United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-7076626 : DeployClassLoader should have enough permission to load sealed packages.

Details
Type:
Bug
Submit Date:
2011-08-09
Status:
Resolved
Updated Date:
2011-09-22
Project Name:
JDK
Resolved Date:
2011-09-06
Component:
deploy
OS:
generic
Sub-Component:
plugin
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
7-client
Fixed Versions:
7u2 (b04)

Related Reports
Backport:

Sub Tasks

Description
When a public API in a sealed package try to create an inner anonymous class, AccessControlException is throw with a stack similar to following,

Exception in thread "Thread-13" java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.deploy.uitoolkit.impl.fx")
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
	at sun.plugin2.applet.SecurityManagerHelper.checkPackageAccessHelper(SecurityManagerHelper.java:248)
	at sun.plugin2.applet.FXAppletSecurityManager.checkPackageAccess(FXAppletSecurityManager.java:93)
	at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at com.sun.deploy.net.DeployClassLoader.loadClass(DeployClassLoader.java:115)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at com.sun.deploy.uitoolkit.impl.fx.FXPluginToolkit$4.leaveBlockingMode(FXPluginToolkit.java:205)
	at com.sun.deploy.uitoolkit.ToolkitStore$TaskThread.run(ToolkitStore.java:444)

                                    

Comments
EVALUATION

Bypass package check for classes loaded by DeployClassLoader.
                                     
2011-08-30
SUGGESTED FIX

Add marker to a thread when DeployClassLoader is trying to load a class. So that implementation of SecurityManager can grant permission properly.
                                     
2011-08-09
EVALUATION

When unsigned user code invoke the public API in JavaFX goes down to any sealed package code trying to access inner anonymous class, the ClassLoader.loadClass will check with SecurityManager, since access to com.sun.deploy is not allowed by SecurityManager, the AccessControlException is thrown.
                                     
2011-08-09



Hardware and Software, Engineered to Work Together