JDK-4326519 : AccessControlException thrown for permission which was granted to all
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.3.0
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: solaris_2.6
  • CPU: sparc
  • Submitted: 2000-03-30
  • Updated: 2000-03-31
  • Resolved: 2000-03-31
Related Reports
Duplicate :  
Description
Running:
appletviewer -J-Djava.security.policy=/tmp/ap.policy http://www.soda.co.uk/soda/constructor/index.htm

where /tmp/ap.policy contains:
grant {
    permission java.net.SocketPermission "www.soda.co.uk", "connect,accept,resolve";
};

nevertheless produces the exception:
java.security.AccessControlException: access denied (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
        at java.security.AccessController.checkPermission(AccessController.java:399)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at java.net.URLClassLoader$5.run(URLClassLoader.java:463)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.getPermissions(URLClassLoader.java:461)
        at sun.applet.AppletClassLoader.getPermissions(AppletClassLoader.java:171)
        at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:162)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:111)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:248)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:128)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:297)
        at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:108)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:253)
        at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:366)
        at sun.applet.AppletPanel.createApplet(AppletPanel.java:579)
        at sun.applet.AppletPanel.runLoader(AppletPanel.java:515)
        at sun.applet.AppletPanel.run(AppletPanel.java:293)
        at java.lang.Thread.run(Thread.java:484)

The mystery is that the denied permission is exactly the same as the one granted.

Version information (appletviewer -J-version):
java version "1.3.0rc2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0rc2-Y)
Java HotSpot(TM) Client VM (build 1.3.0rc2-Y, interpreted mode)

Using -J-Djava.security.debug=policy verifies that the policy file is being read:
policy: reading file:/tmp/ap.policy
policy: Adding policy entry: 
policy:   signedBy null
policy:   codeBase null
policy:
policy:   (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)

Using -J-Djava.security.policy=access,failure verifies that the protection
domain has the relevant permission at checkPermission time:
access: access denied (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:993)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:261)
        at java.security.AccessController.checkPermission(AccessController.java:399)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at java.net.URLClassLoader$5.run(URLClassLoader.java:463)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.getPermissions(URLClassLoader.java:461)
        at sun.applet.AppletClassLoader.getPermissions(AppletClassLoader.java:171)
        at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:162)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:111)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:248)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:128)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:297)
        at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:108)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:253)
        at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:366)
        at sun.applet.AppletPanel.createApplet(AppletPanel.java:579)
        at sun.applet.AppletPanel.runLoader(AppletPanel.java:515)
        at sun.applet.AppletPanel.run(AppletPanel.java:293)
        at java.lang.Thread.run(Thread.java:484)
access: domain that failed ProtectionDomain (http://www.soda.co.uk/soda/constructor/ <no certificates>)
java.security.Permissions@786e64 (
 (java.util.PropertyPermission java.vendor read)
 (java.util.PropertyPermission java.specification.version read)
 (java.util.PropertyPermission line.separator read)
 (java.util.PropertyPermission java.class.version read)
 (java.util.PropertyPermission java.specification.name read)
 (java.util.PropertyPermission java.vendor.url read)
 (java.util.PropertyPermission java.vm.version read)
 (java.util.PropertyPermission os.name read)
 (java.util.PropertyPermission os.arch read)
 (java.util.PropertyPermission os.version read)
 (java.util.PropertyPermission java.version read)
 (java.util.PropertyPermission java.vm.specification.version read)
 (java.util.PropertyPermission java.vm.specification.name read)
 (java.util.PropertyPermission java.specification.vendor read)
 (java.util.PropertyPermission java.vm.vendor read)
 (java.util.PropertyPermission file.separator read)
 (java.util.PropertyPermission path.separator read)
 (java.util.PropertyPermission java.vm.name read)
 (java.util.PropertyPermission java.vm.specification.vendor read)
 (java.lang.RuntimePermission stopThread)
 (java.lang.RuntimePermission createClassLoader)
 (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)
 (java.net.SocketPermission localhost:1024- listen,resolve)
 (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)
 (java.net.SocketPermission www.soda.co.uk:80 connect,resolve)
)

I'm running this within SWAN.

Comments
WORK AROUND None known.
11-06-2004

EVALUATION This is due to the inability to resolve the origin server's IP address. In order for the applet to be able to connect back to the origin server when behind a proxy/firewall where external DNS resolution does not work, the runtime must be started with the system property trustProxy=true. However, this is broken. See bug 4321303. This bug is slated to be fixed in kestrel and in the 1.2.2_005 patch. BTW, very cool applet. gary.ellison@eng 2000-03-31
31-03-2000
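
An added triage example (not part of the original report or of the JDK): it scans `java.security.debug=access,failure` output for denials where the denied permission also appears verbatim in the failing domain's permission list, which is the situation in this report. For `java.net.SocketPermission` that pattern points at the host comparison inside `implies()`, which works on resolved addresses and canonical names rather than on the permission text. The sample log is constructed from lines shown above, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample, shortened from the debug output quoted in this report.
SAMPLE_LOG = """\
access: access denied (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:993)
access: domain that failed ProtectionDomain (http://www.soda.co.uk/soda/constructor/ <no certificates>)
java.security.Permissions@786e64 (
 (java.util.PropertyPermission os.name read)
 (java.net.SocketPermission www.soda.co.uk connect,accept,resolve)
 (java.net.SocketPermission www.soda.co.uk:80 connect,resolve)
)
"""

DENIED = re.compile(r"^access: access denied \((.+)\)$")
DOMAIN = re.compile(r"^access: domain that failed ProtectionDomain \((.*)\)$")
GRANT = re.compile(r"^\s+\((\S+ .+)\)$")

def triage(log_text):
    """Return one finding per denial: the denied permission, the failing domain,
    its listed permissions, and whether the denied text is among them."""
    findings, denied, current = [], None, None
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            denied = m.group(1)
            continue
        m = DOMAIN.match(line)
        if m and denied:
            current = {"denied": denied, "domain": m.group(1), "granted": []}
            continue
        if current is None:
            continue  # stack-trace lines between the denial and the domain dump
        m = GRANT.match(line)
        if m:
            current["granted"].append(m.group(1))
        elif line.strip() == ")":  # end of the Permissions dump
            match = current["denied"] in current["granted"]
            current["textual_match"] = match
            # Granted on paper but denied: for SocketPermission, suspect name resolution.
            current["suspect_resolution"] = (
                match and current["denied"].startswith("java.net.SocketPermission "))
            findings.append(current)
            denied = current = None
    return findings
```

A finding with `suspect_resolution` set means the policy file is not the problem; check whether the JVM host can resolve the name in the permission before editing the grant.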