JDK-6790708 : crossdomain.xml broken in Java 6 update 12ea b02/b03
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u12
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2009-01-06
  • Updated: 2013-01-10
  • Resolved: 2009-01-31
JDK 6
6u12 b04 : Fixed
Related Reports
Relates :  
Description
FULL PRODUCT VERSION :
java version "1.6.0_12-ea"
Java(TM) SE Runtime Environment (build 1.6.0_12-ea-b03)
Java HotSpot(TM) Client VM (build 11.2-b01, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [versie 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Both Internet Explorer 7 and Firefox 3(.0.5)

A DESCRIPTION OF THE PROBLEM :
crossdomain.xml broken in Java 6 update 12ea

For example, this demo is not working in update12 b03, but it is doing fine in previous update versions: http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html

Another application that is trying to connect to the Google translation services throws a SocketPermission access denied, while the crossdomain.xml file is available: http://ajax.googleapis.com/crossdomain.xml

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start this example with both Java 6 update 10 and Java 6 update 12 b03
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Working application, images from Flickr
ACTUAL -
No images, console error: java.security.AccessControlException: access denied

ERROR MESSAGES/STACK TRACES THAT OCCUR :
network: Connecting http://ajax.googleapis.com/ajax/services/language/translate?langpair=%7Cen&v=1.0&hl=nl&format=text&q=test with proxy=DIRECT
23-dec-2008 0:46:22 translator.ui.TranslationDialog$TranslateAction$5 done
WARNING: Translation error
java.util.concurrent.ExecutionException: java.security.AccessControlException: access denied (java.net.SocketPermission ajax.googleapis.com:80 connect,resolve)
at java.util.concurrent.FutureTask$Sync.innerGet(Unknown Source)
at java.util.concurrent.FutureTask.get(Unknown Source)
at javax.swing.SwingWorker.get(Unknown Source)
at translator.ui.TranslationDialog$TranslateAction$5.done(TranslationDialog.java:541)
Caused by: java.security.AccessControlException: access denied (java.net.SocketPermission ajax.googleapis.com:80 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at applications.translator.utils.TranslationUtils.openHttpConnection(TranslationUtils.java:393)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html
---------- END SOURCE ----------

Release Regression From : 6u10
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Comments
SUGGESTED FIX http://web-east.east/www/webrevs/andy/1.6.0_12/6790708/
07-01-2009

EVALUATION The problem is caused by the fix to 6766037. In the plugin/webstart security manager checkConnect method, when we catch the security exception and fall back to call CrossDomainXML.check, we did the following:

if ((url != null) && CrossDomainXML.check(getClassContext(), url, host, port, mode)) {

The problem is that url is always null here, because url is only set when mode is CHECK_SET_HOST or CHECK_SUBPATH. There is no need to ensure url is non-null here. Removing the null check fixed the problem.
07-01-2009

EVALUATION 6u12 b01 is okay. The problem exists starting in 6u12 b02.
07-01-2009
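
ADDED EXAMPLE (not part of the original report, and not the plugin's source): a simplified Java model of the fallback described in the evaluation, showing how the url != null guard disables the crossdomain.xml check and that removing it does not grant access to hosts without a policy file. The class, the CHECK_CONNECT mode name, the host set, the helper methods and the applet.example / other.example hosts are all assumptions made for illustration.

```java
import java.net.URL;
import java.util.Collections;
import java.util.Set;
// Simplified model of the fallback described in the evaluation; not the plugin's source.
public class CrossDomainFallbackDemo {
    // CHECK_SET_HOST and CHECK_SUBPATH are named in the report; CHECK_CONNECT is an assumed name.
    enum Mode { CHECK_SET_HOST, CHECK_SUBPATH, CHECK_CONNECT }
    // Stand-in for CrossDomainXML.check: hosts assumed to publish a permissive crossdomain.xml.
    static final Set<String> HOSTS_WITH_POLICY = Collections.singleton("ajax.googleapis.com");
    static boolean crossDomainAllows(URL url, String host, int port, Mode mode) {
        return HOSTS_WITH_POLICY.contains(host);
    }

    // Stand-in for the base check: only the applet's own origin host passes.
    static void baseCheck(String host, String originHost) {
        if (!host.equals(originHost)) {
            throw new SecurityException("access denied (java.net.SocketPermission " + host + ")");
        }
    }

    // guardOnUrl=true models the 6u12 b02/b03 condition; false models the fix.
    static void checkConnect(String host, int port, URL url, Mode mode, String origin, boolean guardOnUrl) {
        try {
            baseCheck(host, origin);
        } catch (SecurityException e) {
            boolean urlOk = !guardOnUrl || url != null;
            if (urlOk && crossDomainAllows(url, host, port, mode)) {
                return; // the policy file grants the connection
            }
            throw e; // no policy grant: the original denial stands
        }
    }

    static String attempt(String host, URL url, Mode mode, boolean guardOnUrl) {
        try {
            checkConnect(host, 80, url, mode, "applet.example", guardOnUrl);
            return "allowed";
        } catch (SecurityException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        // url is null on a plain connect; the last call checks that the fix does not widen access.
        System.out.println("regressed: " + attempt("ajax.googleapis.com", null, Mode.CHECK_CONNECT, true));
        System.out.println("fixed:     " + attempt("ajax.googleapis.com", null, Mode.CHECK_CONNECT, false));
        System.out.println("no policy: " + attempt("other.example", null, Mode.CHECK_CONNECT, false));
    }
}
```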