Bug ID: JDK-6790708 crossdomain.xml broken in Java 6 update 12ea b02/b03

Details
Type: Bug
Submit Date: 2009-01-06
Status: Closed
Updated Date: 2013-01-10
Project Name: JDK
Resolved Date: 2009-01-31
Component: deploy
OS: windows_xp
Sub-Component: plugin
CPU: x86
Priority: P2
Resolution: Fixed
Affected Versions: 6u12
Fixed Versions: 6u12 (b04)

Description
FULL PRODUCT VERSION :
java version "1.6.0_12-ea"
Java(TM) SE Runtime Environment (build 1.6.0_12-ea-b03)
Java HotSpot(TM) Client VM (build 11.2-b01, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [versie 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Both Internet Explorer 7 and Firefox 3(.0.5)

A DESCRIPTION OF THE PROBLEM :
crossdomain.xml broken in Java 6 update 12ea

For example, this demo is not working in update12 b03, but it is doing fine in previous update versions: http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html

Another application that is trying to connect to the Google translation services throws a SocketPermission access denied, while the crossdomain.xml file is available; http://ajax.googleapis.com/crossdomain.xml

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start this example with both Java 6 update 10 and Java 6 update 12 b03
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Working application, images from Flickr
ACTUAL -
No images, console error: java.security.AccessControlException: access denied

ERROR MESSAGES/STACK TRACES THAT OCCUR :
network: Connecting http://ajax.googleapis.com/ajax/services/language/translate?langpair=%7Cen&v=1.0&hl=nl&format=text&q=test with proxy=DIRECT
23-dec-2008 0:46:22 translator.ui.TranslationDialog$TranslateAction$5 done
WARNING: Translation error
java.util.concurrent.ExecutionException: java.security.AccessControlException: access denied (java.net.SocketPermission ajax.googleapis.com:80 connect,resolve)
at java.util.concurrent.FutureTask$Sync.innerGet(Unknown Source)
at java.util.concurrent.FutureTask.get(Unknown Source)
at javax.swing.SwingWorker.get(Unknown Source)
at translator.ui.TranslationDialog$TranslateAction$5.done(TranslationDialog.java:541)
Caused by: java.security.AccessControlException: access denied (java.net.SocketPermission ajax.googleapis.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at applications.translator.utils.TranslationUtils.openHttpConnection(TranslationUtils.java:393)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html
---------- END SOURCE ----------

Release Regression From : 6u10
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

                                    

Comments
EVALUATION

6u12 b01 is okay. Problem exists starting in 6u12 b02.
2009-01-07
EVALUATION

Problem is caused by the fix to 6766037.

In the plugin/webstart security manager checkConnect method, when we catch the security exception and fall back to call CrossDomainXML.check, we did the following:

 if ((url != null) && CrossDomainXML.check(getClassContext(), 
                                                url, host, port, mode)) {

The problem is that url is always null here, because url is only set when mode is CHECK_SET_HOST or CHECK_SUBPATH.

There is no need to ensure url is non-null here. Removing the null check fixed the problem.
2009-01-07
SUGGESTED FIX

http://web-east.east/www/webrevs/andy/1.6.0_12/6790708/
                                     
2009-01-07
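
The guard described in the evaluation, modelled as an added example (not the plugin's source and not part of the original report): a default connect check that falls back to a cross-domain policy lookup, run once with the `url != null` condition and once without it. All class, method and host names other than CHECK_SET_HOST and CHECK_SUBPATH are assumptions made for illustration.

```java
import java.util.Set;

// Simplified model of the checkConnect fallback; all names are hypothetical
// stand-ins, not the plugin's real classes or signatures.
public class CheckConnectFallback {
    // CHECK_SET_HOST and CHECK_SUBPATH come from the evaluation; CHECK_CONNECT
    // is an assumed name for the plain connect case.
    enum Mode { CHECK_CONNECT, CHECK_SET_HOST, CHECK_SUBPATH }

    // Constructed sample: hosts whose crossdomain.xml grants access.
    static final Set<String> POLICY_HOSTS = Set.of("ajax.googleapis.com");

    // Stand-in for CrossDomainXML.check; this model decides on host alone.
    static boolean crossDomainCheck(String url, String host, int port, Mode mode) {
        return POLICY_HOSTS.contains(host);
    }

    // Stand-in for the default check: an unsigned applet may only reach its origin.
    static void defaultCheck(String origin, String host) {
        if (!origin.equals(host)) {
            throw new SecurityException("access denied (" + host + ")");
        }
    }

    // nullGuard=true models the regressed condition, false the fixed one.
    static boolean allowed(String origin, String host, int port, Mode mode, boolean nullGuard) {
        // url is only populated for CHECK_SET_HOST and CHECK_SUBPATH.
        String url = (mode == Mode.CHECK_CONNECT) ? null : "http://" + host + "/";
        try {
            defaultCheck(origin, host);
            return true;
        } catch (SecurityException e) {
            if (nullGuard && url == null) {
                return false; // fallback never runs, so the policy file is ignored
            }
            return crossDomainCheck(url, host, port, mode);
        }
    }

    public static void main(String[] args) {
        String origin = "applet.example"; // constructed applet origin
        String[] hosts = { "applet.example", "ajax.googleapis.com", "no-policy.example" };
        for (String host : hosts) {
            System.out.printf("%-20s regressed=%-5b fixed=%b%n", host,
                    allowed(origin, host, 80, Mode.CHECK_CONNECT, true),
                    allowed(origin, host, 80, Mode.CHECK_CONNECT, false));
        }
    }
}
```

In this model the host without a policy entry is denied under both conditions, so dropping the guard restores the policy lookup without granting access to hosts that publish no crossdomain.xml.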


