- Bug
- Resolution: Fixed
- P3
- 8u65, 9, 10
- b01
There is an inconsistency between documentation and implementation for the following two methods:
- Toolkit.getImage(URL url)
- Toolkit.createImage(URL url)
According to the documentation (https://docs.oracle.com/javase/8/docs/api/java/awt/Toolkit.html), these methods call SecurityManager.checkPermission() with the permission returned by url.openConnection().getPermission(), which is a SocketPermission for an HTTP connection. In practice, however, a URLPermission is used for the check inside SecurityManager.
Test case:
    import java.awt.Toolkit;
    import java.net.URL;

    public class CheckPermissionTest {
        public static void main(String[] args) throws Exception {
            URL url = new URL("http://dummyServer.com/dummyImage.png");
            System.out.println("url.openConnection().getPermission() = " + url.openConnection().getPermission()); // the permission the documentation says is checked
            Toolkit.getDefaultToolkit().getImage(url); // the SecurityManager check happens inside this call
        }
    }
Policy file:
    $ cat policy.socket
    grant {
        permission java.net.SocketPermission "*", "connect,resolve";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.awt.image";
    };
Steps to reproduce:
1. Compile the test: javac CheckPermissionTest.java
2. Run the test: java -Djava.security.manager -Djava.security.policy=policy.socket CheckPermissionTest
3. The following is printed out:
    url.openConnection().getPermission() = ("java.net.SocketPermission" "dummyServer.com:80" "connect,resolve")
    Exception in thread "main" java.security.AccessControlException: access denied ("java.net.URLPermission" "http://dummyServer.com/dummyImage@2x.png" "*:*")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at sun.awt.SunToolkit.checkPermissions(SunToolkit.java:936)
        at sun.awt.SunToolkit.imageExists(SunToolkit.java:911)
        at sun.lwawt.macosx.LWCToolkit.getImage(LWCToolkit.java:554)
        at CheckPermissionTest.main(CheckPermissionTest.java:8)
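
The mismatch can be examined offline, without installing a SecurityManager, by asking a permission set whether it implies the permission that was documented and the one that was actually checked. This is an added example, not code from the report or from the JDK; the class name PermissionMismatchDemo, the helper granted() and the URLPermission grant in the second policy are assumptions made for illustration.

```java
import java.net.SocketPermission;
import java.net.URLPermission;
import java.security.Permission;
import java.security.Permissions;

public class PermissionMismatchDemo {
    // Builds the permission set that a policy file's grant block would yield.
    static Permissions granted(Permission... perms) {
        Permissions set = new Permissions();
        for (Permission p : perms) {
            set.add(p);
        }
        return set;
    }

    public static void main(String[] args) {
        // Permission the documentation says is checked (as printed by the test case).
        Permission documented =
            new SocketPermission("dummyServer.com:80", "connect,resolve");
        // Permission named in the AccessControlException from the report.
        Permission actual =
            new URLPermission("http://dummyServer.com/dummyImage@2x.png", "*:*");

        // The grants from policy.socket in the report.
        Permissions socketPolicy = granted(
            new SocketPermission("*", "connect,resolve"),
            new RuntimePermission("accessClassInPackage.sun.awt.image"));

        // Constructed alternative (assumption): the same grants plus a
        // URLPermission covering every resource directly under the host root.
        Permissions urlPolicy = granted(
            new SocketPermission("*", "connect,resolve"),
            new RuntimePermission("accessClassInPackage.sun.awt.image"),
            new URLPermission("http://dummyServer.com/*", "*:*"));

        // A SocketPermission never implies a URLPermission, however broad it is,
        // so a policy written from the documentation fails the real check.
        System.out.println("policy.socket implies documented SocketPermission: "
            + socketPolicy.implies(documented));
        System.out.println("policy.socket implies checked URLPermission:       "
            + socketPolicy.implies(actual));
        System.out.println("URL policy implies checked URLPermission:          "
            + urlPolicy.implies(actual));
    }
}
```

The checked URL is the derived dummyImage@2x.png rather than the requested dummyImage.png, so a URLPermission grant scoped to the exact requested path would not imply it either.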