JDK-7193889 : 1.7.0_06 update causes random "trust level" SecurityExceptions in checkResource
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2012-08-24
  • Updated: 2013-09-12
  • Resolved: 2012-09-26
Version table:
  • JDK 6: 6u43 (Fixed)
  • JDK 7: 7u10 (Fixed)
  • JDK 8: 8 b58 (Fixed)
Description
FULL PRODUCT VERSION :
1.7.0_06

ADDITIONAL OS VERSION INFORMATION :
Windows XP Version 5.1.2600

A DESCRIPTION OF THE PROBLEM :
With 1.7.0_04 and 1.7.0_05 our Java Web Start application would launch and run fine.

With 1.7.0_06 almost every session using the application results in a java.lang.SecurityException with a message like "class "XXXXX" does not match trust level of other classes in the same package".  Sometimes the message causes Java Web Start to fail to launch the application.  Other times the application starts and encounters the error while being used.

We tried to work around it by clearing the user's Java Application Temporary Files (cache), which at first seemed to help, but then the problem began occurring again.

The stack trace is like:

java.lang.SecurityException: class "X.X.X.XXXXX" does not match trust level of other classes in the same package
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.defineClass1(Native Method)
       at java.lang.ClassLoader.defineClass(Unknown Source)
       at java.security.SecureClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.access$100(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at com.isone.sms.isouser.main.ui.LaunchAction.<clinit>(LaunchAction.java:231)
       at com.isone.sms.isouser.main.ui.ApplicationManager.<init>(ApplicationManager.java:137)
       at com.isone.sms.isouser.main.ui.ApplicationManager.main(ApplicationManager.java:274)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)

Maybe 1.7.0_06 has a regression of the fix in http://bugs.sun.com/view_bug.do?bug_id=6967414?


REGRESSION.  Last worked in version 7

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Error occurs just by launching the Java Web Start application using 1.7.0_06.  The SecurityException is often thrown as soon as the application's main method constructs an object and causes a few more classes to load.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No SecurityException.

ACTUAL -
SecurityException listed above.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.SecurityException: class "com.isone.swing.IsoFrame" does not match trust level of other classes in the same package
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.defineClass1(Native Method)
       at java.lang.ClassLoader.defineClass(Unknown Source)
       at java.security.SecureClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.access$100(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at com.isone.sms.isouser.main.ui.LaunchAction.<clinit>(LaunchAction.java:231)
       at com.isone.sms.isouser.main.ui.ApplicationManager.<init>(ApplicationManager.java:137)
       at com.isone.sms.isouser.main.ui.ApplicationManager.main(ApplicationManager.java:274)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Don't have time to create a demonstration application.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Have not found one.

Comments
EVALUATION For the provided test cases, the manifestation of the SecurityException was actually the combination of GC forcing recreation of the softly referenced signing data and the loading of the weblogic URL stream handler (caused by the loading of a number of weblogic classes). We correct the issue by making sure the restoration of the signing data uses the same URL with the same stream handler as originally returned. Also, improve encapsulation by the jar signing data object so user code is not exposed to internal caching of signing data details.
25-09-2012
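
A triage check for the exception above, as an added example that is not part of the original report or of Oracle's fix: it lists packages whose classes carry different signers (or a mix of signed and unsigned classes) across an application's JARs, which helps separate a genuine mixed-signing problem from the JRE-side cause described in the evaluation. The class name PackageSignerAudit and the JAR paths passed as arguments are assumptions; it needs Java 8 or later.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added triage example (not Oracle's code): report packages whose classes do not
// all share one signing state across the JARs given on the command line.
public class PackageSignerAudit {

    // Summarise an entry's signers as a sorted list of subject DNs, or "UNSIGNED".
    static String signerKey(JarFile jar, JarEntry entry) throws Exception {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) { /* signers are only available after a full read */ }
        }
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers == null) return "UNSIGNED";
        TreeSet<String> names = new TreeSet<>();
        for (CodeSigner s : signers) {
            X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
            names.add(leaf.getSubjectX500Principal().getName());
        }
        return String.join(" + ", names);
    }

    public static void main(String[] args) throws Exception {
        // package -> signing state -> JARs in which that state was seen
        Map<String, Map<String, Set<String>>> seen = new TreeMap<>();
        for (String path : args) {
            try (JarFile jar = new JarFile(path, true)) {   // true = verify signatures
                for (JarEntry e : Collections.list(jar.entries())) {
                    String name = e.getName();
                    if (!name.endsWith(".class")) continue;
                    int slash = name.lastIndexOf('/');
                    String pkg = slash < 0 ? "(default)" : name.substring(0, slash).replace('/', '.');
                    seen.computeIfAbsent(pkg, k -> new TreeMap<>())
                        .computeIfAbsent(signerKey(jar, e), k -> new TreeSet<>()).add(path);
                }
            }
        }
        seen.forEach((pkg, states) -> {
            if (states.size() > 1) System.out.println("MIXED " + pkg + " -> " + states);
        });
    }
}
```

Pass every JAR referenced by the JNLP file as an argument. A tampered entry makes the read throw a SecurityException, which is itself a finding.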