Duplicate :
|
|
Relates :
|
|
Relates :
|
|
Relates :
|
J2SE Version (please include all output from java -version flag): java version "1.6.0_24" Java(TM) SE Runtime Environment (build 1.6.0_24-b07) Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing) Also: 1.6.0_24 32bit Apple Inc OS=Mac OS X 10.6.6 i386 Does this problem occur on J2SE 1.4.x, 1.5 or 6? Yes / No (pick one) 6u24 (only) Operating System Configuration Information (be specific): Tested with Windows 2003 Server, Windows7, Debian Linux 2.6.33.3, and Mac OS X 10.6.6 i386 Hardware Configuration Information (be specific): Tested on i386 Bug Description: If a trusted and signed WebStart-Application ((valid root chain, VeriSign, application launched by browser) itself starts another WebStart-Application on local file system ("file://.../xyz.jnlp") this fails with a SecurityException since 6u24 and suceeds with 6u23. Stacktrace: java.lang.SecurityException: ShowDocument url permission denied at com.sun.jnlp.BasicServiceImpl.showDocument(BasicServiceImpl.java:102) at de.espirit.firstspirit.client.JavaClient$3.onSuccess(JavaClient.java:594) ... Digging into the source you see a security check introduced with 6u24: /* 101 */ if (!URLUtil.checkTargetURL(this._codebase, paramURL)) /* 102 */ throw new SecurityException("ShowDocument url permission denied"); First parameter is something like "http://abc.de/xyz", second is "file://path/xyz.jnlp". In URLUtil * local variable "localURL1" then becomes "http://abc.de/xyz" * local variable "localURL2" then becomes "file://path/xyz.jnlp" Then local variable "bool3" is set to new FilePermission("<<ALL FILES>>", "read").implies(localURL1.openConnection().getPermission()); Since "FilePermission.implies(Permission p)" always returns "false" if the provided permission is not a file permission and "localURL1" points to a web address, "bool3" is set to "false". Then local variable "bool4" is set to new FilePermission("<<ALL FILES>>", "read").implies(localURL2.openConnection().getPermission()); Since "localURL2" points to a local file, "bool4" is set to "true". Then the value of "bool3 || ! bool4" is returned, which equates to "false || ! true" == "false || false" == "false". This then results in the above mentioned SecurityException. Steps to Reproduce (be specific): Launch http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jnlp Source is at http://www.e-spirit.de/mitarbeiter/jodeleit/Bug97548.java Signed jar file is at http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jar Issues mentioned inside 7036163 is still reprodubile with latest jdk7 bits. So all the test failures against 7036163 should be listed inside this CR
|