-
Bug
-
Resolution: Not an Issue
-
P3
-
None
-
8u45
-
x86
-
windows_7
FULL PRODUCT VERSION :
Working with:
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b15)
Java HotSpot(TM) Client VM (build 25.45-b02, mixed mode)
Also tested with latest Java 8 ea: 8u60b18 (2 Jun 2015) and also not working
ADDITIONAL OS VERSION INFORMATION :
Windows 7 32 bits, and 64 bits
Internet Explorer 11 and 8
A DESCRIPTION OF THE PROBLEM :
A signed applet, with a valid certificate, and valid tsa information, with a permissive manifest, defnied as:
Trusted-Library: true
Permissions: all-permissions
Codebase: the-correct-codebase
When it tries to load a resource located in the codebase directory (not in a jar) by using Thread.currentThread().getContextClassLoader().getResourceAsStream(...) a mixed code security prompt is show.
The applet is following all the rules defined in the documentacion for mixed code loading, see: http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/mixed_code.html
This behaviour is not happening with Java 7 (lastest as today is 7u80) but it happens with current Java 8 (8u45) and Java 8 ea (8u60b18)
According to mixed code Trusted-library documentation, the warning should not appear.
Also, the warning description is inaccurate, as it says that the applet is not signed and the published unknown, and that is not the case, misleading the user.
REGRESSION. Last worked in version 7u80
ADDITIONAL REGRESSION INFORMATION:
Working with:
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) Client VM (build 20.60-b11, mixed mode, sharing)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Deploy signed applet (testJava8.jar) test resource(test.xml) and webpage(testJava8Applet.html) to docroot at a webserver
2) Access the html page with a IE 11
3) The applet loads and shows the signed applet warning, accept it
4) The applet runs, enters its inti method, and tries to load the resource prompting a mixed code warning
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The applet should be able to load the resource with not additional warnign as its signed, has valid tsa information, is a trusted library, has all-permissions and the resource is located in the codebase
ACTUAL -
A mixed code security warning is shown
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Stack for the thread showing the mixed code warning:
"thread applet-testJava8.ResourceLoadingTestApplet-1" #37 prio=4 os_prio=-1 tid=0x1619f800 nid=0x36c in Object.wait() [0x1916e000]
java.lang.Thread.State: WAITING (on object monitor)
at java.lang.Object.wait(Native Method)
- waiting on <0x0a5befc0> (a sun.plugin.util.PluginSysUtil$SysExecutionThread)
at java.lang.Thread.join(Unknown Source)
- locked <0x0a5befc0> (a sun.plugin.util.PluginSysUtil$SysExecutionThread)
at java.lang.Thread.join(Unknown Source)
at sun.plugin.util.PluginSysUtil.execute(Unknown Source)
at sun.plugin.util.PluginSysUtil.execute(Unknown Source)
at sun.plugin.util.PluginSysUtil.delegate(Unknown Source)
at com.sun.deploy.util.DeploySysRun.execute(Unknown Source)
at com.sun.deploy.util.DeploySysRun$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.util.DeploySysRun.executePrivileged(Unknown Source)
at com.sun.deploy.ui.UIFactory.showSSV3Dialog(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.ui.UIFactoryImpl.showSSV3Dialog(Unknown Source)
at com.sun.deploy.uitoolkit.ui.DelegatingPluginUIFactory.showSSV3Dialog(Unknown Source)
at com.sun.deploy.security.SandboxSecurity.showUntrustedDialog(Unknown Source)
at com.sun.deploy.security.SandboxSecurity.checkRunUntrusted(Unknown Source)
at com.sun.deploy.security.SandboxSecurity.checkUnsignedSandboxSecurity(Unknown Source)
