Bug ID: JDK-6672250 Regression: new jnlp.packEnabled property breaks sophisticated applets using LiveConnect

Details
Type: Bug
Submit Date: 2008-03-06
Status: Closed
Updated Date: 2013-01-10
Project Name: JDK
Resolved Date: 2008-05-15
Component: deploy
OS: generic,windows_xp
Sub-Component: deployment_toolkit
CPU: x86,generic
Priority: P2
Resolution: Fixed
Affected Versions: 6u10
Fixed Versions: 6u10 (b14)

Description
The introduction of client-side Pack200 selection in 6378311 has introduced a regression in sophisticated applets using LiveConnect because of the fact that the new code does not use AccessController.doPrivileged() to read the jnlp.packEnabled system property. If JavaScript calls into Java and causes a resource to be loaded, since the JavaScript frame on the stack does not have the permission to read the jnlp.packEnabled system property, a SecurityException will be raised deep in the deployment code and the application will return null for their call to ClassLoader.getResourceAsStream(). This regression was reproduced with NeuroDNA's product at http://www.neurodna.com/ and may affect other real-world applets. It is related to an earlier bug, 6665053.

                                    

Comments
SUGGESTED FIX

http://sa.sfbay.sun.com/projects/deployment_data/6u10/6672250.0
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_10/6672250
                                     
2008-03-07
EVALUATION

The introduction of client-side Pack200 selection in 6378311 has
introduced a regression in sophisticated applets using LiveConnect
because of the fact that the new code does not use
AccessController.doPrivileged() to read the jnlp.packEnabled system
property. If JavaScript calls into Java and causes a resource to be
loaded, since the JavaScript frame on the stack does not have the
permission to read the jnlp.packEnabled system property, a
SecurityException will be raised deep in the deployment code and the
application will return null for their call to
ClassLoader.getResourceAsStream(). This regression was reproduced with
NeuroDNA's product at http://www.neurodna.com/ and may affect other
real-world applets. It is related to an earlier bug, 6665053.

Fixed this by properly using AccessController.doPrivileged() to fetch
this system property in the PluginURLJarFileCallBack. Also refactored
code in the new plug-in to grant the default set of permissions for
untrusted code to calls coming in from JavaScript, which are treated
as coming from untrusted code hosted at the document base.
                                     
2008-03-07
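
The failure and the fix described in the evaluation above, as an added Java example (not the deployment code itself). The class name, the helper names and the empty-permission domain standing in for the JavaScript frame are constructed for illustration, and it assumes a JDK that still supports the Security Manager (JDK 8 through 17).

```java
import java.security.*;

public class PackEnabledLookup {
    static final String KEY = "jnlp.packEnabled";

    // Before the fix: a plain read. The permission check walks the whole call
    // stack, so an unprivileged caller further up makes it throw.
    static String readDirect() {
        return System.getProperty(KEY);
    }

    // After the fix: doPrivileged() stops the stack walk at this class, so only
    // this class's own protection domain needs the PropertyPermission.
    static String readPrivileged() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return System.getProperty(KEY); }
        });
    }

    // Constructed stand-in for a call arriving from JavaScript: run the action
    // under a protection domain that holds no permissions at all.
    static String asUntrustedCaller(PrivilegedAction<String> action) {
        ProtectionDomain sandbox = new ProtectionDomain(null, new Permissions());
        AccessControlContext acc =
            new AccessControlContext(new ProtectionDomain[] { sandbox });
        return AccessController.doPrivileged(action, acc);
    }

    public static void main(String[] args) {
        System.setProperty(KEY, "true");
        // Assumption: this class plays the role of trusted deployment code,
        // so the policy grants every permission to loaded classes.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        try {
            asUntrustedCaller(PackEnabledLookup::readDirect);
            System.out.println("direct read: allowed");
        } catch (SecurityException e) {
            System.out.println("direct read: " + e.getMessage());
        }
        System.out.println("privileged read: "
            + asUntrustedCaller(PackEnabledLookup::readPrivileged));
    }
}
```

The privileged block contains only the read of one fixed property name, so the untrusted caller gains nothing beyond the value the trusted code already intended to use.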