[Bug 1017] New: Class files in an app's root dir should not be available to webstart at runtime

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Mon May 28 11:23:29 PDT 2012 

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1017

          Priority: P3
            Bug ID: 1017
                CC: unassigned at icedtea.classpath.org
          Assignee: omajid at redhat.com
           Summary: Class files in an app's root dir should not be
                    available to webstart at runtime
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: ddadacha at redhat.com
          Hardware: x86_64
            Status: NEW
           Version: unspecified
         Component: NetX (javaws)
           Product: IcedTea-Web

Setup an app running from 'javaws http://example.com/scratch/app.jnlp' and have
the main class call some.pkged.Helper.doSomething(). This class should _not_ be
in any of the JNLP's resources. Instead, it should be found at
http://example.com/scratch/some/pkged/Helper.class.

The app should not be able to find some.pkged.Helper since it isn't in any of
the JNLP's resources. However, it runs fine on HEAD. 

If the helper class runs code that needs more permissions, the following
exception is thrown:

Error: No security instance for http://example.com/scratch/. The application
may have trouble continuing
java.lang.RuntimeException: Code source security was null
    at
net.sourceforge.jnlp.runtime.JNLPClassLoader.getPermissions(JNLPClassLoader.java:923)
    at
net.sourceforge.jnlp.runtime.JNLPPolicy.getPermissions(JNLPPolicy.java:86)
    at net.sourceforge.jnlp.runtime.JNLPPolicy.implies(JNLPPolicy.java:182)
    at java.security.ProtectionDomain.implies(ProtectionDomain.java:272)
    at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:344)
    at
java.security.AccessController.checkPermission(AccessController.java:555)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at
net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:284)
    at java.lang.System.getenv(System.java:933)
    at some.pkged.Helper.doSomething(Helper.java:5)
    at MyApp.init(MyApp.java:12)
    at sun.applet.AppletPanel.run(AppletPanel.java:435)
    at java.lang.Thread.run(Thread.java:722)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20120528/d4f19904/attachment.html

More information about the distro-pkg-dev mailing list