- locked <0x0a2e7ec0> (a com.sun.deploy.util.SessionProperties)
at com.sun.deploy.security.SandboxSecurity.isPermissionGranted(Unknown Source)
at com.sun.deploy.security.DeployURLClassLoader.getResourcePermission(Unknown Source)
at com.sun.deploy.security.DeployURLClassLoader.getResourceAsStream(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.getResourceAsStream(Unknown Source)
- locked <0x0a208d70> (a java.lang.Object)
at testJava8.ResourceLoadingTestApplet.init(ResourceLoadingTestApplet.java:19)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Example applet:
package testJava8;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import javax.swing.JApplet;
public class ResourceLoadingTestApplet extends JApplet {
private static final long serialVersionUID = -3327350932754744165L;
public void init() {
System.out.println("Inside applet init...");
System.out.println("Trying Thread.currentThread().getContextClassLoader().getResourceAsStream(\"/test.xml\")");
System.out.println("test.xml");
InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream("test.xml");
readMyInputStream(is);
System.out.println("Exiting applet init...");
}
private void readMyInputStream(InputStream is) {
try {
byte[] buffer = new byte[4 * 1024];
ByteArrayOutputStream baos = new ByteArrayOutputStream();
int len = is.read(buffer);
while (len >= 0) {
baos.write(buffer, 0, len);
len = is.read(buffer);
}
System.out.println("XML size:"+baos.size());
System.out.println("XML content: "+new String(baos.toByteArray()));
} catch (Exception ioe) {
ioe.printStackTrace();
}finally{
try {
is.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
Manifest:
Manifest-Version: 1.0
Application-Name: TestJava8
Trusted-Library: true
Permissions: all-permissions
Codebase: *
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Web page loading the applet:
<HTML>
<HEAD>
<TITLE>Test java 8 applet</TITLE>
</HEAD>
<BODY>
<script src="https://www.java.com/js/deployJava.js"></script>
<script>
var attributes = {
code : 'testJava8.ResourceLoadingTestApplet',
archive : 'testJava8.jar',
width : 710,
height : 540
};
var parameters = {
fontSize : 16,
codebase : 'http://localhost:8080',
codebase_lookup : 'true'
};
deployJava.runApplet(attributes, parameters);
</script>
</BODY>
</HTML>
Test resource:
<test>This is a dummy xml config file</test>
---------- END SOURCE ----------
Working with:
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b15)
Java HotSpot(TM) Client VM (build 25.45-b02, mixed mode)
Also tested with latest Java 8 ea: 8u60b18 (2 Jun 2015) and also not working
ADDITIONAL OS VERSION INFORMATION :
Windows 7 32 bits, and 64 bits
Internet Explorer 11 and 8
A DESCRIPTION OF THE PROBLEM :
A signed applet, with a valid certificate, and valid tsa information, with a permissive manifest, defnied as:
Trusted-Library: true
Permissions: all-permissions
Codebase: the-correct-codebase
When it tries to load a resource located in the codebase directory (not in a jar) by using Thread.currentThread().getContextClassLoader().getResourceAsStream(...) a mixed code security prompt is show.
The applet is following all the rules defined in the documentacion for mixed code loading, see: http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/mixed_code.html
This behaviour is not happening with Java 7 (lastest as today is 7u80) but it happens with current Java 8 (8u45) and Java 8 ea (8u60b18)
According to mixed code Trusted-library documentation, the warning should not appear.
Also, the warning description is inaccurate, as it says that the applet is not signed and the published unknown, and that is not the case, misleading the user.
