Bug ID: 6466058 OceanTheme causes swing components to serialize with sun.* classes

Details
Type: Bug
Submit Date: 2006-08-31
Status: Closed
Updated Date: 2011-03-08
Project Name: JDK
Resolved Date: 2011-03-08
Component: client-libs
OS: linux
Sub-Component: javax.swing
CPU: x86
Priority: P4
Resolution: Fixed
Affected Versions: 5.0
Fixed Versions: 7


Description
FULL PRODUCT VERSION :
java version "1.5.0_08"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_08-b03)
Java HotSpot(TM) Client VM (build 1.5.0_08-b03, mixed mode, sharing)

java version "1.6.0-rc"
Java(TM) SE Runtime Environment (build 1.6.0-rc-b92)
Java HotSpot(TM) Client VM (build 1.6.0-rc-b92, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
When serializing Swing components (tested with JFrame and JPanel) with the Ocean theme, classes from sun.swing.* are serialised. sun.* classes cannot be deserialised. This will cause an AccessControlException in untrusted code.

Examining the serializer data, the class sun.swing.PrintColorUIResource appears to be present. This class appears in javax.swing.plaf.metal.OceanTheme.CONTROL_TEXT_COLOR and OCEAN_BLACK. Using the -Dswing.metalTheme=steel command line option switches to the Steel theme and prevents the exception. I believe Component.doSwingSerialization should remove PL&F artifacts during serialization.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The program below sets a security manager, serialises a JPanel and then deserialises it. Run as:

java OceanSun

  To run without Ocean (and hence the exception):

java  -Dswing.metalTheme=steel OceanSun


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The program should run and exit without error.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.swing)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClassInternal(Unknown Source)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Unknown Source)
        at java.io.ObjectInputStream.resolveClass(Unknown Source)
        at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
        at java.io.ObjectInputStream.readClassDesc(Unknown Source)
        at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
        at java.io.ObjectInputStream.readObject0(Unknown Source)
        at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
        at java.io.ObjectInputStream.defaultReadObject(Unknown Source)
        at java.awt.Component.readObject(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
        at java.io.ObjectInputStream.readSerialData(Unknown Source)
        at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
        at java.io.ObjectInputStream.readObject0(Unknown Source)
        at java.io.ObjectInputStream.readObject(Unknown Source)
        at OceanSun.main(OceanSun.java:15)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.*;
import javax.swing.*;

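class OceanSun {
    public static void main(String[] args) throws Exception {
        // Install a default SecurityManager so package-access checks apply to sun.* classes.
        System.setSecurityManager(new SecurityManager());
        // Serialise a JPanel under the default (Ocean) Metal theme.
        ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(byteOut);
        JPanel frame = new JPanel();
        out.writeObject(frame);
        out.close();
        ObjectInputStream in = new ObjectInputStream(
            new ByteArrayInputStream(byteOut.toByteArray())
        );
        // Deserialising fails here: the stream references sun.swing.PrintColorUIResource.
        JPanel readFrame = (JPanel)in.readObject();
    }
}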

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Don't use Ocean when serializing components. It may be possible to overwrite the relevant Color properties on the Component.

                                    

Comments
EVALUATION

Contribution forum : https://jdk-collaboration.dev.java.net/servlets/ProjectForumMessageView?forumID=1463&messageID=15307
                                     
2006-09-06
EVALUATION

Since PrintColorUIResource resides in the sun.swing package, access can be disallowed to it by a security manager. When access is disallowed, deserialization of any object with reference to a PrintColorUIResource fails. Since PrintColorUIResource is used only by Swing's look and feels, and we know that UI supplied colors are replaced after deserialization when the UI is re-installed, the only important aspect of the PrintColorUIResource that needs to be persisted is the fact that it is a ColorUIResource. As such, we can avoid the problem by giving PrintColorUIResource a writeReplace() method that replaces the problematic PrintColorUIResource with a plain ColorUIResource during serialization.

Note: As a result of this method, it is not possible to write a PrintColorUIResource to a stream and then read back a PrintColorUIResource. This is acceptable since we don't have a requirement for that in Swing.
                                     
2006-09-05
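
The writeReplace() substitution described in the evaluation above, as an added example that is not the JDK's own code. The class names InternalColor, ReplacedColor and RestrictedIn are hypothetical, and the resolveClass filter is an assumed stand-in for the security manager's package-access check on sun.swing.

```java
import java.io.*;
import javax.swing.plaf.ColorUIResource;

public class WriteReplaceDemo {
    // Hypothetical stand-in for an internal subclass such as sun.swing.PrintColorUIResource.
    static class InternalColor extends ColorUIResource {
        InternalColor(int rgb) { super(rgb); }
    }

    // Same idea, but the object swaps itself for its public supertype when written.
    static class ReplacedColor extends ColorUIResource {
        ReplacedColor(int rgb) { super(rgb); }
        private Object writeReplace() { return new ColorUIResource(this); }
    }

    // Reader that refuses this demo's nested classes; it plays the role of the
    // accessClassInPackage check that rejects sun.swing in untrusted code.
    static class RestrictedIn extends ObjectInputStream {
        RestrictedIn(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (desc.getName().startsWith(WriteReplaceDemo.class.getName() + "$")) {
                throw new InvalidClassException(desc.getName(), "access denied");
            }
            return super.resolveClass(desc);
        }
    }

    // Serialise the object, then read it back through the restricted reader.
    static String roundTrip(Object o) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in =
                 new RestrictedIn(new ByteArrayInputStream(bytes.toByteArray()))) {
            return "read back " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected " + e.classname;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip(new InternalColor(0x333333)));
        System.out.println(roundTrip(new ReplacedColor(0x333333)));
    }
}
```

The first round trip fails because the stream carries the internal class descriptor; the second succeeds because only ColorUIResource and its superclass are ever written.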
EVALUATION

Introduced by the fix to 6201884. Need to solve this.
                                     
2006-08-31


