JDK-8061643 : JavaWS fails with proxy autoconfig due to missing "resolve" permission
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u25
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2014-10-16
  • Updated: 2016-01-20
  • Resolved: 2014-10-31
  • JDK 6: 6u85 Fixed
  • JDK 7: 7u72 Fixed
  • JDK 8: 8u25 Fixed
  • JDK 9: 9 Fixed
Description
FULL PRODUCT VERSION :
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Corporate Environment - No direct connection to the internet - only via http/socks proxies

A DESCRIPTION OF THE PROBLEM :
When in an environment where proxy configuration is determined by an autoconfig-script and jars have to be downloaded via proxies, JavaWS fails because of java.security.AccessControlException: access denied ("java.net.SocketPermission" "docs.oracle.com" "resolve")

Because of different proxies for different destinations, a single proxy configuration isn't applicable.


REGRESSION.  Last worked in version 8u20

ADDITIONAL REGRESSION INFORMATION: 
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Be in a corporate environment and only have access to the internet and other destinations via (multiple) proxies

2. Deploy an autoconfig.conf like this:
(actual content doesn't really matter here)
====================
function FindProxyForURL(url, host)
{
	if(dnsResolve(host) == '') {
		return "DIRECT";
	}
	if (!isResolvable(host) && dnsDomainIs(host, "some.domain.com"))
	{
		return "PROXY a.proxy.in.your.company:proxyport";
	}
	if (isInNet(host, "255.255.0.0", "255.255.0.0") && false)
	{
		return "DIRECT";
	}
	return "PROXY yourproxy:yourproxyport";
}
====================

3. Go to http://docs.oracle.com/javase/tutorial/uiswing/layout/gridbag.html
and launch the demo: 
	http://docs.oracle.com/javase/tutorialJWS/samples/uiswing/GridBagLayoutDemoProject/GridBagLayoutDemo.jnlp

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The jnlp should load and spawn a new java process launching the demo.
ACTUAL -
The Application could not be started because of com.sun.deploy.net.FailedDownloadException: Ressource konnte nicht geladen werden: http://docs.oracle.com/javase/tutorialJWS/samples/uiswing/GridBagLayoutDemoProject/GridBagLayoutDemo.jnlp

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.AccessControlException: access denied ("java.net.SocketPermission" "docs.oracle.com" "resolve")
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkConnect(Unknown Source)
	at java.net.InetAddress.getAllByName0(Unknown Source)
	at java.net.InetAddress.getAllByName(Unknown Source)
	at java.net.InetAddress.getAllByName(Unknown Source)
	at java.net.InetAddress.getByName(Unknown Source)
	at com.sun.deploy.net.proxy.PACFunctionsImpl.dnsResolve(Unknown Source)
	at com.sun.deploy.net.proxy.PACFunctionsImpl.isResolvable(Unknown Source)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler$9.apply(Unknown Source)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler$9.apply(Unknown Source)
	at jdk.nashorn.internal.scripts.Script$\^eval\_.:scopeCall-6(<eval>)
	at jdk.nashorn.internal.scripts.Script$\^eval\_.FindProxyForURL(<eval>:155)
	at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:539)
	at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:209)
	at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:378)
	at jdk.nashorn.api.scripting.ScriptObjectMirror.callMember(ScriptObjectMirror.java:185)
	at jdk.nashorn.api.scripting.NashornScriptEngine.invokeImpl(NashornScriptEngine.java:505)
	at jdk.nashorn.api.scripting.NashornScriptEngine.invokeFunction(NashornScriptEngine.java:227)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler.jsGetProxyInfo(Unknown Source)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler.access$100(Unknown Source)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler$2.run(Unknown Source)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler$2.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler.jsGetProxyInfo(Unknown Source)
	at com.sun.deploy.net.proxy.SunAutoProxyHandler.getProxyInfo(Unknown Source)
	at com.sun.deploy.net.proxy.DynamicProxyManager.getProxyList(Unknown Source)
	at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
	at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
	at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
	at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
	at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
	at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
http://docs.oracle.com/javase/tutorialJWS/samples/uiswing/GridBagLayoutDemoProject/GridBagLayoutDemo.jnlp
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
When you must use an autoconfig-script in your environment - there's no workaround except sticking to Java 8u20 or Java 7u67; but those have critical security advisories.

SUPPORT :
YES


Comments
Filed new issue JDK-8064328 to cover this scenario in deploy unit tests.
07-11-2014

SQE OK to take regression bug fix to CPU15_01
06-11-2014

15_01 Critical Request This is a regression of the patch for the security issue (8046651). Without the fix for this issue (8061643) it's impossible to use "dnsResolve" function in PAC scripts. The fix is low risk, it's applicable and ready for all releases (6u,7u,8u,9).
05-11-2014

I can reproduce by setting proxy script to http://oklahoma.us.oracle.com/www/tests/wpad/wpad.dat1 in JCP network settings dialog. Looks like some of the new bindings for PAC functions implemented in java (in PACFunctionsImpl.java) need doPrivileged blocks when run from sandboxed app.
27-10-2014
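
The pattern named in the comment above, as an added example for Java 8 (not part of the original report and not the JDK's actual patch): a Java-implemented PAC helper that wraps the DNS lookup in a doPrivileged block limited to the "resolve" action. The class PacDnsSketch and its method bodies are hypothetical; only the names dnsResolve and isResolvable come from the report.

```java
import java.net.InetAddress;
import java.net.SocketPermission;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical stand-in for a Java-implemented PAC binding (not the JDK's PACFunctionsImpl).
public class PacDnsSketch {

    // Plain lookup: InetAddress.getByName() calls SecurityManager.checkConnect(host, -1).
    // The check walks the stack up to the nearest doPrivileged caller, and every frame
    // on the way must hold SocketPermission(host, "resolve"), or the lookup throws
    // AccessControlException as in the trace above.
    static String lookup(String host) {
        try {
            return InetAddress.getByName(host).getHostAddress();
        } catch (UnknownHostException e) {
            return ""; // assumed convention for "not resolvable" in this sketch
        }
    }

    // Privileged lookup: the stack walk stops at this frame, so callers further up
    // (script frames, sandboxed code) are not consulted. The third argument limits
    // the asserted privilege to resolving this one host (overload added in Java 8).
    static String dnsResolve(final String host) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                return lookup(host);
            }
        }, null, new SocketPermission(host, "resolve"));
    }

    static boolean isResolvable(String host) {
        return !dnsResolve(host).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample input; "localhost" resolves without network access.
        System.out.println("dnsResolve(localhost)   = " + dnsResolve("localhost"));
        System.out.println("isResolvable(localhost) = " + isResolvable("localhost"));
    }
}
```

Because the PAC script chooses the host names, such a wrapper lets less-privileged callers trigger DNS lookups. Limiting the asserted permission to "resolve" keeps it from also covering "connect".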

I would think this is caused by fix to JDK-8038986, but that was fixed in 8u20, and submitter says this is not broken till 8u25 - still related
23-10-2014

Pending Dev consideration.
21-10-2014