<AWT Dev> Bug in AWT's image-loading Security checking?

Clemens Eisserer linuxhippy at gmail.com
Wed Nov 7 05:40:40 PST 2007 

Hello,

I recently stumbled over a strange issue with a signed applet when
loading images:

The following code throws a SecurityException:
new ImageIcon(new URL("http://juibrowser.sf.net/imgs/1.png")).getImage();

However this code works:
InputStream is = new URL("http://juibrowser.sf.net/imgs/1.png").openStream();
ByteArrayOutputStream bos = new ByteArrayOutputStream();
int read = 0;
while ((read = is.read()) != -1) bos.write(read);
new ImageIcon(bos.toByteArray()).getImage();

So in both cases java has to contact
http://juibrowser.sf.net/imgs/1.png, and although its deployed from
another server it should be allowed to do so in both cases because its
signed.


This is the Exception that has been thrown in the first case:
at java.lang.SecurityManager.checkPermission(SecurityManager.java:588)
	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1104)
	at sun.awt.image.URLImageSource.checkSecurity(URLImageSource.java:97)
	at sun.awt.image.ImageRepresentation.imageComplete(ImageRepresentation.java:636)
	at sun.awt.image.InputStreamImageSource.errorConsumer(InputStreamImageSource.java:147)
	at sun.awt.image.InputStreamImageSource.setDecoder(InputStreamImageSource.java:308)
	at sun.awt.image.InputStreamImageSource.doFetch(InputStreamImageSource.java:262)
	at sun.awt.image.ImageFetcher.fetchloop(ImageFetcher.java:190)
	at sun.awt.image.ImageFetcher.run(ImageFetcher.java:154)

So I dig a bit into jdk7b19's source and found the evil lines:

In ImageRepresentation:
     public void imageComplete(int status) {
	if (src != null) {
	    src.checkSecurity(null, false);
	}
----
which calles into URLImageSource:
 final boolean checkSecurity(Object context, boolean quiet) {
	if (actualHost != null) {
	    try {
                SecurityManager security = System.getSecurityManager();
                if (security != null) {
                    security.checkConnect(actualHost, actualPort, context);
                }
	    } catch (SecurityException e) {
		if (!quiet) {
		    throw e;
		}
......

I am all but a professional when it comes to Java's security
management, but there are two strange things I wonder about:
1.) Why do we check wether we have checkConnect-privilleges, if the
image has already been loaded (just a guess because the method is
named "imageComplete"?
2.) Could it be that this thread somehow has the "wrong"
SecurityContext? So although the threads started by the signed applet
have the right to do teh connect, this thread has not?

For me this has absolutly no priority because the workarround is easy.
However if its a bug I could maybe contribute a fix...

lg Clemens

More information about the awt-dev mailing list