JDK-7036713 : javax.jnlp.BasicService.showDocument() throws SecurityException for trusted app
- Type: Bug
- Component: deploy
- Sub-Component: webstart
- Affected Version: 6u24
- Priority: P2
- Status: Closed
- Resolution: Fixed
- OS: solaris_10,windows_xp
- CPU: x86,sparc
- Submitted: 2011-04-14
- Updated: 2013-09-12
- Resolved: 2011-05-31
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 6 | JDK 7 |
|---|---|
6u27Fixed  |
7 b142Fixed |
Related Reports
|
Duplicate :
|
|
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
Description
J2SE Version (please include all output from java -version flag):
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)
Also: 1.6.0_24 32bit Apple Inc OS=Mac OS X 10.6.6 i386
Does this problem occur on J2SE 1.4.x, 1.5 or 6? Yes / No (pick one)
6u24 (only)
Operating System Configuration Information (be specific):
Tested with Windows 2003 Server, Windows7, Debian Linux 2.6.33.3, and Mac OS X 10.6.6 i386
Hardware Configuration Information (be specific):
Tested on i386
Bug Description:
If a trusted and signed WebStart-Application ((valid root chain, VeriSign, application launched by browser) itself starts another WebStart-Application on local file system ("file://.../xyz.jnlp") this fails with a SecurityException
since 6u24 and suceeds with 6u23.
Stacktrace:
java.lang.SecurityException: ShowDocument url permission denied
at com.sun.jnlp.BasicServiceImpl.showDocument(BasicServiceImpl.java:102)
at de.espirit.firstspirit.client.JavaClient$3.onSuccess(JavaClient.java:594)
...
Digging into the source you see a security check introduced with 6u24:
/* 101 */ if (!URLUtil.checkTargetURL(this._codebase, paramURL))
/* 102 */ throw new SecurityException("ShowDocument url permission denied");
First parameter is something like "http://abc.de/xyz", second is "file://path/xyz.jnlp".
In URLUtil
* local variable "localURL1" then becomes "http://abc.de/xyz"
* local variable "localURL2" then becomes "file://path/xyz.jnlp"
Then local variable "bool3" is set to
new FilePermission("<<ALL FILES>>", "read").implies(localURL1.openConnection().getPermission());
Since "FilePermission.implies(Permission p)" always returns "false" if the provided permission is not a file permission and "localURL1" points to a web address, "bool3" is set to "false".
Then local variable "bool4" is set to
new FilePermission("<<ALL FILES>>", "read").implies(localURL2.openConnection().getPermission());
Since "localURL2" points to a local file, "bool4" is set to "true".
Then the value of "bool3 || ! bool4" is returned, which equates to "false || ! true" == "false || false" == "false".
This then results in the above mentioned SecurityException.
Steps to Reproduce (be specific):
Launch http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jnlp
Source is at http://www.e-spirit.de/mitarbeiter/jodeleit/Bug97548.java
Signed jar file is at http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jar
Issues mentioned inside 7036163 is still reprodubile with latest jdk7 bits. So all the test failures against 7036163 should be listed inside this CR
Comments
|