- Bug
- Resolution: Duplicate
- P3
- None
- 8u91
- x86_64
- windows_7
FULL PRODUCT VERSION :
Java Web Start 11.91.2.14
Using JRE version 1.8.0_91-b14 Java HotSpot(TM) Client VM
ADDITIONAL OS VERSION INFORMATION :
Appears OS independent. Confirmed on:
Microsoft Windows [Version 6.1.7601]
Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64 x86_64
A DESCRIPTION OF THE PROBLEM :
I cannot run a WebStart application containing a signed log4j 1.2.17 jar on 1.8.0_91. Error messages are included below.
This is the problem reported in JDK-8155901 that the user did not follow up on. I can reproduce and am willing to follow up.
Like JDK-8155901, I have a signed app that has been working fine for years. All jars in the app are signed and include the RIA security attributes:
Application-Name: MyApp
Permissions: all-permissions
Codebase: *
Trusted-Only: true
It still works on 1.8.0_77. It also works on 1.8.0_91 if I downgrade to log4j 1.2.16.
Speculation follows...
The two log4j versions mentioned have different OSGI related Manifest entries. The one that does not work includes the DynamicImport-Package: * entry in the following section:
Name: org.apache.log4j
DynamicImport-Package: *
Implementation-Vendor: "Apache Software Foundation"
Implementation-Title: log4j
Implementation-Version: 1.2.17
After being signed (via maven-webstart plugin) the above section ends up midway through the Manifest in amongst the class signatures.
Is it possible there's a defect related to the OSGI entry and/or the section ordering?
REGRESSION. Last worked in version 8u77
ERROR MESSAGES/STACK TRACES THAT OCCUR :
With Trusted-Only=false:
java.lang.ExceptionInInitializerError
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.SecurityException: class "org.apache.log4j.spi.RootLogger" does not match trust level of other classes in the same package
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.apache.log4j.Logger.getLogger(Logger.java:117)
at com.ibfx.lm.ui.app.Application.<clinit>(Application.java:29)
... 9 more
With Trusted-Only=true:
java.lang.ExceptionInInitializerError
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://192.168.1.11:9090/myapp/app/log4j-1.2.17.jar.pack.gz
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1800(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.apache.log4j.Logger.getLogger(Logger.java:117)
at com.ibfx.lm.ui.app.Application.<clinit>(Application.java:29)
... 9 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use log4j 1.2.16.
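One way to inspect the manifest layout described in the report, as an added example that is not part of the original report or of the JDK: it parses MANIFEST.MF text, checks the main section for the four RIA attributes listed above, and lists named sections that carry no digest attribute (such as the `Name: org.apache.log4j` package section) with their position among the per-class entries. The sample manifest and its digest values are constructed, and `parse_manifest` and `audit` are hypothetical names.

```python
import re

RIA_ATTRS = ("Application-Name", "Permissions", "Codebase", "Trusted-Only")

# Constructed sample: layout as described in the report; digest values are placeholders.
SAMPLE = """Manifest-Version: 1.0
Application-Name: MyApp
Permissions: all-permissions
Codebase: *
Trusted-Only: true

Name: org/apache/log4j/Logger.class
SHA-256-Digest: Y29uc3RydWN0ZWQ=

Name: org.apache.log4j
DynamicImport-Package: *
Implementation-Vendor: "Apache Software Foundation"
Implementation-Title: log4j
Implementation-Version: 1.2.17

Name: org/apache/log4j/spi/RootLogger.class
SHA-256-Digest: Y29uc3RydWN0ZWQ=
"""

def parse_manifest(text):
    """Return (main_attrs, [(name, attrs), ...]) with named sections in file order."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\n ", "")  # unfold continuation lines (leading single space)
    sections = []
    for block in filter(None, re.split(r"\n{2,}", text.strip("\n"))):
        attrs = {}
        for line in block.split("\n"):
            key, _, value = line.partition(": ")
            attrs[key] = value
        sections.append(attrs)
    main = sections[0] if sections else {}
    return main, [(s.get("Name", ""), s) for s in sections[1:]]

def audit(text):
    """Report missing RIA main attributes and named sections without any digest."""
    main, named = parse_manifest(text)
    main_keys = {k.lower() for k in main}  # manifest attribute names are case-insensitive
    missing = [a for a in RIA_ATTRS if a.lower() not in main_keys]
    undigested = [
        (pos, name, sorted(k for k in attrs if k != "Name"))
        for pos, (name, attrs) in enumerate(named)
        if not any(k.lower().endswith("-digest") for k in attrs)
    ]
    return {"missing_ria": missing, "undigested": undigested}
```

Running `audit` on the manifests extracted from the signed 1.2.16 and 1.2.17 jars and comparing the two results shows whether the package-level section is the only structural difference between them.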
- relates to: JDK-8155901 Erroneous SecurityException in web start in Java 1.8.0_91 (Closed)