JDK-7044443 : Permissions resolved incorrectly for jar protocol (Patch from bugs.openjdk.java.net)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2011-05-12
  • Updated: 2011-06-22
  • Resolved: 2011-06-22
JDK 7: 7 b145 (Fixed)
Description
If this isn't the right cat/subcat, please reassign.

Please see the patch submitted by Red Hat at:

https://bugs.openjdk.java.net/show_bug.cgi?id=100142

This got missed in JDK 7.  It could be considered a regression, since it works in 6.

Comments
EVALUATION Changeset: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/0a80650409e1
24-05-2011

WORK AROUND Use a file: URL to reference the jar instead.
18-05-2011

EVALUATION This would appear to be a regression as a result of the changes for CR 5021645. Before 5021645, url.openConnection().getPermission() was used to determine the permission. For jar URLs this will create a new JarURLConnection that will delegate the getPermission request to its "wrapped" URL, in this case file://... After 5021645, url.getProtocol() is used to manually determine whether the URL is a file URL or not. This will not work for jar URLs, since they just wrap other URLs. The changes for CR 5021645 could be reversed, or url.getProtocol() equal to "jar" could be special-cased to use url.getFile() to look inside the jar URL.
13-05-2011
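The difference described in the evaluation can be reproduced with public java.net APIs. The following is an added example, not code from the changeset or the Red Hat patch; the class name, the helper names and the path /opt/app/lib.jar are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.security.Permission;

public class JarUrlPermissionDemo {

    // Approach used before CR 5021645, per the evaluation: ask the connection.
    // For a jar: URL the JarURLConnection delegates to the wrapped URL's
    // connection, so a jar over file: yields a permission on the local file.
    static Permission viaConnection(URL url) throws IOException {
        return url.openConnection().getPermission();
    }

    // Special-case approach suggested in the evaluation: when the protocol is
    // "jar", use getFile() to reach the wrapped URL before checking protocols.
    static URL unwrap(URL url) throws IOException {
        if (!"jar".equals(url.getProtocol())) {
            return url;
        }
        String spec = url.getFile();      // wrapped URL followed by "!/" and the entry
        int sep = spec.indexOf("!/");
        if (sep < 0) {
            throw new IOException("no !/ separator in jar URL: " + url);
        }
        return URI.create(spec.substring(0, sep)).toURL();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample URL; the jar does not have to exist, because
        // nothing here opens the file.
        URL jarUrl = URI.create("jar:file:/opt/app/lib.jar!/").toURL();

        // A protocol-only check sees "jar" and never reaches the file: branch.
        System.out.println("getProtocol():         " + jarUrl.getProtocol());
        // After unwrapping, the same check sees the wrapped file: URL.
        System.out.println("unwrapped URL:         " + unwrap(jarUrl));
        System.out.println("unwrapped protocol:    " + unwrap(jarUrl).getProtocol());
        // The connection-based lookup resolves to the wrapped file as well.
        System.out.println("connection permission: " + viaConnection(jarUrl));
    }
}
```

Running it against a policy that grants permissions by code source location makes it easy to confirm whether a given JDK build resolves jar: and file: references to the same jar consistently.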