Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8154405

AccessControlException by URLPermission check

XMLWordPrintable

    • b01

      There is an inconsistency between documentation and implementation for the following two methods:
      - Toolkit.getImage(URL url)
      - Toolkit.createImage(URL url)

      According to the documentation (i.e. https://docs.oracle.com/javase/8/docs/api/java/awt/Toolkit.html) the methods call SecurityManager.checkPermission() with the permission returned by url.openConnection().getPermission() (it returns SocketPermission for HTTP connection). However in fact URLPermission is used for the check inside SecurityManager.

      Test case:
      import java.awt.Toolkit;
      import java.net.URL;

      public class CheckPermissionTest {
          public static void main(String[] args) throws Exception {
              URL url = new URL("http://dummyServer.com/dummyImage.png");
              System.out.println("url.openConnection().getPermission() = "+url.openConnection().getPermission());
              Toolkit.getDefaultToolkit().getImage(url);
          }
      }

      Policy file:
      $cat policy.socket
      grant {
        permission java.net.SocketPermission "*", "connect,resolve";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.awt.image";
      };

      Steps to reproduce:
      1. Compile the test: javac CheckPermissionTest.java
      2. Run the test: java -Djava.security.manager -Djava.security.policy=policy.socket CheckPermissionTest
      3. The following is printed out:

      url.openConnection().getPermission() = ("java.net.SocketPermission" "dummyServer.com:80" "connect,resolve")
      Exception in thread "main" java.security.AccessControlException: access denied ("java.net.URLPermission" "http://dummyServer.com/dummyImage@2x.png" "*:*")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      at java.security.AccessController.checkPermission(AccessController.java:884)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at sun.awt.SunToolkit.checkPermissions(SunToolkit.java:936)
      at sun.awt.SunToolkit.imageExists(SunToolkit.java:911)
      at sun.lwawt.macosx.LWCToolkit.getImage(LWCToolkit.java:554)
      at CheckPermissionTest.main(CheckPermissionTest.java:8)

            dmarkov Dmitry Markov
            shadowbug Shadow Bug
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: