- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 7u71
- x86
- linux
- Verified
FULL PRODUCT VERSION :
/usr/java/latest/bin/java -version
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) Client VM (build 24.71-b01, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Linux 3.0.101-0.40-pae #1 SMP Thu Sep 18 13:09:38 UTC 2014 (44b8c95) i686 i686 i386 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
Running Firefox 24.8 ESR browser.
A DESCRIPTION OF THE PROBLEM :
While upgrading client workstations to SUSE Linux Enterprise Desktop 11 SP3, noticed that a web app that executes JavaScript code to access a Java applet always pops up a Security Warning dialog. The 'Do not show again for this app and web site' check box does not suppress the dialog on subsequent access. This applet is loaded from a site where the server's URL starts with the letter 't'. We have upgraded client workstations at many other sites and this problem HAS NOT occurred. I found this issue reporting the same problem --
https://community.oracle.com/thread/3575740 -- and have confirmed that using an alias for the server name (or using the server's IP address) prevents the problem from occurring.
Looking at the .java cache file containing the 'js.allowed.codebases' values, ./6.0/31/79b1f55f-AAA-6.0.lap, possibly the use of the '/t' separator is associated with the problem.
#LAP
#Fri Feb 27 19:41:01 GMT-00:00 2015
mainTitle=AAA
mainPublisher=AAA Code Sign
js.allowed.codebases=http//taaa\:8080/thttp//taaa\:8080/thttp//taaa\:8080
Excerpts from the java trace log are below:
=================================
basic: Told clients applet is started
JTaskCreateRunnable.run(): Start
JTaskComponent.invoke(): Start
JTaskComponent.invoke(): No object to call. Method:resize
JTaskComponent.invoke(): End
security: Javascript from a non secure page is accessing privileged code. Consider using HTTPS protocol when using Javascript -> Java liveconnect calls.
ruleset: Non-jnlp rule id:
title: THE_TITLE
location: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
jar location: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
jar version: null
isArtifact: true
ruleset: finding Deployment Rule Set for
title: THE_TITLE
location: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
jar location: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
jar version: null
isArtifact: true
ruleset: RuleId compare: (https, tAAA, 8443, ) to url: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
ruleset: RuleId compare: (https, tAAA, 8443, ) to url: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
ruleset: RuleId compare: (https, tAAA, 8443, ) to url: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
ruleset: RuleId compare: (http, tAAA, 8080, ) to url: http://<URL>:8080/<FOO>&userId=usr1&transactionId=0&mode=full&source=FirefoxInit
ruleset: no rule applies, returning Default Rule
ui: NativeMixedCodeDialog executes the command in a separate process:
ui: args[0]=/usr/java/jdk1.7.0_71/jre/bin/java
ui: args[1]=-cp
ui: args[2]=/usr/java/jdk1.7.0_71/jre/lib/deploy.jar
ui: args[3]=com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog
ui: args[4]=AAA
ui: args[5]=Web Site:
ui: args[6]=http://tAAA:8080
ui: args[7]=Publisher:
ui: args[8]=AAA
ui: args[9]=Do not show this again for this app and web site.
preloader: Stop progressCheck thread queue.size()=0
JTaskThread.setPyObject(): Start
JTaskThread.setPyObject(): End
JTaskCreateRunnable.run(): End
ADDITIONAL REGRESSION INFORMATION:
/usr/java/latest/bin/java -version
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) Client VM (build 24.71-b01, mixed mode, sharing)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Open a browser and from a URL starting with the letter 't', access a web page containing JavaScript that accesses a Java applet. Once the "1.7.0_71" JRE loads, a security warning dialog pops up.
2. Select the 'Do not show this again ...' check box and select 'Allow'. Allow applet to load and continue.
3. Close browser.
4. Repeat steps 1-2. Note that the warning dialog reappears. Clicking the check box does not suppress the dialog.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The warning dialog should be suppressed on subsequent accesses.
ACTUAL -
The warning dialog pops up on every access of the web page (and applet).
Note, on all other sites (with server URLs starting with a letter other than 't'), selecting the check box to suppress the dialog has worked as expected.
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Replacing the server's URL with an alias or the actual IP address prevents the problem from occurring, but is just a temporary workaround.
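The following is an added illustration, not code from the JRE or from the reporter. It models the reporter's hypothesis that an unescaped '/t' separator in 'js.allowed.codebases' collides with a host name beginning with 't', and shows that this model reproduces both the repeated prompt and the three duplicate entries in the .lap excerpt. The function names, the split-and-append logic and the JSON alternative are assumptions made for the example; the JRE's actual parsing is not shown in this report.

```python
import json

SEP = "/t"  # separator as it appears in the report's .lap excerpt
# Value copied from the report's excerpt (host name begins with 't').
REPORTED = r"http//taaa\:8080/thttp//taaa\:8080/thttp//taaa\:8080"

def naive_lookup(stored, codebase):
    """Split on the raw separator with no escaping (assumed behaviour)."""
    return codebase in stored.split(SEP) if stored else False

def naive_remember(stored, codebase):
    """Append the codebase unless the lookup already finds it."""
    if naive_lookup(stored, codebase):
        return stored
    return codebase if not stored else stored + SEP + codebase

def safe_lookup(stored, codebase):
    """Same list, stored as a JSON array so entries cannot collide."""
    return codebase in (json.loads(stored) if stored else [])

def safe_remember(stored, codebase):
    entries = json.loads(stored) if stored else []
    if codebase not in entries:
        entries.append(codebase)
    return json.dumps(entries)

def simulate(codebase, sessions, lookup, remember):
    """Return (prompts shown, final stored value) over N browser sessions."""
    stored, prompts = "", 0
    for _ in range(sessions):
        if not lookup(stored, codebase):
            prompts += 1  # dialog shown, user ticks "do not show again"
            stored = remember(stored, codebase)
    return prompts, stored

if __name__ == "__main__":
    for host in ("taaa", "saaa"):  # constructed host names
        cb = "http//" + host + r"\:8080"
        print(host, "naive:", simulate(cb, 3, naive_lookup, naive_remember))
        print(host, "json :", simulate(cb, 3, safe_lookup, safe_remember)[0])
```

Under this model the allow-list fails closed: the entry for the 't' host is never matched, so the prompt is shown every session and the stored value grows by one copy each time.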