JDK-8009764 : Java Web Start app run on Java SE 8 b79 shows "trust level" SecurityExceptions
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 7u40,8
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2013-03-11
  • Updated: 2014-10-22
  • Resolved: 2014-02-11
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9
7u66Fixed 8u20 b03Fixed 9Fixed
Description
Java Web Start application run on Java SE 8 b79 shows "trust level" SecurityExceptions
intermittently. Once the issue occurs, the error message is repeated:

2013-03-06 13:47:44,203 ERROR [AWT-EventQueue-0] [X.XX.XXX.XXXX.DefaultExceptionHandler] Uncaught Exception: class "X.XX.XXX.XXXX.CannedTreePopup$CannedResponsesDialog$1" does not match trust level of other classes in the same package
java.lang.SecurityException: class "X.XX.XXX.XXXX.CannedTreePopup$CannedResponsesDialog$1" does not match trust level of other classes in the same package
        at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:357)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:354)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:353)
        at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
        at X.XX.XXX.XXXX.CannedTreePopup$CannedResponsesDialog.<init>(CannedTreePopup.java:1037)
        at X.XX.XXX.XXXX.CannedTreePopup.show(CannedTreePopup.java:623)
        at X.XX.XXX.XXXX.CannedPopupAction.actionPerformed(CannedPopupAction.java:31)
        at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
        at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2346)
        at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
        at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
        at javax.swing.AbstractButton.doClick(AbstractButton.java:376)
        at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:833)
        at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:877)
        at java.awt.Component.processMouseEvent(Component.java:6513)
        at javax.swing.JComponent.processMouseEvent(JComponent.java:3322)
        at java.awt.Component.processEvent(Component.java:6278)
        at java.awt.Container.processEvent(Container.java:2229)
        at java.awt.Component.dispatchEventImpl(Component.java:4869)
        at java.awt.Container.dispatchEventImpl(Container.java:2287)
        at java.awt.Component.dispatchEvent(Component.java:4691)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4856)
        at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4516)
        at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4446)
        at java.awt.Container.dispatchEventImpl(Container.java:2273)
        at java.awt.Window.dispatchEventImpl(Window.java:2721)
        at java.awt.Component.dispatchEvent(Component.java:4691)
        at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:722)
        at java.awt.EventQueue.access$200(EventQueue.java:103)
        at java.awt.EventQueue$3.run(EventQueue.java:681)
        at java.awt.EventQueue$3.run(EventQueue.java:679)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.awt.EventQueue$4.run(EventQueue.java:695)
        at java.awt.EventQueue$4.run(EventQueue.java:693)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:692)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:216)
        at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:135)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:123)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:119)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:111)
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:97)

At this point the application is broken. Menu item 'File->Exit' does not longer respond.
Likewise, other GUI functions do no longer respond.

Comments
SQE OK to take the fix into PSU14_03 to get the regression JDK-8039155 fixed in the release.
18-04-2014

Critical Request Template - Justification : Customer demand - Risk Analysis : we believe this is minor - Webrev : http://sa.sfbay.sun.com/projects/deployment_data/8/8009764.0/ - Testing (done/to-be-done) : Done - Support ran tests for 168 hours (7 days) and no issue were seen. - Back ports (done/to-be-done) : Done - FX Impact : None
17-04-2014

Seems this one it a cause of JDK-8039155 which fix is not integrated or even requested into CPU. Need to clarify dependecies and either push all together or reject from CPU.
14-04-2014

Evaluation: CPCallbackHandler class uses CodeSource instances to check the security level of jar components. CodeSource object may be created by two ways: using code signer information and using certificates information. The method CodeSource.equals() may return false for CodeSource objects created by different ways even if they are relevant to the same JAR file. Suggested fix: Add new private method CPCallbackHandler.compareCodeSources() responsible for comparison of CodeSource objects. If the current version of Java is 1.5 or greater the method will use code signer information to compare the objects, otherwise certificate information will be used. All invocations of CodeSource.equals() in CPCallbackHandler should be replaced by compareCodeSources().
20-12-2013

Thomas (Lenz) - can you please re-test or provide an alternate reproducer? The site linked no longer exists.
01-10-2013