United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6967414 Loading class randomly throws java.lang.SecurityException.
JDK-6967414 : Loading class randomly throws java.lang.SecurityException.

Details
Type:
Bug
Submit Date:
2010-07-07
Status:
Resolved
Updated Date:
2013-06-22
Project Name:
JDK
Resolved Date:
2011-12-19
Component:
deploy
OS:
windows_xp
Sub-Component:
webstart
CPU:
x86
Priority:
P3
Resolution:
Fixed
Affected Versions:
6u20
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:
Backport:
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
C:\>java -version
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Tested enviroments: Java Webstart 1.6.0_17, 1.6.0_18, 1.6.0_20
Affected enviroment: 1.6.0_20


A DESCRIPTION OF THE PROBLEM :
Loading class randomly throws java.lang.SecurityException. Maybe due to static block? they are importing in classloading. When I say randomly I mean 1/30 start fail. All jars and classes are signed and verified! Default java security settings. No special entries in manifest. In JNLP is <security><all-permissions/></security>

*** CASE 1 ****
There are two diferent exceptions on the same code. (some concurrent access ?)

Exception 1 stack:
      java.lang.SecurityException: class "cz.oksystem.rcp.print.i18n.MessageCodesStyleSimpleField" does not match trust level of other classes in the same package
      at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
      at java.net.URLClassLoader$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(Unknown Source)
      at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(Unknown Source)
      at cz.oksystem.centrum.core.rcp.isds.panel.login.ActionDs.getName(ActionDs.java:29)
      at org.openide.util.actions.SystemAction.getValue(SystemAction.java:179)
      at org.openide.awt.Actions$MenuBridge.updateState(Actions.java:977)
      at org.openide.awt.Actions.connect(Actions.java:198)
      at org.openide.awt.Actions.connect(Actions.java:165)
      at org.openide.awt.Actions$MenuItem.<init>(Actions.java:1287)
      at org.netbeans.modules.openide.awt.DefaultAWTBridge.createMenuPresenter(DefaultAWTBridge.java:67)
      at org.openide.util.actions.CallableSystemAction.getMenuPresenter(CallableSystemAction.java:79)
      at org.openide.awt.DynaMenuModel.loadSubmenu(DynaMenuModel.java:92)
      at org.openide.awt.MenuBar$LazyMenu$MenuFolder.createInstance(MenuBar.java:683)
      at org.openide.loaders.FolderInstance.defaultProcessObjects(FolderInstance.java:767)
      at org.openide.loaders.FolderInstance.access$000(FolderInstance.java:99)
      at org.openide.loaders.FolderInstance$2.run(FolderInstance.java:655)
      at org.openide.util.Task.run(Task.java:249)
      at org.openide.awt.AWTTask.run(AWTTask.java:57)
      at java.awt.event.InvocationEvent.dispatch(Unknown Source)
      at java.awt.EventQueue.dispatchEvent(Unknown Source)
      at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:104)
      at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.Dialog$1.run(Unknown Source)
      at java.awt.event.InvocationEvent.dispatch(Unknown Source)
      at java.awt.EventQueue.dispatchEvent(Unknown Source)
      at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:104)
      at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
      at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
      at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
                at java.awt.EventDispatchThread.run(Unknown Source)

Exception 2 stack:
java.lang.SecurityException: trusted loader attempted to load sandboxed resource from https://okcentrum.mpsv.cz:443/centrum/netbeans/modules/ext/rcp-print-1.4.18-update3.jar
      at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
      at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
      at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
      at java.net.URLClassLoader$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(Unknown Source)
      at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(Unknown Source)
      at cz.oksystem.centrum.core.rcp.isds.panel.login.ActionDs.getName(ActionDs.java:29)
      at org.openide.util.actions.SystemAction.getValue(SystemAction.java:179)
      at org.openide.awt.Actions$MenuBridge.updateState(Actions.java:977)
      at org.openide.awt.Actions.connect(Actions.java:198)
      at org.openide.awt.Actions.connect(Actions.java:165)
      at org.openide.awt.Actions$MenuItem.<init>(Actions.java:1287)
      at org.netbeans.modules.openide.awt.DefaultAWTBridge.createMenuPresenter(DefaultAWTBridge.java:67)
      at org.openide.util.actions.CallableSystemAction.getMenuPresenter(CallableSystemAction.java:79)
      at org.openide.awt.DynaMenuModel.loadSubmenu(DynaMenuModel.java:92)
      at org.openide.awt.MenuBar$LazyMenu$MenuFolder.createInstance(MenuBar.java:683)
      at org.openide.loaders.FolderInstance.defaultProcessObjects(FolderInstance.java:767)
      at org.openide.loaders.FolderInstance.access$000(FolderInstance.java:99)
      at org.openide.loaders.FolderInstance$2.run(FolderInstance.java:655)
      at org.openide.util.Task.run(Task.java:249)
      at org.openide.awt.AWTTask.run(AWTTask.java:57)
      at java.awt.event.InvocationEvent.dispatch(Unknown Source)
      at java.awt.EventQueue.dispatchEvent(Unknown Source)
      at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:104)
      at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.Dialog$1.run(Unknown Source)
      at java.awt.event.InvocationEvent.dispatch(Unknown Source)
      at java.awt.EventQueue.dispatchEvent(Unknown Source)
      at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:104)
      at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
      at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
      at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
      at java.awt.EventDispatchThread.run(Unknown Source)

