JDK-6181598 : String constructor with "KSC5601" encoding throws AccessControlException
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.nio
  • Affected Version: 1.4.2_09,5.0
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,windows_xp
  • CPU: generic,x86
  • Submitted: 2004-10-19
  • Updated: 2012-10-10
  • Resolved: 2005-03-04
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other JDK 6
1.4.2_12Fixed 6 b27Fixed
Description
Description:
FULL PRODUCT VERSION :
 Sun Java System Application Server Enterprise Edition 8.1 (build b30-beta2)

FULL OS VERSION :
Windows XP

EXTRA RELEVANT SYSTEM CONFIGURATION :
korean locale

A DESCRIPTION OF THE PROBLEM :
When HttpServletRequest.setCharacterEncoding("KSC5601") is called from a servlet, java.security.AccessControlException is thrown.

HttpServletRequest.setCharacterEncoding() is implemented as follows:

        // Ensure that the specified encoding is valid
        byte buffer[] = new byte[1];
        buffer[0] = (byte) 'a';
        String dummy = new String(buffer, enc);

where 'enc' is the char encoding argument passed to HttpServletRequest.setCharacterEncoding().

String constructor throws java.security.AccessControlException, as shown in the following exception stack trace taken from the server log:

[#|2004-10-07T15:53:26.183+0900||sun-appserver-ee8.1|javax.enterprise.system.container.web|_ThreadID=13;|StandardWrapperValve[RequestParamExample]:
Servlet.service() for servlet RequestParamExample threw exception
java.security.AccessControlException: access denied
(java.lang.RuntimePermission charsetProvider)
	at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
	at
java.security.AccessController.checkPermission(AccessController.java:401)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
	at java.nio.charset.spi.CharsetProvider.<init>(CharsetProvider.java:67)
	at
sun.nio.cs.AbstractCharsetProvider.<init>(AbstractCharsetProvider.java:58)
	at sun.nio.cs.ext.ExtendedCharsets.<init>(ExtendedCharsets.java:33)
	at sun.nio.cs.ext.ExtendedCharsets.aliasesFor(ExtendedCharsets.java:372)
	at sun.nio.cs.ext.EUC_KR.<init>(EUC_KR.java:25)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
	at java.lang.Class.newInstance0(Class.java:308)
	at java.lang.Class.newInstance(Class.java:261)
	at
sun.nio.cs.AbstractCharsetProvider.lookup(AbstractCharsetProvider.java:130)
	at
sun.nio.cs.AbstractCharsetProvider.charsetForName(AbstractCharsetProvider.java:145)
	at java.nio.charset.Charset.lookupExtendedCharset(Charset.java:411)
	at java.nio.charset.Charset.lookup(Charset.java:423)
	at java.nio.charset.Charset.isSupported(Charset.java:448)
	at java.lang.StringCoding.lookupCharset(StringCoding.java:82)
	at java.lang.StringCoding.decode(StringCoding.java:211)
	at java.lang.String.<init>(String.java:320)
	at java.lang.String.<init>(String.java:346)
	at
org.apache.coyote.tomcat5.CoyoteRequest.setCharacterEncoding(CoyoteRequest.java:1540)
	at
org.apache.coyote.tomcat5.CoyoteRequestFacade.setCharacterEncoding(CoyoteRequestFacade.java:253)
	at
samples.webapps.simple.servlet.RequestParamExample.doGet(RequestParamExample.java:26)
	at
samples.webapps.simple.servlet.RequestParamExample.doPost(RequestParamExample.java:74)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:324)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:273)
	at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:236)
	at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:141)
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:262)
	at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
	at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
	at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
	at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
	at
com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:167)
	at
com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:1738)
###@###.### 10/20/04 01:03 GMT

Comments
EVALUATION Sideeffect of bugfix 4838512, the code to "hardwire" ExtendedCharsets will go down the codepath to static method ExtendedCharsets.aliasesFor(), which will throw security exception in circumstance that (1)SoftReference "instance" in ExtendedCharsets class got cleared by GC and (2)there is a SecurityManager installed and it denies charsetProvider (3)trying create a Charset instance from ExtendedCharsets, such as the EUC_KR. A quick fix would be to add doPrivileged block either in Charset.lookupExtendedCharset as suggested or in ExtendedCharsets.aliasesFor(). ###@###.### 11/3/04 00:02 GMT There is almost impossible to write a "real" regtest case to force GC to clean a particular SoftReference. So marked as noreg-hard. ###@###.### 2005-2-24 06:21:35 GMT
2004-11-03

SUGGESTED FIX Add doPrivileged block in java.nio.charset.Charset.lookupExtendedCharset(). ###@###.### 10/19/04 23:52 GMT
2004-10-19