- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 8u121
- x86_64
- windows_7
- Verified
FULL PRODUCT VERSION :
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
See steps below.
REGRESSION. Last worked in version 8u102
ADDITIONAL REGRESSION INFORMATION:
Doesn't work for:
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
Works for:
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
and
java version "1.7.0_75"
Java(TM) SE Runtime Environment (build 1.7.0_75-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.75-b04, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Steps:
1. Create an applet jar that has a public function that accesses some non-sandbox values.
See the applet code below.
2. Allow all permissions to the applet (this is an excerpt from the Maven config):
   <Caller-Allowable-Codebase>*</Caller-Allowable-Codebase>
   <Permissions>all-permissions</Permissions>
   <Application-Library-Allowable-Codebase>*</Application-Library-Allowable-Codebase>
3. Install JDK 8u121 x64 and sign this applet with jarsigner using JDK_FOLDER\bin\jarsigner.exe
4. Install JRE 7u75 (!) x86.
5. Input the applet into some page and open it in IE 11.
6. Allow applets when prompted.
7. Try to execute testFunction() from the applet in JavaScript.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The function is executed without problems and "null" is returned.
ACTUAL -
At first, the page has a security warning with the message "Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk" and buttons "Run", "Update", "Cancel".
After executing testFunction(), an exception is thrown (see the error message below).
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Error from applet console:
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "some.custom.property" "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at merant.adm.applet.util.SystemPropertyApplet$1.run(SystemPropertyApplet.java:30)
    at java.security.AccessController.doPrivileged(Native Method)
    at merant.adm.applet.util.SystemPropertyApplet.testFunction(SystemPropertyApplet.java:26)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
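---------- BEGIN SOURCE ----------
import java.applet.Applet;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class SystemPropertyApplet extends Applet {
    public SystemPropertyApplet() {
        super();
    }

    // Called from JavaScript through LiveConnect.
    public String testFunction() {
        final String[] res = new String[1];
        res[0] = "wrong";
        // Run the property read with the applet's own permissions rather than
        // those of the (untrusted) JavaScript caller frames on the stack.
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                try {
                    // Needs PropertyPermission "some.custom.property", "read".
                    res[0] = System.getProperty("some.custom.property");
                } catch (Throwable e) {
                    e.printStackTrace();
                }
                return null;
            }
        });
        return res[0];
    }
}
---------- END SOURCE ----------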
CUSTOMER SUBMITTED WORKAROUND :
Update locally to 7u76 or a later version of Java.
OR
Use jarsigner from an earlier JDK (I tried JDK 8u45, JDK 7u75).
SUPPORT :
YES
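
A diagnostic for comparing jars signed by different jarsigner versions, added here as an example and not part of the bug report or of the JDK: run under a given JRE, it lists the manifest attributes from step 2, the digest attribute named in each META-INF/*.SF file, and how many entries that JRE verifies as signed. The class name JarSignatureReport and the built-in unsigned sample jar are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

// Added diagnostic, not from the report. Java 7 syntax only, so it runs under each JRE compared.
public class JarSignatureReport {
    static final String[] ATTRS = {"Permissions", "Caller-Allowable-Codebase",
            "Application-Library-Allowable-Codebase"};
    public static List<String> report(File jar) throws IOException {
        List<String> out = new ArrayList<String>();
        try (JarFile jf = new JarFile(jar, true)) { // true: verify signatures while reading
            Attributes main = jf.getManifest().getMainAttributes();
            for (String a : ATTRS) out.add(a + ": " + main.getValue(a));
            int signed = 0, unsigned = 0;
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                String n = e.getName();
                if (e.isDirectory()) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    if (n.startsWith("META-INF/") && n.endsWith(".SF")) // .SF uses manifest syntax
                        for (Object k : new Manifest(in).getMainAttributes().keySet())
                            if (k.toString().endsWith("-Digest-Manifest")) out.add(n + ": " + k);
                    while (in.read(buf) != -1) { } // signers are known only after a full read
                }
                if (n.startsWith("META-INF/")) continue;
                if (e.getCodeSigners() != null) signed++; else unsigned++;
            }
            out.add("signed entries: " + signed + ", unsigned entries: " + unsigned);
        }
        return out;
    }
    // Constructed sample: an unsigned jar carrying the manifest attributes from step 2.
    static File sample() throws IOException {
        Manifest m = new Manifest();
        m.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        for (int i = 0; i < ATTRS.length; i++)
            m.getMainAttributes().putValue(ATTRS[i], i == 0 ? "all-permissions" : "*");
        File f = File.createTempFile("sample", ".jar");
        f.deleteOnExit();
        try (JarOutputStream jo = new JarOutputStream(new FileOutputStream(f), m)) {
            jo.putNextEntry(new JarEntry("Dummy.class"));
            jo.write(new byte[] {1, 2, 3});
        }
        return f;
    }
    public static void main(String[] args) throws IOException {
        for (String s : report(args.length > 0 ? new File(args[0]) : sample())) System.out.println(s);
    }
}
```

Pass the path of the signed applet jar as the first argument and run the class under each JRE in question; an entry whose digest does not match its signature makes the read throw SecurityException.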