JDK-8229532 : URLClassLoader with SecurityManager throws ClassNotFoundException
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 8,11,13,14
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: generic
  • CPU: generic
  • Submitted: 2019-08-10
  • Updated: 2019-08-19
  • Resolved: 2019-08-14
Description
ADDITIONAL SYSTEM INFORMATION :
Operating system: OSX Mojave 10.14.6

Versions of Java:
java version "1.8.0_181" Java(TM) SE Runtime Environment (build 1.8.0_181-b13) Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

java version "10.0.2" 2018-07-17 Java(TM) SE Runtime Environment 18.3 (build 10.0.2+13) Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10.0.2+13, mixed mode)

java version "12.0.1" 2019-04-16 Java(TM) SE Runtime Environment (build 12.0.1+12) Java HotSpot(TM) 64-Bit Server VM (build 12.0.1+12, mixed mode, sharing)

A DESCRIPTION OF THE PROBLEM :
This behaviour was observed on OSX with Java 12.0.1, but also with older versions of Java (down to 8). It might occur on other platforms too (Windows, Linux).

The possible bug and how to reproduce it are described in detail on Stack Overflow:
https://stackoverflow.com/questions/57433655/classnotfoundexception-issued-by-urlclassloader-when-the-security-manager-is-ena

If it is not a bug, a rationale for this behaviour would be very welcome.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See reference above

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
See reference above
ACTUAL -
See reference above

---------- BEGIN SOURCE ----------
See reference above
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
A possible workaround for a user would be to inherit the URLClassLoader and override the findClass() method, but that would be a strange requirement.


Comments
From submitter: Thank you. Your reply of the 2019-08-14 and the -Djava.security.debug=access flag were very helpful.

Adding the following line to the grant entry of security.properties file:

    permission java.util.PropertyPermission "user.dir", "read";

solves the problem!

However I still think there is a bug, in the sense that the wrong exception is thrown. It is made clear with the -Djava.security.debug=access output:

    access: access denied ("java.util.PropertyPermission" "user.dir" "read") // shows up only in debug mode
    Exception in thread "main" java.lang.ClassNotFoundException: Untrusted

While this is clearly a Permission exception, what shows up is a ClassNotFoundException, that is misleading and can be very confusing for users unaware of the java.security.debug property (that was my case).

In any case, thank you again for your helpful reply! You can mark this issue as solved and closed.
19-08-2019

Please re-open if issue is not as described by Alan
14-08-2019

The submitter needs to run with `-Djava.security.debug=access` to see more details on why the SM check is failing. In this case, it's because the code doesn't have permission to read the "user.dir" property (Untrusted.class is in the working directory). Once the policy file is updated to grant read access to this property then the test will work.
14-08-2019

To reproduce the issue, run the attached test case.
JDK 8u221 - Fail
JDK 11.0.4 - Fail
JDK 14-ea+8 - Fail

Output:

    C:\Triaging\CLTest\src>C:\JDK\jdk-14\bin\java -Djava.security.manager -Djava.security.policy=security.policy clmain.ClassLoaderTest
    Exception in thread "main" java.lang.ClassNotFoundException: Untrusted
            at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:435)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
            at clmain.ClassLoaderTest.main(ClassLoaderTest.java:11)

    C:\Triaging\CLTest\src>C:\JDK\jdk-14\bin\java clmain.ClassLoaderTest
    Instantiation of Untrusted
14-08-2019
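
Added example (not part of the bug report or of JDK code): a Python script that scans `-Djava.security.debug=access` output for the `access denied` line format quoted in the comments above, ties a following `ClassNotFoundException` back to the denial that preceded it, and renders the matching policy-file entry for review. The function names and the sample log are constructed for illustration.

```python
import re

# Line shape quoted in this report, as printed by -Djava.security.debug=access:
#   access: access denied ("java.util.PropertyPermission" "user.dir" "read")
DENIED = re.compile(
    r'access: access denied \("(?P<cls>[^"]+)"'
    r'(?: "(?P<name>[^"]*)")?(?: "(?P<actions>[^"]*)")?\)'
)

def denied_permissions(debug_output):
    """Return unique (class, name, actions) tuples, in first-seen order."""
    seen = []
    for m in DENIED.finditer(debug_output):
        perm = (m.group("cls"), m.group("name"), m.group("actions"))
        if perm not in seen:
            seen.append(perm)
    return seen

def policy_line(perm):
    """Render one denial as a policy-file permission entry for review."""
    cls, name, actions = perm
    parts = [f'"{p}"' for p in (name, actions) if p is not None]
    return f"permission {cls}" + (" " + ", ".join(parts) if parts else "") + ";"

def masked_denials(debug_output):
    """Pair each ClassNotFoundException with the last denial logged before it."""
    findings, last = [], None
    for line in debug_output.splitlines():
        m = DENIED.search(line)
        if m:
            last = (m.group("cls"), m.group("name"), m.group("actions"))
        elif "java.lang.ClassNotFoundException:" in line and last:
            cls_name = line.split("ClassNotFoundException:", 1)[1].strip()
            findings.append((cls_name, policy_line(last)))
            last = None
    return findings

# Constructed sample: the two lines quoted in the thread plus a repeat
# and an unrelated "allowed" line of the same general shape.
SAMPLE = '''\
access: access allowed ("java.io.FilePermission" "/tmp/x" "read")
access: access denied ("java.util.PropertyPermission" "user.dir" "read")
access: access denied ("java.util.PropertyPermission" "user.dir" "read")
Exception in thread "main" java.lang.ClassNotFoundException: Untrusted
'''

if __name__ == "__main__":
    for cls, grant in masked_denials(SAMPLE):
        print(f"{cls}: load failure preceded by denial; candidate entry: {grant}")
```
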