JDK-8000288 : 1.7.0_06 update causes random "trust level" SecurityExceptions in checkResource
  • Type: Backport
  • Backport of: JDK-7193889
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2012-10-01
  • Updated: 2012-11-19
  • Resolved: 2012-10-02
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8
7u10 b12Fixed 8Fixed
Description
FULL PRODUCT VERSION :
1.7.0_06

ADDITIONAL OS VERSION INFORMATION :
Windows XP Version 5.1.2600

A DESCRIPTION OF THE PROBLEM :
With 1.7.0_04 and 1.7.0_05 our Java Web Start application would launch and run fine.

With 1.7.0_06 almost every session using the application results in a java.lang.SecurityException with a message like "class "XXXXX" does not match trust level of other classes in the same package".  Sometimes the message causes Java Web Start to fail to launch the application.  Other times the application starts and encounters the error while being used.

We tried to workaround by clearing the user's Java Application Temporary Files (cache), which at first seemed to help, but then the problem began occurring again.

The stack trace is like:

java.lang.SecurityException: class "X.X.X.XXXXX" does not match trust level of other classes in the same package
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.defineClass1(Native Method)
       at java.lang.ClassLoader.defineClass(Unknown Source)
       at java.security.SecureClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.access$100(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at com.isone.sms.isouser.main.ui.LaunchAction.<clinit>(LaunchAction.java:231)
       at com.isone.sms.isouser.main.ui.ApplicationManager.<init>(ApplicationManager.java:137)
       at com.isone.sms.isouser.main.ui.ApplicationManager.main(ApplicationManager.java:274)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)

Maybe 1.7.0_06 has a regression of the fix in http://bugs.sun.com/view_bug.do?bug_id=6967414?


REGRESSION.  Last worked in version 7

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Error occurs just by launching the Java Web Start application using 1.7.0_06.  The SecurityException is often thrown as soon as the application's main method constructs an object and causes a few more classes to load.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No SecurityException.

ACTUAL -
SecurityException listed above.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.SecurityException: class "com.isone.swing.IsoFrame" does not match trust level of other classes in the same package
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.defineClass1(Native Method)
       at java.lang.ClassLoader.defineClass(Unknown Source)
       at java.security.SecureClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.defineClass(Unknown Source)
       at java.net.URLClassLoader.access$100(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at com.isone.sms.isouser.main.ui.LaunchAction.<clinit>(LaunchAction.java:231)
       at com.isone.sms.isouser.main.ui.ApplicationManager.<init>(ApplicationManager.java:137)
       at com.isone.sms.isouser.main.ui.ApplicationManager.main(ApplicationManager.java:274)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Don't have time to create a demonstration application.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Have not found one.