REGRESSION. Last worked in version 7u80
ADDITIONAL REGRESSION INFORMATION:
Working with:
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) Client VM (build 20.60-b11, mixed mode, sharing)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Deploy signed applet (testJava8.jar) test resource(test.xml) and webpage(testJava8Applet.html) to docroot at a webserver
2) Access the html page with a IE 11
3) The applet loads and shows the signed applet warning, accept it
4) The applet runs, enters its inti method, and tries to load the resource prompting a mixed code warning
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The applet should be able to load the resource with not additional warnign as its signed, has valid tsa information, is a trusted library, has all-permissions and the resource is located in the codebase
ACTUAL -
A mixed code security warning is shown
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Stack for the thread showing the mixed code warning:
"thread applet-testJava8.ResourceLoadingTestApplet-1" #37 prio=4 os_prio=-1 tid=0x1619f800 nid=0x36c in Object.wait() [0x1916e000]
java.lang.Thread.State: WAITING (on object monitor)
at java.lang.Object.wait(Native Method)
- waiting on <0x0a5befc0> (a sun.plugin.util.PluginSysUtil$SysExecutionThread)
at java.lang.Thread.join(Unknown Source)
- locked <0x0a5befc0> (a sun.plugin.util.PluginSysUtil$SysExecutionThread)
at java.lang.Thread.join(Unknown Source)
at sun.plugin.util.PluginSysUtil.execute(Unknown Source)
at sun.plugin.util.PluginSysUtil.execute(Unknown Source)
at sun.plugin.util.PluginSysUtil.delegate(Unknown Source)
at com.sun.deploy.util.DeploySysRun.execute(Unknown Source)
at com.sun.deploy.util.DeploySysRun$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.util.DeploySysRun.executePrivileged(Unknown Source)
at com.sun.deploy.ui.UIFactory.showSSV3Dialog(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.ui.UIFactoryImpl.showSSV3Dialog(Unknown Source)
at com.sun.deploy.uitoolkit.ui.DelegatingPluginUIFactory.showSSV3Dialog(Unknown Source)
at com.sun.deploy.security.SandboxSecurity.showUntrustedDialog(Unknown Source)
at com.sun.deploy.security.SandboxSecurity.checkRunUntrusted(Unknown Source)
at com.sun.deploy.security.SandboxSecurity.checkUnsignedSandboxSecurity(Unknown Source)
- locked <0x0a2e7ec0> (a com.sun.deploy.util.SessionProperties)
at com.sun.deploy.security.SandboxSecurity.isPermissionGranted(Unknown Source)
at com.sun.deploy.security.DeployURLClassLoader.getResourcePermission(Unknown Source)
at com.sun.deploy.security.DeployURLClassLoader.getResourceAsStream(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.getResourceAsStream(Unknown Source)
- locked <0x0a208d70> (a java.lang.Object)
at testJava8.ResourceLoadingTestApplet.init(ResourceLoadingTestApplet.java:19)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Example applet:
package testJava8;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import javax.swing.JApplet;
public class ResourceLoadingTestApplet extends JApplet {
private static final long serialVersionUID = -3327350932754744165L;
public void init() {
System.out.println("Inside applet init...");
System.out.println("Trying Thread.currentThread().getContextClassLoader().getResourceAsStream(\"/test.xml\")");
System.out.println("test.xml");
InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream("test.xml");
readMyInputStream(is);
System.out.println("Exiting applet init...");
}
private void readMyInputStream(InputStream is) {
try {
byte[] buffer = new byte[4 * 1024];
ByteArrayOutputStream baos = new ByteArrayOutputStream();
int len = is.read(buffer);
while (len >= 0) {
baos.write(buffer, 0, len);
len = is.read(buffer);
}
System.out.println("XML size:"+baos.size());
System.out.println("XML content: "+new String(baos.toByteArray()));
} catch (Exception ioe) {
ioe.printStackTrace();
}finally{
try {
is.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
Manifest:
Manifest-Version: 1.0
Application-Name: TestJava8
Trusted-Library: true
Permissions: all-permissions
Codebase: *
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Web page loading the applet:
<HTML>
<HEAD>
<TITLE>Test java 8 applet</TITLE>
</HEAD>
<BODY>
<script src="https://www.java.com/js/deployJava.js"></script>
<script>
var attributes = {
code : 'testJava8.ResourceLoadingTestApplet',
archive : 'testJava8.jar',
width : 710,
height : 540
};
var parameters = {
fontSize : 16,
codebase : 'http://localhost:8080',
codebase_lookup : 'true'
};
deployJava.runApplet(attributes, parameters);
</script>
</BODY>
</HTML>
Test resource:
<test>This is a dummy xml config file</test>
---------- END SOURCE ----------