JDK-7076626 : DeployClassLoader should have enough permission to load sealed packages.
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 7-client
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2011-08-09
  • Updated: 2011-09-22
  • Resolved: 2011-09-06
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u2 b04Fixed 8Fixed
When a public API in a sealed package try to create an inner anonymous class, AccessControlException is throw with a stack similar to following,

Exception in thread "Thread-13" java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.deploy.uitoolkit.impl.fx")
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
	at sun.plugin2.applet.SecurityManagerHelper.checkPackageAccessHelper(SecurityManagerHelper.java:248)
	at sun.plugin2.applet.FXAppletSecurityManager.checkPackageAccess(FXAppletSecurityManager.java:93)
	at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at com.sun.deploy.net.DeployClassLoader.loadClass(DeployClassLoader.java:115)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at com.sun.deploy.uitoolkit.impl.fx.FXPluginToolkit$4.leaveBlockingMode(FXPluginToolkit.java:205)
	at com.sun.deploy.uitoolkit.ToolkitStore$TaskThread.run(ToolkitStore.java:444)

EVALUATION Bypass package check for classes loaded by DeployClassLoader.

SUGGESTED FIX Add marker to a thread when DeployClassLoader is trying to load a class. So that implementation of SecurityManager can grant permission properly.

EVALUATION When unsigned user code invoke the public API in JavaFX goes down to any sealed package code trying to access inner anonymous class, the ClassLoader.loadClass will check with SecurityManager, since access to com.sun.deploy is not allowed by SecurityManager, the AccessControlException is thrown.