Code snippets:
--- class ActionDs is not from rcp-print-1.4.18-update3.jar ---
  @Override
  public String getName() {
    return DsMessageCodes.DATOVA_SCHRANKA_NAME.getMessage(); // line 29
  }
---
--- class DsMessageCodes is not from rcp-print-1.4.18-update3.jar ---
  static {
    initMessageCodes(DsMessageCodes.class, null, null,
        MessageCodesStyleSimpleField.STYLE_NORMALIZED_FIELD_ONLY);
  }
---
--- class MessageCodesStyleSimpleField is from rcp-print-1.4.18-update3.jar ---
  public static final MessageCodesStyleSimpleField STYLE_NORMALIZED_FIELD_ONLY = new MessageCodesStyleSimpleField();
---

*** CASE 2 ***

Exception stack:
java.lang.SecurityException: class "cz.oksystem.centrum.vyprava.rcp.menu.VypravaMenu" does not match trust level of other classes in the same package
      at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
      at java.net.URLClassLoader$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(Unknown Source)
      at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(Unknown Source)
      at cz.oksystem.centrum.kontrola.rcp.NabidkaKontrola.initMenu(NabidkaKontrola.java:71)
      at cz.oksystem.centrum.kontrola.rcp.NabidkaKontrola.<init>(NabidkaKontrola.java:58)
      at cz.oksystem.centrum.kontrola.rcp.Installer$1.actionPerformed(Installer.java:41)
      at cz.oksystem.centrum.core.rcp.start.StartPanelNabidka$1.actionPerformed(StartPanelNabidka.java:155)
      at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
      at org.jdesktop.swingx.JXHyperlink.fireActionPerformed(JXHyperlink.java:244)
      at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
      at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
      at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
      at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
      at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
      at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
      at java.awt.Component.processMouseEvent(Unknown Source)
      at javax.swing.JComponent.processMouseEvent(Unknown Source)
      at java.awt.Component.processEvent(Unknown Source)
      at java.awt.Container.processEvent(Unknown Source)
      at java.awt.Component.dispatchEventImpl(Unknown Source)
      at java.awt.Container.dispatchEventImpl(Unknown Source)
      at java.awt.Component.dispatchEvent(Unknown Source)
      at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
      at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
      at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
      at java.awt.Container.dispatchEventImpl(Unknown Source)
      at java.awt.Window.dispatchEventImpl(Unknown Source)
      at java.awt.Component.dispatchEvent(Unknown Source)
      at java.awt.EventQueue.dispatchEvent(Unknown Source)
      at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:104)
      at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
      at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
      at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
      at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
                at java.awt.EventDispatchThread.run(Unknown Source)

Code snippets:
--- class NabidkaKontrola ---
VypravaMenu vypravaMenu = new VypravaMenu(AgendaEnum.RESENI_KONTROLNI_CINNOSTI); // line 71
---
--- class VypravaMenu ---
private static final MessageBundle MESSAGE_BUNDLE = MessageBundleFactory.getInstance().get(VypravaMenu.class);
---

*** CASE 3 ***
Exception stack:
java.lang.SecurityException: trusted loader attempted to load sandboxed resource from https://okct/centrum/netbeans/modules/ext/spring-orm-3.0.0.RELEASE.jar
               at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
               at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
               at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
               at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
               at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
               at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
               at java.net.URLClassLoader$1.run(Unknown Source)
               at java.security.AccessController.doPrivileged(Native Method)
               at java.net.URLClassLoader.findClass(Unknown Source)
               at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
               at java.lang.ClassLoader.loadClass(Unknown Source)
               at java.lang.ClassLoader.loadClass(Unknown Source)
               at cz.oksystem.centrum.core.rcp.util.ConcurrentUtils.handleConcurrentException(ConcurrentUtils.java:45)
                ....


--- class ConcurrentUtils ---
} else if (StaleStateException.class.isAssignableFrom(exception.getClass()) ||
               HibernateOptimisticLockingFailureException.class.isAssignableFrom(exception.getClass())) { // line 45
---
HibernateOptimisticLockingFailureException is from spring-orm-3.0.0.RELEASE.jar and is descendent of org.springframework.core.NestedRuntimeException
--- class NestedRuntimeException ---
static {
  // Eagerly load the NestedExceptionUtils class to avoid classloader deadlock
  // issues on OSGi when calling getMessage(). Reported by Don Brown; SPR-5607.
  NestedExceptionUtils.class.getName();
}
---



REPRODUCIBILITY :
This bug can be reproduced occasionally.

CUSTOMER SUBMITTED WORKAROUND :
Disable JRE 1.6.0_20

Release Regression From : 6u18
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Release Regression From : 6u18
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

                                    

Comments
EVALUATION

Fixed by improving existing recovery code for CachedJarFile soft references as described at:
http://sa.us.oracle.com/mail-archive/6967414-deployment

Pushed to 8 with changeset:
http://closedjdk.us.oracle.com/jdk8/deploy/deploy/rev/fcf67f818fce
                                     
2011-11-17



Hardware and Software, Engineered to Work Together