Bug ID: 6672250 Regression: new jnlp.packEnabled property breaks sophisticated applets using LiveConnect

6672250 : Regression: new jnlp.packEnabled property breaks sophisticated applets using LiveConnect

Details

Type:	Bug	Submit Date:	2008-03-06
Status:	Closed	Updated Date:	2013-01-10
Project Name:	JDK	Resolved Date:	2008-05-15
Component:	deploy	OS:	generic,windows_xp
Sub-Component:	deployment_toolkit	CPU:	x86,generic
Priority:	P2
Resolution:	Fixed
Affected Versions:	6u10
Fixed Versions:	6u10

Related Reports

Relates:	JDK-6378311 - support versioning and pack in plugin and webstart without need for version based download protocol
Relates:	JDK-6665053 - Access denied when read jnlp.packEnabled jnlp.packEnabled property

Sub Tasks

Description

The introduction of client-side Pack200 selection in 6378311 has introduced a regression in sophisticated applets using LiveConnect because of the fact that the new code does not use AccessController.doPrivileged() to read the jnlp.packEnabled system property. If JavaScript calls into Java and causes a resource to be loaded, since the JavaScript frame on the stack does not have the permission to read the jnlp.packEnabled system property, a SecurityException will be raised deep in the deployment code and the application will return null for their call to ClassLoader.getResourceAsStream(). This regression was reproduced with NeuroDNA's product at http://www.neurodna.com/ and may affect other real-world applets. It is related to an earlier bug, 6665053.

Comments

SUGGESTED FIX

http://sa.sfbay.sun.com/projects/deployment_data/6u10/6672250.0
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_10/6672250

2008-03-07

EVALUATION

The introduction of client-side Pack200 selection in 6378311 has
introduced a regression in sophisticated applets using LiveConnect
because of the fact that the new code does not use
AccessController.doPrivileged() to read the jnlp.packEnabled system
property. If JavaScript calls into Java and causes a resource to be
loaded, since the JavaScript frame on the stack does not have the
permission to read the jnlp.packEnabled system property, a
SecurityException will be raised deep in the deployment code and the
application will return null for their call to
ClassLoader.getResourceAsStream(). This regression was reproduced with
NeuroDNA's product at http://www.neurodna.com/ and may affect other
real-world applets. It is related to an earlier bug, 6665053.

Fixed this by properly using AccessController.doPrivileged() to fetch
this system property in the PluginURLJarFileCallBack. Also refactored
code in the new plug-in to grant the default set of permissions for
untrusted code to calls coming in from JavaScript, which are treated
as coming from untrusted code hosted at the document base.

2008-03-07

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together