JDK-6258510 : PropertyEditorManager.findEditor() fails if SecurityManager installed
  • Type: Bug
  • Component: client-libs
  • Sub-Component: java.beans
  • Affected Version: 5.0
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: linux,windows_xp
  • CPU: x86
  • Submitted: 2005-04-20
  • Updated: 2011-03-09
  • Resolved: 2011-03-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7
7 b07Fixed
Related Reports
Duplicate :  
Relates :  
Description
FULL PRODUCT VERSION :
java version "1.5.0_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_02-b09)
Java HotSpot(TM) Client VM (build 1.5.0_02-b09, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Windows XP


A DESCRIPTION OF THE PROBLEM :
When the default "sandbox" SecurityManager is installed (example: WebStart apps w/o all-permissions tag), the PropertyEditoryManager is unable to access/instantiate the sun.beans.editors.fooEditor classes.

The inability to alter the editor search path or call registerEditor() (because the code does not have checkPropertiesAccess() permission also prevents the developer from shipping replacement PropertyEditor's.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run test case with and without an installed SecurityManager

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
java BugDemo:
  sun.beans.editors.StringEditor

java -Djava.security.manager WSBugDemo
  sun.beans.editors.StringEditor

ACTUAL -
java BugDemo:
  sun.beans.editors.StringEditor

java -Djava.security.manager BugDemo
  failure

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
public class BugDemo {
	public static void main(String[] args) {
		PropertyEditor pe = PropertyEditorManager.findEditor(String.class);
		if (pe == null) {
			System.out.println("failure");
		} else {
			System.out.println(pe.getClass().getName());
		}
	}
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
The default security policy file can be altered. This requires the user to dig in the internals of the VM installation.

The application can be shipped with the Java WebStart <all-permissions> tag, however,  for security-conscious users, this may be unacceptable.

The implementation of PropertyEditorManager can be altered to wrap the instantiation of the sun.beans.editors.fooEditor in a PrivledgedAction, but it is against the Java license to ship an altered core class.
###@###.### 2005-04-20 17:21:21 GMT

Comments
EVALUATION ClassFinder should be updated.
11-12-2006

EVALUATION The reason of this bug goes deep to class loader code. Need to investrigate it more carefully. ###@###.### 2005-04-25 17:22:41 GMT
25-04-2005