Bug ID: 6818278 sunmc console when started with javaws does not communicate with the firewall port range

6818278 : sunmc console when started with javaws does not communicate with the firewall port range

Details

Type:	Enhancement	Submit Date:	2009-03-17
Status:	Closed	Updated Date:	2010-06-09
Project Name:	JDK	Resolved Date:	2009-05-17
Component:	deploy	OS:	solaris_10,windows_xp
Sub-Component:	webstart	CPU:	x86,sparc
Priority:	P2
Resolution:	Fixed
Affected Versions:	5.0u12
Fixed Versions:	6u14

Related Reports

Backport:	JDK-2175811 - sunmc console when started with javaws does not communicate with the firewall port range
Backport:	JDK-2194318 - sunmc console when started with javaws does not communicate with the firewall port range
Backport:	JDK-2182130 - sunmc console when started with javaws does not communicate with the firewall port range
Backport:	JDK-2179630 - sunmc console when started with javaws does not communicate with the firewall port range

Sub Tasks

Description

We are facing an issue with the SunMC console being started with java web start in a firewall-ed environment .
The console and server communication is happening through RMI . 

When the console is started with java the communication happens in the specified port range , (between 45,000 to 48,000 ) but when it is started using java webstart it uses arbitary port range .  

The Sunmc console when started with java with the following options :

/usr/bin/nohup $JAVA $MEMSIZE $C_STACKSIZE $FIREWALL_PROPS $PREFS_ROOT -DESROOT=$ESROOT com.sun.symon.base.console.main.ConsoleMain $ARGLIST -k 687a8398ad4a85077d33b72a94e16ffde0c4ba023e9c9ba77b247cc25bd3cd0015bc24b7429916751e681fd02e5ad6eb5345eb7c75b39a1c304e0f000846aa470b755b0640af974e7fc70daa6191dff6efa31a09431bb5e9848b7dc4cf4b97e1dbca31792d2860ca5a5990dfb369e1bcf296274a4e4984c8089329679dd304cd base-console.x >/dev/null 2>&1

The netstat output at the server is :

10.12.184.12.2099    10.12.162.93.45006   66384      0 49232      0 ESTABLISHED
10.12.184.12.39401   10.12.162.93.45009   66608      0 49232      0 ESTABLISHED
10.12.184.12.2099    10.12.162.93.45006   66384      0 49232      0 ESTABLISHED
10.12.184.12.39401   10.12.162.93.45009   65504      0 49232    268 ESTABLISHED
10.12.184.12.40498   10.12.162.93.45003   65204      0 49640      0 ESTABLISHED
10.12.184.12.2099    10.12.162.93.45006   66384      0 49232      0 ESTABLISHED
10.12.184.12.39401   10.12.162.93.45009   65504     50 49232      0 ESTABLISHED
10.12.184.12.40498   10.12.162.93.45003   65700      0 49640    106 ESTABLISHED
Console communication is happening using the correct port range .

Similarly when the SunMC console is started with javaws the options being passed are :
 /usr/bin/nohup /usr/jdk/jdk1.5.0_12/bin/javaws $MEMSIZE $C_STACKSIZE $FIREWALL_PROPS $PREFS_ROOT -J-DESROOT=$ESROOT /var/tmp/smconsole.jnlp

when the application is started with javaws the netstat output is :
10.12.184.12.2099    10.12.162.93.37015   66384      0 49232      0 ESTABLISHED
10.12.184.12.39401   10.12.162.93.37016   65680      0 49232      0 ESTABLISHED
10.12.184.12.40565   10.12.162.93.37014   65204      0 49640      0 ESTABLISHED
10.12.184.12.2099    10.12.162.93.37015   66384      0 49232      0 ESTABLISHED
10.12.184.12.39401   10.12.162.93.37016   65504     50 49232      0 ESTABLISHED
10.12.184.12.40565   10.12.162.93.37014   64824      0 49640    106 ESTABLISHED

where 10.12.184.12 is a sunmc server 
10.12.162.93 is the sunmc console 
Communication happening using the wrong port ranges at the console . outside(45,000 to 48,000 )

Comments

EVALUATION

just to confirm:
The fix being put in here is just for the RMISocketFactory.
if a jnlp file included:
      <property name="jnlp.cfg.normifactory" value="true"/>
the javaws will not set the RMISocketFactory to the DeploySocketFactory, and the application will then be free to set it itself.

2009-04-08

EVALUATION

There are several things invalid here from Java Web Start point of view.
First, you cannot invoke java web start with insecure vm-args and property settings, and expect them to be passed on the command line.  Javaws specification and doccumentation clearly state, that insecure properties will only be set by javaws after java is started before application code is called.
you set 6 insecure properties in the jnlp file:
 <property name="sunmc.server.console.firewall.Enable" value= "true" />
 <property name="sunmc.server.console.firewall.MinPort" value= "45000" />
 <property name="sunmc.server.console.firewall.MaxPort" value= "48000" />
 <property name="INTERFACE_PATH" value= "C:\Program Files" />
 <property name="sunmc.cfg" value= "javaconsole.properties" />
 <property name="java.security.policy" value= "rmiConsole.policy" />
then try to get arround this restriction by using the -J<vm-arg> argument to javaws to set the same properties.
However, -J<vm-arg> will only work for <vm-args> not already used by the java web start launcher to launch java web start.
The one property I see here that is already used by Java Web Start, -J-Djava.security.policy=rmiConsole.policy
would likely prevent this from working, 

Please add the -verbose arg to javaws and look at and record what the args to java actually are.

When I do this with the cache viewer, simply calling:
javaws -J-Djava.security.policy=rmiConsole.policy -verbose -viewer

javaws -J-Djava.security.policy=rmiConsole.policy -verbose -viewer , I can see java is launched with this property multiply deffined:

java -Xbootclasspath/a:/usr/jdk/instances/jdk1.7.0/jre/lib/javaws.jar:/usr/jdk/instances/jdk1.7.0/jre/lib/deploy.jar:/usr/jdk/instances/jdk1.7.0/jre/lib/plugin.jar
 -classpath /usr/jdk/instances/jdk1.7.0/jre/lib/deploy.jar
 -Djava.security.policy=file:/usr/jdk/instances/jdk1.7.0/jre/lib/security/javaws.policy
 -DtrustProxy=true
 -Xverify:remote
 -Djnlpx.home=/usr/jdk/instances/jdk1.7.0/jre/bin
 -Djava.security.policy=rmiConsole.policy
 -Djnlpx.jvm=/usr/jdk/instances/jdk1.7.0/jre/bin/java
 -Djnlpx.vmargs=-Djava.security.policy=rmiConsole.policy
 com.sun.javaws.Main
 -viewer

also, the rmiConsole.policy is called with an unfully qualified path name, which may be ok if you are launching from command line, but may not.
Normally, a javaws app cannot have a determinable "current directory" since it is launched from a browser.

finally, and more importantly even, you are launching javaws version 1.5.0_12, yet you are using the -J argument to javaws.
support for -J argument was added to javaws in version 1.6.0, so all of the -J args are passed on to java as additional args to the java code.
in 1.5.0 family, you can not use the -verbose mentioned above, but you can do the same thing by setting environment variable:
JAVAWS_TRACE_NATIVE = 1
similarily, you might be able to force in the same thing as passing -J args, by setting the environmental variable:
JAVAWS_VM_ARGS = -Djava.security.policy=rmiConsole.policy
but I am not sure if there is any way to pass multiple additional vm args.

2009-03-25

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together