JDK-6766037 : Signed jar gives SecurityException: host syntax error in crossdomain.xml
- Type: Bug
- Component: deploy
- Sub-Component: webstart
- Affected Version: 6u10
- Priority: P3
- Status: Closed
- Resolution: Fixed
- OS: windows_xp
- CPU: x86
- Submitted: 2008-10-31
- Updated: 2011-02-16
- Resolved: 2009-01-21
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 6 |
|---|
6u12 b02Fixed  |
Related Reports
|
Relates :
|
|
|
Relates :
|
Description
FULL PRODUCT VERSION :
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows XP 32 bit
A DESCRIPTION OF THE PROBLEM :
Since I installed jre 6 update 10 my Java Web Start program cannot connect to an external URL to retreive settings.
From what I've read some security improvements has been made in JRE 6u10 including support for the crossdomain.xml but this should only be adressing UNsigned java web start applications.
My application is signed and I 've also added the following entry in my JNLP-file to prevent error like this:
<security>
<all-permissions/>
</security>
My application has been running without problems since jre 1.4.2 and suddenly the functionallity has changed.
If this change is considered permanent some documentation about the change and some workarounds would be appreciated. For example I can��t find anywhere how to publish this crossdomain.xml-file on a system not hosting a http-server on port 80.
Full stack trace:
java.lang.SecurityException: denied access outside a permitted URL subpath
at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
... 38 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Publish a java web start program, sign the jars and try to connect to an external (different from the source of webstart program) URL from withing the java web start program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No exception
ACTUAL -
Exception:
java.lang.SecurityException: denied access outside a permitted URL subpath
at sun.net.www.protocol.http.HttpURLConnection.checkURLFile(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
Caused by: java.lang.SecurityException: host syntax error in crossdomain.xml check
at com.sun.javaws.security.JavaWebStartSecurity.checkConnect(Unknown Source)
... 38 more
ERROR MESSAGES/STACK TRACES THAT OCCUR :
host syntax error in crossdomain.xml check
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
URL url = new URL("http",host,port,file + "?source=" + URLEncoder.encode(sourceApp));
conn = url.openConnection();
bis = new BufferedInputStream(conn.getInputStream());
---------- END SOURCE ----------
Release Regression From : 6
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
Comments
|