JDK-8079618 : AccessControlException with deployment cache and RMI
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 8u31
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2015-03-02
  • Updated: 2015-11-23
  • Resolved: 2015-07-10
  • JDK 8: 8u66 (Fixed)
  • JDK 9: 9 b76 (Fixed)
Description
FULL PRODUCT VERSION :
Java Plug-in 11.31.2.13
Using JRE version 1.8.0_31-b13 Java HotSpot(TM) Client VM

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :
The problem occurs with RMI calls within an applet that uses an RMI codebase. The RMI downloaded code runs in the sandbox: The host where the RMI server runs is the same as the host of the codebase. In this scenario the AccessControlException (see below) occurs when the deployment cache is already populated. After clearing the cache everything works fine for one browser session. With a previous Java version (e.g. 1.8.0_25) this problem doesn't appear.

CacheEntry[http://192.168.35.165:44066/jar/device/msr/jpos/chyjpos/chyjpos-service-dl.jar]: updateAvailable=false,lastModified=Thu Jan 01 01:00:00 CET 1970,length=288352
CacheEntry[http://192.168.35.165:44066/jar/device/cdm/cashpro/kbacashpro4-service-dl.jar]: updateAvailable=false,lastModified=Thu Jan 01 01:00:00 CET 1970,length=463931
java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\dea\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\3c5d5a3b-6d8e48ab" "read")
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkRead(Unknown Source)
	at java.util.zip.ZipFile.<init>(Unknown Source)
	at java.util.zip.ZipFile.<init>(Unknown Source)
	at java.util.jar.JarFile.<init>(Unknown Source)
	at java.util.jar.JarFile.<init>(Unknown Source)
	at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.getJarSigningData(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile.getSigningData(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile$JarFileEntry.getCodeSigners(Unknown Source)
	at sun.misc.URLClassPath$JarLoader$2.getCodeSigners(Unknown Source)
	at java.net.URLClassLoader.defineClass(Unknown Source)
	at java.net.URLClassLoader.access$100(Unknown Source)
	at java.net.URLClassLoader$1.run(Unknown Source)
	at java.net.URLClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.rmi.server.LoaderHandler$Loader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Unknown Source)
	at sun.rmi.server.LoaderHandler.loadClassForName(Unknown Source)
	at sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
	at sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
	at java.rmi.server.RMIClassLoader$2.loadClass(Unknown Source)
	at com.sun.deploy.util.DeployRMIClassLoaderSpi.loadClass(Unknown Source)
	at java.rmi.server.RMIClassLoader.loadClass(Unknown Source)
	at sun.rmi.server.MarshalInputStream.resolveClass(Unknown Source)
	at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
	at java.io.ObjectInputStream.readClassDesc(Unknown Source)
	at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
	at java.io.ObjectInputStream.readObject0(Unknown Source)
	at java.io.ObjectInputStream.readObject(Unknown Source)
	at java.rmi.MarshalledObject.get(Unknown Source)
	at com.sun.jini.reggie.Item.get(Item.java:122)
	at com.sun.jini.reggie.Item.toServiceItem(Item.java:158)
	at com.sun.jini.reggie.Matches.get(Matches.java:73)
	at com.sun.jini.reggie.RegistrarProxy.lookup(RegistrarProxy.java:102)
	at net.jini.lookup.ServiceDiscoveryManager.lookup(Unknown Source)
	at com.rubean.drubeans.app.device.discovery.impl.DeviceDiscovererImpl$InitialLookupTask.run(Unknown Source)
	at com.sun.jini.thread.TaskManager$TaskThread.run(Unknown Source)


REGRESSION.  Last worked in version 8u25

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Perform Jini Service Discovery with Services offering service objects via RMI downloadable code.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Service Proxy Object is loaded correctly.
ACTUAL -
AccessControlException during class loading.

REPRODUCIBILITY :
This bug can be reproduced always.


Comments
QE contact: Deepak D
31-07-2015

Looks like this is a regression of JDK-8062925 and the deploy code in CacheEntry.getJarSigningData() needs to be wrapped in doPrivileged().
07-07-2015

I don't think JDK-8055309 is related, though this is a good guess. Those changes change the permissions in effect for code called from various RMI service threads. The stack trace looks like it's coming from a Jini TaskManager thread instead. Now the description is interesting in that it says that it works the first time but fails the second time, after the deployment cache has been populated. Presumably the deployment cache is written to during the first execution, and something needed to have asserted the proper permissions to do so. The corresponding privileges probably need to be asserted at the time the cache is read. It looks like some com.sun.deploy.cache code is being executed just before the JarFile is created, so perhaps that code needs a doPrivileged() to ensure that it has the right permissions to read the jar file that had been placed into the cache. Reassigning to deploy.
12-05-2015

The RMI framework runs with restricted permissions. As can be seen from the stack trace, an attempt to read a file from the deployment cache store fails a permission check. Question is -- should RMI code cater for this or should deploy code add necessary permissions when it wants to perform some cache operations. JDK-8055309 seems like one candidate to cause this behavioural change.
12-05-2015

reopening - I think we've enough to go on here.
12-05-2015
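
Added example (not part of the bug report and not the deploy code itself): a minimal JDK 8 model of the doPrivileged() change suggested in the comments. It shows the same read-permission check being denied when it runs under a restricted AccessControlContext, as the RMI class loader's defineClass path does in the stack trace, and allowed once the cache code wraps it in doPrivileged(). The class name, method names, cache path and the permissive Policy are assumptions made for the illustration.

```java
import java.io.FilePermission;
import java.security.*;

// Added illustration for JDK 8; every name and the cache path are hypothetical.
public class CacheReadDemo {
    // Constructed stand-in for the cached jar the plug-in tried to open.
    static final Permission READ_CACHE =
            new FilePermission("/deployment/cache/6.0/entry.jar", "read");

    // The check that SecurityManager.checkRead() ends up in (top of the stack trace).
    static boolean allowed() {
        try {
            AccessController.checkPermission(READ_CACHE);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Cache code as reported: the check is evaluated against the caller's context.
    static boolean readUnwrapped() {
        return allowed();
    }

    // Cache code with the suggested change: assert this class's own permissions.
    static boolean readWrapped() {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> allowed());
    }

    public static void main(String[] args) {
        // Assumption: application classes are fully trusted, like installed deploy code.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        // One domain with no permissions models the restricted RMI loader context.
        ProtectionDomain none = new ProtectionDomain(
                new CodeSource(null, (java.security.cert.Certificate[]) null), new Permissions());
        AccessControlContext restricted =
                new AccessControlContext(new ProtectionDomain[] { none });

        // Two-argument doPrivileged: everything inside is intersected with 'restricted'.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.out.println("unwrapped read allowed: " + readUnwrapped());
            System.out.println("wrapped read allowed:   " + readWrapped());
            return null;
        }, restricted);
    }
}
```

The wrapped block should contain only the cache read itself: anything else placed inside doPrivileged() also runs with the trusted code's permissions on behalf of the sandboxed caller.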