JDK-5004073 : Impossible to use Security Manager with unstable DNS
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 1.4.2
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86
  • Submitted: 2004-02-26
  • Updated: 2004-03-01
  • Resolved: 2004-03-01
Related Reports
Duplicate :  
Description

Name: gm110360			Date: 02/26/2004


FULL PRODUCT VERSION :
java version "1.4.2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-b28)
Java HotSpot(TM) Client VM (build 1.4.2-b28, mixed mode)

and

java version "1.5.0-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-beta-b32c)
Java HotSpot(TM) Client VM (build 1.5.0-beta-b32c, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Red Hat Enterprise Linux ES release 3 (Taroon)
Fedora Core release 1 (Yarrow)
Mandrake Linux release 8.2 (Bluebird) for i586


A DESCRIPTION OF THE PROBLEM :
On webservers, the security manager is often used to secure the environment. A problem with doing so is that if the DNS service the webserver is using is down, response times of the webserver rise considerably. It seems that SocketPermission wants to do a DNS query on every established connection to the server, even though you permitted '*'.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
To reproduce this, use for instance KnockKnockServer/Client from http://java.sun.com/docs/books/tutorial/networking/sockets/clientServer.html

Change /etc/resolv.conf to point to bogus nameservers and make sure the client and server hosts are not listed in /etc/hosts

Start KnockKnockServer using this policy file:

grant codeBase "file:///home/foo/java/test/knockknock/-" {
  permission java.net.SocketPermission "*", "accept, connect, listen, resolve";
};

Run the server:
java -Djava.security.manager -Djava.security.policy=file:/home/foo/java/test/knockknock/kk.policy KnockKnockServer

Run the client on a different host than the KnockKnockServer...


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Client responds immediately with:

Server: Knock! Knock!
ACTUAL -
Client hangs for several seconds before responding with:

Server: Knock! Knock!



ERROR MESSAGES/STACK TRACES THAT OCCUR :
While waiting for the reply, a stack trace of the KnockKnockServer looks like:

Full thread dump Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode):
 
"Signal Dispatcher" daemon prio=1 tid=0x0809e340 nid=0x1977 waiting on condition [0..0]
 
"Finalizer" daemon prio=1 tid=0x08088ea0 nid=0x1977 in Object.wait() [4c942000..4c94287c]
        at java.lang.Object.wait(Native Method)
        - waiting on <0x44740490> (a java.lang.ref.ReferenceQueue$Lock)
        at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:111)
        - locked <0x44740490> (a java.lang.ref.ReferenceQueue$Lock)
        at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:127)
        at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:159)
 
"Reference Handler" daemon prio=1 tid=0x08088230 nid=0x1977 in Object.wait() [4c8c1000..4c8c187c]
        at java.lang.Object.wait(Native Method)
        - waiting on <0x44740380> (a java.lang.ref.Reference$Lock)
        at java.lang.Object.wait(Object.java:429)
        at java.lang.ref.Reference$ReferenceHandler.run(Reference.java:115)
        - locked <0x44740380> (a java.lang.ref.Reference$Lock)
 
"main" prio=1 tid=0x080529e8 nid=0x1977 runnable [bfffd000..bfffd4fc]
        at java.net.Inet6AddressImpl.getHostByAddr(Native Method)
        at java.net.InetAddress$1.getHostByAddr(InetAddress.java:774)
        at java.net.InetAddress.getHostFromNameService(InetAddress.java:464)
        at java.net.InetAddress.getHostName(InetAddress.java:407)
        at java.net.SocketPermission.getCanonName(SocketPermission.java:567)
        at java.net.SocketPermission.impliesIgnoreMask(SocketPermission.java:770)
        at java.net.SocketPermissionCollection.implies(SocketPermission.java:1129)
        at java.security.Permissions.implies(Permissions.java:157)
        at sun.security.provider.PolicyFile.implies(PolicyFile.java:1096)
        at java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:254)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
        at java.lang.SecurityManager.checkAccept(SecurityManager.java:1149)
        at java.net.ServerSocket.implAccept(ServerSocket.java:452)
        at java.net.ServerSocket.accept(ServerSocket.java:419)
        at KnockKnockServer.main(KnockKnockServer.java:17)
 
"VM Thread" prio=1 tid=0x08086e20 nid=0x1977 runnable
 
"VM Periodic Task Thread" prio=1 tid=0x080a0e90 nid=0x1977 waiting on condition
"Suspend Checker Thread" prio=1 tid=0x0809d738 nid=0x1977 runnable



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Source code can be fetched from: http://java.sun.com/docs/books/tutorial/networking/sockets/clientServer.html
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Do not use Security Manager...
(Incident Review ID: 240438) 
======================================================================
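To check whether a given JVM does the reverse lookup seen in the stack trace, without setting up the server and client, the permission check can be timed directly against the same "*" grant. This is an added example, not part of the original report; the class name, the sample peer address (from the 192.0.2.0/24 documentation range) and the port are constructed.

```java
import java.net.InetAddress;
import java.net.SocketPermission;
import java.security.PermissionCollection;

public class SocketPermissionDnsProbe {
    // Constructed sample peer (IPv4 literal, TEST-NET-1 documentation range).
    // Pass a real client IPv4 address as args[0] to override.
    static final String SAMPLE_PEER = "192.0.2.10";
    static final int SAMPLE_PORT = 40000;

    // Wall-clock duration of one call, in milliseconds.
    static long millis(Runnable r) {
        long start = System.nanoTime();
        r.run();
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        String peer = args.length > 0 ? args[0] : SAMPLE_PEER;

        // Same grant as the policy file in the report.
        SocketPermission granted =
            new SocketPermission("*", "accept,connect,listen,resolve");
        PermissionCollection grants = granted.newPermissionCollection();
        grants.add(granted);

        // The permission checked for an incoming connection:
        // "host:port" with action "accept" (the checkAccept frame in the trace).
        SocketPermission requested =
            new SocketPermission(peer + ":" + SAMPLE_PORT, "accept");

        boolean[] allowed = new boolean[1];
        long checkMs = millis(() -> allowed[0] = grants.implies(requested));

        // Baseline: an explicit reverse lookup of the same address.
        // getByName() on an IP literal only parses it; getCanonicalHostName()
        // is the call that goes to the name service.
        InetAddress addr = InetAddress.getByName(peer);
        long reverseMs = millis(() -> addr.getCanonicalHostName());

        System.out.println("implies(\"*\" grant) = " + allowed[0]
            + " in " + checkMs + " ms");
        System.out.println("explicit reverse lookup took " + reverseMs + " ms");
    }
}
```

Run it with the resolver configured as in the reproduction steps. If the first time is of the same order as the second, the permission check is waiting on DNS as in the "main" thread of the dump above.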