JDK-8039034 : 8u20: No blocked dialog for plugin and javafx apps when no jre matches the rule specified by Admin(DRS with force)
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 8u20
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-04-02
  • Updated: 2015-01-29
  • Resolved: 2014-04-23
JDK 7: 7-pool, Resolved
JDK 8: 8u20 b12, Fixed
JDK 9: 9, Fixed
Description
When no JRE matches the rule specified by Admin, a blocked dialog is shown for javaws apps, but no such dialog is shown for plugin applets and JavaFX apps.

Steps to reproduce:
Test scenario: Admin provides a secure version (version="secure") with "force=true" while no secure JRE is installed on the system
1) Install 8u20 nightly build#2550
2) Download http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/LSPJPI/lib/DeploymentRuleSet.jar and then copy it to deployment.system.home/
In this DeploymentRuleSet.jar, we have:
<ruleset version="1.1">
  <rule> <!-- allow run everything -->
     <id location="http://sqeweb.us.oracle.com/"/>
     <action permission="run" version="SECURE" force="true"/>
  </rule>
  <!-- block everything else -->
  <rule>
     <id/>
     <action permission="block" message="we don't want to run anything else"/>
  </rule>
</ruleset>
3) Make sure you can access the internet, or disable the OCSP and CRL checks from JCP
4) Add "1.8.0_99" to the baseline.versions file under the {DEPLOY_USER_HOME}/security/ dir to make the test JRE old
5) Load applet: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/LSPJPI/html/UnsignedSandboxJNLP.html
6) If this app gets blocked directly without any blocked dialog, then this bug is reproduced. In the log, there is an NPE:
java.lang.NullPointerException
	at sun.plugin2.applet.Plugin2Manager.setParameter(Unknown Source)
	at sun.plugin2.main.client.PluginMain.performSSVValidation(Unknown Source)
	at sun.plugin2.main.client.PluginMain$StartAppletListener.appletSSVValidation(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.fireAppletSSVValidation(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Expected behavior:
A blocked dialog should show up.

Note:
For javaws apps, there is a blocked dialog. See attachment javaws-blocked-dialog.png
Steps to reproduce:
1) Install 8u20 nightly build#2550
2) Download http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/LSPJPI/lib/DeploymentRuleSet.jar and then copy it to deployment.system.home/
In this DeploymentRuleSet.jar, we have:
<ruleset version="1.1">
  <rule> <!-- allow run everything -->
     <id location="http://sqeweb.us.oracle.com/"/>
     <action permission="run" version="SECURE" force="true"/>
  </rule>
  <!-- block everything else -->
  <rule>
     <id/>
     <action permission="block" message="we don't want to run anything else"/>
  </rule>
</ruleset>
3) Make sure you can access the internet, or disable the OCSP and CRL checks from JCP
4) Add "1.8.0_99" to the baseline.versions file under the {DEPLOY_USER_HOME}/security/ dir to make the test JRE old
5) Load javaws app: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsLocalSecurityPolicy/jnlp/testSelfsignedAllpermissionJNLP.jnlp
6) A "Java Application Blocked" dialog shows up.
Comments
Verified ok with 8u20 b17
19-06-2014

webrev: http://oklahoma.us.oracle.com/www/webrevs/aherrick/1.9.0/8039034/deploy/webrev/
The fix in PluginMain is to not call setParameter(SSV_VERSION, selectedVersion) when selectedVersion is null. Instead, proceed to go through the rest of the code below.
18-04-2014

The above doesn't properly fix the problem because although no NPE is thrown, without something set as the SSV_VERSION parameter, the applet will continue to run with the installed latest version, without being aware that another version is required.
18-04-2014

The reason this is not reproducible on JDK9 is https://bugs.openjdk.java.net/browse/JDK-8041133. With the current code, you cannot make 9 insecure. When I can make this insecure, I can see the problem (when there are no secure versions installed, and DRS requires a SECURE version). The fix is as above: make sure setParameter(String name, Object value), when value is null, will clear the parameter instead of throwing NPE.
18-04-2014

I can't seem to reproduce this problem using JDK9, so am rebuilding 8u20 from scratch. From looking at the code, logic in Plugin2Manager.setParameter() seems to prohibit setting a parameter to null:

    public void setParameter(String name, Object value) {
        name = name.toLowerCase(java.util.Locale.ENGLISH);
        Map/*<String,String>*/ parms = getAppletParameters();
        synchronized(parms) {
            parms.put(name, StringUtils.trimWhitespace(value.toString()));
        }
    }

Code in PluginMain.performSSVValidation() seems to have the possibility to call it with a null value:

    selectedVersion = JREMatcher.getJREVersionFromDRS(drs);
    hostingManager.setParameter(ParameterNames.SSV_VERSION, selectedVersion);
02-04-2014
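
Added example (not the JDK deploy source and not code from the reporters): a stand-alone model of the parameter map that contrasts the quoted setParameter() behaviour with the "null clears the parameter" behaviour described in the comments. The class name, the "ssv_version" key string, the sample version value and the use of String.trim() in place of StringUtils.trimWhitespace() are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Illustrative stand-in for the applet parameter map; names here are hypothetical.
public class NullSafeParameterDemo {
    private final Map<String, String> parms = new HashMap<>();

    // Behaviour quoted in the report: value.toString() throws NPE when value is null.
    public void setParameterOriginal(String name, Object value) {
        name = name.toLowerCase(Locale.ENGLISH);
        synchronized (parms) {
            parms.put(name, value.toString().trim());
        }
    }

    // Behaviour described in the comments: a null value clears the parameter.
    public void setParameterNullClears(String name, Object value) {
        name = name.toLowerCase(Locale.ENGLISH);
        synchronized (parms) {
            if (value == null) {
                parms.remove(name);   // nothing stale is left behind
            } else {
                parms.put(name, value.toString().trim());
            }
        }
    }

    public String getParameter(String name) {
        synchronized (parms) {
            return parms.get(name.toLowerCase(Locale.ENGLISH));
        }
    }

    public static void main(String[] args) {
        final String SSV_VERSION = "ssv_version";          // hypothetical key string
        NullSafeParameterDemo m = new NullSafeParameterDemo();
        m.setParameterOriginal(SSV_VERSION, " 1.8.0_20 "); // constructed earlier value
        String selectedVersion = null;                     // no installed JRE matched the rule

        try {
            m.setParameterOriginal(SSV_VERSION, selectedVersion);
        } catch (NullPointerException e) {
            // The exception aborts validation and the earlier value is still in the map.
            System.out.println("original: NPE, value kept = " + m.getParameter(SSV_VERSION));
        }

        m.setParameterNullClears(SSV_VERSION, selectedVersion);
        System.out.println("null-clears: value = " + m.getParameter(SSV_VERSION));
    }
}
```

Clearing the entry only removes the crash and the stale value; the caller still has to treat "no version selected" as a blocking condition, which is the concern raised in the 18-04-2014 comment about the applet continuing to run with the installed latest version.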

Affected tests:
  DRSForceVersionTest::testAdminWithVerSecure_NoSecureVer_High
  DRSForceVersionTest::testAdminWithVerSecure_NoSecureVer_VeryHigh
  DRSForceVersionTest::testForceVerNotInstalled_NoMatch_Dialog_High
  DRSForceVersionTest::testForceVerNotInstalled_NoMatch_Dialog_VeryHigh
  DRSForceVersionTest::testForceVerNotInstalled_NoMatch_High
  DRSForceVersionTest::testForceVerNotInstalled_NoMatch_VeryHigh
  DRSForceVersionTest::testAdminWith17Star_DevWith18Star_No7Installed_High
  DRSForceVersionTest::testAdminWith17Star_DevWith18Star_No7Installed_VeryHigh
  LSPFXAutoForceVersionJNLPTest::testAdminWithVerSecure_NoSecureVer_High
  LSPFXAutoForceVersionJNLPTest::testAdminWithVerSecure_NoSecureVer_VeryHigh
  LSPFXAutoForceVersionTest::testForceVerNotInstalled_NoMatch_Dialog_High
  LSPFXAutoForceVersionTest::testForceVerNotInstalled_NoMatch_Dialog_VeryHigh
  LSPFXAutoForceVersionTest::testForceVerNotInstalled_NoMatch_High
  LSPFXAutoForceVersionTest::testForceVerNotInstalled_NoMatch_VeryHigh
  LSPFXAutoForceVersionJNLPTest::testAdminWith17Star_DevWith18Star_No7Installed_High
  LSPFXAutoForceVersionJNLPTest::testAdminWith17Star_DevWith18Star_No7Installed_VeryHigh
02-04-2014