RFR: 8181571: printing to CUPS fails on mac sandbox app [v3]

Alexander Scherbatiy alexsch at openjdk.java.net
Fri Oct 8 11:25:09 UTC 2021 

On Tue, 24 Aug 2021 15:49:00 GMT, Alexander Scherbatiy <alexsch at openjdk.org> wrote:

>> The issue is reproduced on macOS Big Sur 11.0.1 with jdk 16.0.1+9.
>> 
>> Create a native macOS app from the Hello.java file, sign and run it in sandbox:
>> 
>> import javax.print.*;
>> import javax.swing.*;
>> 
>> public class Hello {
>> 
>>     public static void main(String[] args) throws Exception {
>>         SwingUtilities.invokeAndWait(() -> {
>>             boolean isSandboxed = System.getenv("APP_SANDBOX_CONTAINER_ID") != null;
>>             PrintService defaultPrinter = PrintServiceLookup.lookupDefaultPrintService();
>>             PrintService[] services = PrintServiceLookup.lookupPrintServices(null, null);
>> 
>>             StringBuilder builder = new StringBuilder();
>>             builder.append("is sandboxed: ").append(isSandboxed).append("\n");
>>             builder.append("default printer: ").append(defaultPrinter).append("\n");
>>             int size = services.length;
>>             for (int i = 0; i < size; i++) {
>>                 builder.append("printer[").append(i).append("]=").append(services[i]).append("\n");
>>             }
>>             JOptionPane.showMessageDialog(null, builder.toString());
>>         });
>>     }
>> }
>> 
>> The signed app in sandbox shows null default printer and PrintServiceLookup.lookupPrintServices(null, null) returns "Unix Printer: lp".
>> ![PrintSandboxedApp](https://bugs.openjdk.java.net/secure/attachment/95629/PrintSandboxedApp.png)
>> 
>> The problem has been discussed on  2d-dev mail list:
>>   https://mail.openjdk.java.net/pipermail/2d-dev/2017-June/008375.html
>>   https://mail.openjdk.java.net/pipermail/2d-dev/2017-July/008418.html
>> 
>> According to the discussion:
>> 
>>> I've submitted a DTS incident to Apple and a friend there has followed-up.
>>> Their unofficial position is that java should be connecting to the cups interface returned
>>> by the cupsServer() function and not changing the interface string to "localhost".
>>> Security changes in 10.12.4 reject the TCP connection which they say confuses
>>> network-client access with print access.  They don't seem interested in loosening that change.
>> 
>> 
>> The proposed solution is to use the domain socket pathname in httpConnect(...) cups function and cupsGetDests(...) to get list of printers from cups  when the app is signed and is run in sandbox on MacOs.
>
> Alexander Scherbatiy has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Return null if printers are not found in sandboxed app on MacOS

Just some more details about code in CUPSPrinter class static initialization.

The getCupsServer() native method from CUPSPrinter calls j2d_cupsServer() function to get the cups server. If the server name starts with "/" it is replaced to "localhost"
https://github.com/openjdk/jdk/blob/f608e81ad8309a001b8a92563a93b8adee1ce2b8/src/java.desktop/unix/native/common/awt/CUPSfuncs.c#L176

To keep the domain socket path name from j2d_cupsServer() call the fix moves the cups server name handling to the java side. The original domain socket path name is preserved in the  CUPSPrinter class only for MacOS when sandboxed app is used.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4861

More information about the client-libs-dev mailing list