JDK-4321303 : SocketPermission doesn't work with trustProxy property.
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 1.3.0
  • Priority: P1
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_2.6,windows_nt
  • CPU: x86,sparc
  • Submitted: 2000-03-14
  • Updated: 2000-04-06
  • Resolved: 2000-04-06
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
1.3.0 rc3Fixed
Related Reports
Duplicate :  
JDK-4326519 - AccessControlException thrown for permission which was granted to all
Duplicate :  
JDK-4320895 - SocketPermision.implies broken when IP not accessible
Relates :  
JDK-4323955 - Rresource loading from a jar fails if hostname resolution fails
Description
To avoid DNS spoofing (see #4155463), any connection made by applets/applications are required to perform reverse DNS lookup to obtain both the host name and IP address, so security is checked properly in Java 2. However. this causes a lot of problems to most users because some of them don't have DNS setup properly. Even worse, if they try to connect to external web server through the proxy, Java will require their applets/applications to be able to resolve the external hostname through their internal DNS server, and it will fail in most cases. 

To workaround this problem, a Java property "trustProxy" was introduced to avoid this problem if enabled, so applets/applications will work with external web servers. However in JDK 1.2/1.3, the trustProxy setting no longer works. The problem is in the java.net.SocketPermission's impliesIgnoreMask method. 


    boolean impliesIgnoreMask(SocketPermission that) {
        int i,j;

        if ((that.mask & RESOLVE) != that.mask) {
            // check port range
            if ((that.portrange[0] < this.portrange[0]) ||
                    (that.portrange[1] > this.portrange[1])) {
                    return false;
            }
        }

        // allow a "*" wildcard to always match anything
        if (this.wildcard && this.getName().equals("*"))
            return true;

        // return if either one of these NetPerm objects are invalid...
        if (this.invalid || that.invalid) {
            if (!trustProxy)
                return false;

            // if we trust the proxy, we see if the original names/IPs passed
            // in were equal.

            String thisHost = getName();
            String thatHost = that.getName();

            int sep = thisHost.indexOf(':');
            if (sep != -1)
                thisHost = thisHost.substring(0, sep);

            sep = thatHost.indexOf(':');
            if (sep != -1)
                thatHost = thatHost.substring(0, sep);

            if (thisHost == null) 
                return false;
            else 
                return thisHost.equalsIgnoreCase(thatHost);
        }
      
        ...............


	The field "invalid" is used to determine if the host name cannot be resolved through DNS lookup. However, because of the way SocketPermission works, it will perform delay DNS lookup if possible. Therefore, by the time impliesIgnoreMask is called, DNS lookup may have been delayed, so the "invalid" field doesn't reflect the proper state, and it remains to be false by default. As a result, the trustProxy check will not be executed, so trustProxy property doesn't work in SocketPermission.

	Supporting trustProxy setting is extremely important to Java Plug-in. As Java Plug-in will be bundled with Communicator 6.0, we will probably enable the trustProxy settting for Communicator. Without fixing this problem,. any Internet users may see this problem with the APPLET tag in the browser, and it will prevent them to use Java 2 in the browsers.
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: kestrel-rc3 FIXED IN: kestrel-rc3 INTEGRATED IN: kestrel-rc3
14-06-2004
SUGGESTED FIX Catch the UnknownHostException in impliesIgnoreMask and use the trustProxy logic. gary.ellison@eng 2000-03-20
20-03-2000
EVALUATION Under normal circumstances when trustProxy is set the first attempt to getIP address throws an UnknownHostException which is ignored and the implies method returns false. As a side effect the SocketPermission is marked invalid. Subsequent attempts to imply the SocketPermission will pass through the trustProxy logic and return a true. gary.ellison@eng 2000-03-20
20-03-2000