Bug ID: JDK-6593830 FactoryURLClassLoader permissions constrain security-related applet operations

Type: Bug
Component: deploy
Sub-Component: deployment_toolkit
Affected Version: 6,7
Priority: P4
Status: Closed
Resolution: Duplicate
OS: windows_xp
CPU: x86
Submitted: 2007-08-16
Updated: 2013-09-12
Resolved: 2011-05-23
JDK 7
7Resolved
FULL PRODUCT VERSION :
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
Thread.inheritedAccessControlContext has all the permissions the plugin has but the created FactoryURLClassLoader only has a SocketPermission associated with it. Later their two respective ProtectionDomain arrays get combined in the AccessControlContext.optimize() method therefore when checkPermission() is called the security check will fail when it reaches the permission set containing only the SocketPermission but not the needed "http.agent read" permission.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Run the test case so test.xml gets cached. No errors.
2) Run the test again and get the error.



ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.AccessControlException: access denied (java.util.PropertyPermission http.agent read)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
	at java.security.AccessController.checkPermission(AccessController.java:546)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
	at java.lang.System.getProperty(System.java:652)
	at com.sun.deploy.net.BasicHttpRequest.createUrlConnection(Unknown Source)
	at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
	at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.isUpdateAvailable(Unknown Source)
	at com.sun.deploy.cache.DeployCacheHandler.get(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:685)
	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:658)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
	at java.net.URL.openStream(URL.java:1009)
	at java.lang.ClassLoader.getResourceAsStream(ClassLoader.java:1161)
	at java.lang.Class.getResourceAsStream(Class.java:2030)
	at URLClassLoaderTest.play(URLClassLoaderTest.java:21)
	at URLClassLoaderTest.init(URLClassLoaderTest.java:10)
	at sun.applet.AppletPanel.run(AppletPanel.java:417)
	at java.lang.Thread.run(Thread.java:619)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.applet.Applet;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;

public class URLClassLoaderTest extends Applet{

    public void init(){
        try{
            ((Applet)URLClassLoader.newInstance(new URL[]{getCodeBase()},null).loadClass(URLClassLoaderTest.class.getName()).newInstance()).play(getCodeBase());
        }
        catch(Exception e){
            e.printStackTrace();
        }
    }
    
    public void play(URL codeBase){
        try{
            InputStream is= getClass().getResourceAsStream("test.xml");
            while(is.read()!=-1);
            is.close();
        }
        catch(Exception e){
            e.printStackTrace();
        }
    }
    
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Clear jvm cache every time before running such an applet.