JDK-7036713 : javax.jnlp.BasicService.showDocument() throws SecurityException for trusted app
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6u24
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: solaris_10,windows_xp
  • CPU: x86,sparc
  • Submitted: 2011-04-14
  • Updated: 2013-09-12
  • Resolved: 2011-05-31
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7
6u27Fixed 7 b142Fixed
Related Reports
Duplicate :  
Relates :  
Relates :  
Relates :  
Description
J2SE Version (please include all output from java -version flag):
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)

Also: 1.6.0_24 32bit Apple Inc OS=Mac OS X 10.6.6 i386


Does this problem occur on J2SE 1.4.x, 1.5 or 6?  Yes / No (pick one)
6u24 (only)


Operating System Configuration Information (be specific):
Tested with Windows 2003 Server, Windows7, Debian Linux 2.6.33.3, and Mac OS X 10.6.6 i386



Hardware Configuration Information (be specific):
Tested on i386



Bug Description:
If a trusted and signed WebStart-Application ((valid root chain, VeriSign, application launched by browser) itself starts another WebStart-Application on local file system ("file://.../xyz.jnlp") this fails with a SecurityException

since 6u24 and suceeds with 6u23.


Stacktrace:
java.lang.SecurityException: ShowDocument url permission denied
	at com.sun.jnlp.BasicServiceImpl.showDocument(BasicServiceImpl.java:102)
	at de.espirit.firstspirit.client.JavaClient$3.onSuccess(JavaClient.java:594)
	...

Digging into the source you see a security check introduced with 6u24:
/* 101 */    if (!URLUtil.checkTargetURL(this._codebase, paramURL))
/* 102 */      throw new SecurityException("ShowDocument url permission denied");

First parameter is something like "http://abc.de/xyz", second is "file://path/xyz.jnlp".

In URLUtil 
* local variable "localURL1" then becomes "http://abc.de/xyz"
* local variable "localURL2" then becomes "file://path/xyz.jnlp"

Then local variable "bool3" is set to
  new FilePermission("<<ALL FILES>>", "read").implies(localURL1.openConnection().getPermission());

Since "FilePermission.implies(Permission p)" always returns "false" if the provided permission is not a file permission and "localURL1" points to a web address, "bool3" is set to "false".

Then local variable "bool4" is set to
  new FilePermission("<<ALL FILES>>", "read").implies(localURL2.openConnection().getPermission());

Since "localURL2" points to a local file, "bool4" is set to "true".

Then the value of "bool3 || ! bool4" is returned, which equates to "false || ! true" == "false || false" == "false".

This then results in the above mentioned SecurityException.


Steps to Reproduce (be specific):
Launch http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jnlp
Source is at http://www.e-spirit.de/mitarbeiter/jodeleit/Bug97548.java
Signed jar file is at http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jar
Issues mentioned inside 7036163 is still reprodubile with latest jdk7 bits. So all the test failures against 7036163 should be listed inside this CR

Comments
EVALUATION for showing non-existing file in third steps, default browser should open automatically and indicate "file not found" in the webpage.
13-06-2011

PUBLIC COMMENTS CAP member had verified the issue had been fixed.
20-05-2011