United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-6181598 : String constructor with "KSC5601" encoding throws AccessControlException

Details
Type:
Bug
Submit Date:
2004-10-19
Status:
Resolved
Updated Date:
2012-10-10
Project Name:
JDK
Resolved Date:
2005-03-04
Component:
core-libs
OS:
generic,windows_xp
Sub-Component:
java.nio
CPU:
x86,generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
1.4.2_09,5.0
Fixed Versions:

Related Reports
Backport:
Backport:

Sub Tasks

Description
Description:
FULL PRODUCT VERSION :
 Sun Java System Application Server Enterprise Edition 8.1 (build b30-beta2)

FULL OS VERSION :
Windows XP

EXTRA RELEVANT SYSTEM CONFIGURATION :
korean locale

A DESCRIPTION OF THE PROBLEM :
When HttpServletRequest.setCharacterEncoding("KSC5601") is called from a servlet, java.security.AccessControlException is thrown.

HttpServletRequest.setCharacterEncoding() is implemented as follows:

        // Ensure that the specified encoding is valid
        byte buffer[] = new byte[1];
        buffer[0] = (byte) 'a';
        String dummy = new String(buffer, enc);

where 'enc' is the char encoding argument passed to HttpServletRequest.setCharacterEncoding().

String constructor throws java.security.AccessControlException, as shown in the following exception stack trace taken from the server log:

[#|2004-10-07T15:53:26.183+0900||sun-appserver-ee8.1|javax.enterprise.system.container.web|_ThreadID=13;|StandardWrapperValve[RequestParamExample]:
Servlet.service() for servlet RequestParamExample threw exception
java.security.AccessControlException: access denied
(java.lang.RuntimePermission charsetProvider)
	at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
	at
java.security.AccessController.checkPermission(AccessController.java:401)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
	at java.nio.charset.spi.CharsetProvider.<init>(CharsetProvider.java:67)
	at
sun.nio.cs.AbstractCharsetProvider.<init>(AbstractCharsetProvider.java:58)
	at sun.nio.cs.ext.ExtendedCharsets.<init>(ExtendedCharsets.java:33)
	at sun.nio.cs.ext.ExtendedCharsets.aliasesFor(ExtendedCharsets.java:372)
	at sun.nio.cs.ext.EUC_KR.<init>(EUC_KR.java:25)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
	at java.lang.Class.newInstance0(Class.java:308)
	at java.lang.Class.newInstance(Class.java:261)
	at
sun.nio.cs.AbstractCharsetProvider.lookup(AbstractCharsetProvider.java:130)
	at
sun.nio.cs.AbstractCharsetProvider.charsetForName(AbstractCharsetProvider.java:145)
	at java.nio.charset.Charset.lookupExtendedCharset(Charset.java:411)
	at java.nio.charset.Charset.lookup(Charset.java:423)
	at java.nio.charset.Charset.isSupported(Charset.java:448)
	at java.lang.StringCoding.lookupCharset(StringCoding.java:82)
	at java.lang.StringCoding.decode(StringCoding.java:211)
	at java.lang.String.<init>(String.java:320)
	at java.lang.String.<init>(String.java:346)
	at
org.apache.coyote.tomcat5.CoyoteRequest.setCharacterEncoding(CoyoteRequest.java:1540)
	at
org.apache.coyote.tomcat5.CoyoteRequestFacade.setCharacterEncoding(CoyoteRequestFacade.java:253)
	at
samples.webapps.simple.servlet.RequestParamExample.doGet(RequestParamExample.java:26)
	at
samples.webapps.simple.servlet.RequestParamExample.doPost(RequestParamExample.java:74)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:324)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:273)
	at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:236)
	at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:141)
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:262)
	at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
	at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
	at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
	at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
	at
com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:167)
	at
com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:1738)
###@###.### 10/20/04 01:03 GMT

                                    

Comments
EVALUATION

Sideeffect of bugfix 4838512, the code to "hardwire" ExtendedCharsets
will go down the codepath to static method ExtendedCharsets.aliasesFor(),
which will throw security exception in circumstance that 
(1)SoftReference "instance" in ExtendedCharsets class got cleared by GC and
(2)there is a SecurityManager installed and it denies charsetProvider
(3)trying create a Charset instance from ExtendedCharsets, such as the EUC_KR. 

A quick fix would be to add doPrivileged block either in 
Charset.lookupExtendedCharset as suggested or in 
ExtendedCharsets.aliasesFor().
###@###.### 11/3/04 00:02 GMT

There is almost impossible to write a "real" regtest case to force GC to clean a particular SoftReference. So marked as noreg-hard.
###@###.### 2005-2-24 06:21:35 GMT
                                     
2004-11-03
SUGGESTED FIX

Add doPrivileged block in java.nio.charset.Charset.lookupExtendedCharset().
###@###.### 10/19/04 23:52 GMT
                                     
2004-10-19



Hardware and Software, Engineered to Work Together