Bug ID: JDK-6766037 Signed jar gives SecurityException: host syntax error in crossdomain.xml

Details
Type: Bug
Submit Date: 2008-10-31
Status: Closed
Updated Date: 2011-02-16
Project Name: JDK
Resolved Date: 2009-01-21
Component: deploy
OS: windows_xp
Sub-Component: webstart
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 6u10
Fixed Versions: 6u12 (b02)

Description
FULL PRODUCT VERSION :
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows XP 32 bit

A DESCRIPTION OF THE PROBLEM :
Since I installed JRE 6 update 10, my Java Web Start program cannot connect to an external URL to retrieve settings.

From what I've read, some security improvements have been made in JRE 6u10, including support for the crossdomain.xml, but this should only be addressing UNsigned Java Web Start applications.

My application is signed and I've also added the following entry in my JNLP file to prevent errors like this:
  <security>
    <all-permissions/>
  </security>

My application has been running without problems since JRE 1.4.2 and suddenly the functionality has changed.

If this change is considered permanent, some documentation about the change and some workarounds would be appreciated. For example, I can't find anywhere how to publish this crossdomain.xml file on a system not hosting an HTTP server on port 80.


Full stack trace:
java.lang.SecurityException: denied access outside a permitted URL subpath
	at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
	at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
	... 38 more

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Publish a Java Web Start program, sign the jars and try to connect to an external (different from the source of the Web Start program) URL from within the Java Web Start program.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No exception
ACTUAL -
Exception:
java.lang.SecurityException: denied access outside a permitted URL subpath
	at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
	at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
	... 38 more

ERROR MESSAGES/STACK TRACES THAT OCCUR :
 host syntax error in crossdomain.xml check

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
URL url = new URL("http", host, port, file + "?source=" + URLEncoder.encode(sourceApp));
conn = url.openConnection();
bis = new BufferedInputStream(conn.getInputStream());
---------- END SOURCE ----------

Release Regression From : 6
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

                                    

Comments
EVALUATION

This appears to be a regression in an application not even attempting to use the crossdomain.xml support. Requires immediate evaluation.
                                     
2008-11-03
WORK AROUND

Do not use the 4-arg constructor of URL.
                                     
2008-11-03
EVALUATION

This is caused by:
4328499: URL.toString() leaves out slash between host and file
                                     
2008-11-04
WORK AROUND

Include a leading slash in the path arg to the 4-arg URL constructor.
                                     
2008-11-06
EVALUATION

The problem only occurs when the URL constructor with 4 args is used and the path arg is relative. This is known to generate a URL that cannot be read (see 4328499).
The crossdomain change caused this to throw a security exception when reading from the URL, instead of the IOException that was thrown previously. Our fix is just to refactor the crossdomain code to not throw the SecurityException.
                                     
2008-11-11
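
The condition named in the last evaluation (4-arg URL constructor with a relative path argument) and the leading-slash workaround, as an added Java example that is not part of the original report or of the JDK fix. The host, port, path and the helper names `buildUrl` and `hasRelativeFile` are constructed for illustration.

```java
import java.net.URL;
import java.net.URLEncoder;

public class FourArgUrlDemo {

    // Hypothetical helper: still uses the 4-arg constructor, but forces the
    // file part to be absolute so host and path stay separated.
    static URL buildUrl(String host, int port, String file, String sourceApp)
            throws Exception {
        String path = file.startsWith("/") ? file : "/" + file;
        String query = "?source=" + URLEncoder.encode(sourceApp, "UTF-8");
        return new URL("http", host, port, path + query);
    }

    // Hypothetical check: true when the file part is relative, which is the
    // case the evaluation ties to bug 4328499 (no slash after the authority).
    static boolean hasRelativeFile(URL url) {
        String file = url.getFile();
        return !file.isEmpty() && !file.startsWith("/");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the report.
        String host = "settings.example.com";
        int port = 8080;
        String file = "config/settings"; // relative path argument
        String sourceApp = "my app";

        // Same shape as the reporter's snippet, with a relative file argument.
        URL relative = new URL("http", host, port,
                file + "?source=" + URLEncoder.encode(sourceApp, "UTF-8"));
        // Workaround form: leading slash in the path argument.
        URL absolute = buildUrl(host, port, file, sourceApp);

        for (URL u : new URL[] { relative, absolute }) {
            System.out.println(u.toExternalForm()
                    + "  relativeFile=" + hasRelativeFile(u)
                    + "  path=" + u.getPath());
        }
    }
}
```

Comparing the two printed external forms shows where the separator between authority and path goes missing; a check like `hasRelativeFile` can be run before `openConnection()` to reject such URLs early.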


