United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-7036713 : javax.jnlp.BasicService.showDocument() throws SecurityException for trusted app

Details
Type:
Bug
Submit Date:
2011-04-14
Status:
Closed
Updated Date:
2011-06-14
Project Name:
JDK
Resolved Date:
2011-05-31
Component:
deploy
OS:
solaris_10,windows_xp
Sub-Component:
webstart
CPU:
x86,sparc
Priority:
P2
Resolution:
Fixed
Affected Versions:
6u24
Fixed Versions:

Related Reports
Backport:
Duplicate:
Relates:
Relates:
Relates:

Sub Tasks

Description
J2SE Version (please include all output from java -version flag):
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)

Also: 1.6.0_24 32bit Apple Inc OS=Mac OS X 10.6.6 i386


Does this problem occur on J2SE 1.4.x, 1.5 or 6?  Yes / No (pick one)
6u24 (only)


Operating System Configuration Information (be specific):
Tested with Windows 2003 Server, Windows7, Debian Linux 2.6.33.3, and Mac OS X 10.6.6 i386



Hardware Configuration Information (be specific):
Tested on i386



Bug Description:
If a trusted and signed WebStart-Application ((valid root chain, VeriSign, application launched by browser) itself starts another WebStart-Application on local file system ("file://.../xyz.jnlp") this fails with a SecurityException

since 6u24 and suceeds with 6u23.


Stacktrace:
java.lang.SecurityException: ShowDocument url permission denied
	at com.sun.jnlp.BasicServiceImpl.showDocument(BasicServiceImpl.java:102)
	at de.espirit.firstspirit.client.JavaClient$3.onSuccess(JavaClient.java:594)
	...

Digging into the source you see a security check introduced with 6u24:
/* 101 */    if (!URLUtil.checkTargetURL(this._codebase, paramURL))
/* 102 */      throw new SecurityException("ShowDocument url permission denied");

First parameter is something like "http://abc.de/xyz", second is "file://path/xyz.jnlp".

In URLUtil 
* local variable "localURL1" then becomes "http://abc.de/xyz"
* local variable "localURL2" then becomes "file://path/xyz.jnlp"

Then local variable "bool3" is set to
  new FilePermission("<<ALL FILES>>", "read").implies(localURL1.openConnection().getPermission());

Since "FilePermission.implies(Permission p)" always returns "false" if the provided permission is not a file permission and "localURL1" points to a web address, "bool3" is set to "false".

Then local variable "bool4" is set to
  new FilePermission("<<ALL FILES>>", "read").implies(localURL2.openConnection().getPermission());

Since "localURL2" points to a local file, "bool4" is set to "true".

Then the value of "bool3 || ! bool4" is returned, which equates to "false || ! true" == "false || false" == "false".

This then results in the above mentioned SecurityException.


Steps to Reproduce (be specific):
Launch http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jnlp
Source is at http://www.e-spirit.de/mitarbeiter/jodeleit/Bug97548.java
Signed jar file is at http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jar
Issues mentioned inside 7036163 is still reprodubile with latest jdk7 bits. So all the test failures against 7036163 should be listed inside this CR

                                    

Comments
EVALUATION

for showing non-existing file in third steps, default browser should open automatically and indicate "file not found" in the webpage.
                                     
2011-06-13
PUBLIC COMMENTS

CAP member had verified the issue had been fixed.
                                     
2011-05-20
EVALUATION

webrev:
http://sa.us.oracle.com/projects/deployment_data/7/7036713.9 

more testcases for signed/unsigned application with these scenarios
1. show existing files
2. show directory
3. show non-existing files
http://j2se.east.sun.com/~yl232721/test/basicservice/basicservice_signed.jnlp
http://j2se.east.sun.com/~yl232721/test/basicservice/basicservice_unsigned.jnlp
                                     
2011-05-05



Hardware and Software, Engineered to Work Together