable-Codebase: *
Application-Name: TestApplet
***** test page (test.html) *****
<applet id="testApplet" codebase="." code="TestApplet.class" archive="testApplet.jar" width="1" height="1">
</applet>
<input type="button" value="hello" onclick="document.getElementById('testApplet').hello()" />
---------- END SOURCE ----------
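An added example, not part of the original report or of the JDK: a small audit that classifies the three codebase attributes from the report's manifest as missing, wildcard or restricted, which for Caller-Allowable-Codebase is the distinction the description ties the failure to. The class name `ManifestCodebaseAudit` and the host `applets.example.com` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class ManifestCodebaseAudit {
    // The three codebase attributes present in the report's manifest.
    static final String[] CHECKED = {
        "Codebase", "Caller-Allowable-Codebase", "Application-Library-Allowable-Codebase"
    };

    /** Classifies one main-section attribute as MISSING, WILDCARD or RESTRICTED. */
    static String classify(Attributes main, String name) {
        String value = main.getValue(name);
        if (value == null || value.trim().isEmpty()) return "MISSING";
        for (String token : value.trim().split("\\s+")) {
            if (token.equals("*")) return "WILDCARD";   // bare "*" places no restriction
        }
        return "RESTRICTED";
    }

    static void report(String label, Manifest mf) {
        System.out.println(label);
        for (String name : CHECKED) {
            System.out.printf("  %-40s %s%n", name, classify(mf.getMainAttributes(), name));
        }
    }
    static Manifest parse(String text) throws IOException {
        return new Manifest(new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws IOException {
        for (String path : args) {                      // audit real JARs if paths are given
            try (JarFile jar = new JarFile(path)) {
                Manifest mf = jar.getManifest();        // null when the JAR has no manifest
                report(path, mf != null ? mf : new Manifest());
            }
        }
        // Manifest attributes from the report (Manifest-Version added so it parses).
        report("reported manifest", parse("Manifest-Version: 1.0\nTrusted-Library: true\n"
            + "Permissions: all-permissions\nCodebase: *\nCaller-Allowable-Codebase: *\n"
            + "Application-Library-Allowable-Codebase: *\nApplication-Name: TestApplet\n"));
        // Constructed variant: applets.example.com is a placeholder host, not from the report.
        report("restricted variant", parse("Manifest-Version: 1.0\n"
            + "Permissions: all-permissions\nCodebase: applets.example.com\n"
            + "Caller-Allowable-Codebase: applets.example.com\n"));
    }
}
```

The reported manifest yields WILDCARD for all three attributes; the constructed variant yields RESTRICTED for the two it sets and MISSING for Application-Library-Allowable-Codebase.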