[Bug 1592] New: icedtea-web drop permissions on signed jars when run in combination with unsigned code

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Fri Nov 1 09:11:39 PDT 2013 

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1592

            Bug ID: 1592
           Summary: icedtea-web drop permissions on signed jars when run
                    in combination with unsigned code
    Classification: Unclassified
           Product: IcedTea
           Version: unspecified
          Hardware: all
               URL: http://jogamp.org/deployment/jogamp-current/jogl-apple
                    t-runner-newt-gears-normal-napplet.html
                OS: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: NPPlugin
          Assignee: aazores at redhat.com
          Reporter: xerxes at zafena.se
                CC: dbhole at redhat.com, unassigned at icedtea.classpath.org

IcedTea-Web 1.5pre+re6ba4b4dea45

http://jogamp.org/deployment/jogamp-current/jogl-applet-runner-newt-gears-normal-napplet.html
This URL and applet only uses signing for the jars that require it
This applet is supposed to follow the mixed code guideline:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/mixed_code.html

This URL and applet runs fine on Oracle's plug-in after accepting the warning
dialogue box granting the applet permission to run.

When using icedtea-web this applet fails to run, after the security dialogue is
accepted it then catches an security exception in the code that is supposed to
be signed.
The applet fails to run using both
High Security - User will be promted for each unsigned applet
and Low Security - All, even unsigned, applets will be run

Stored action for unsigned applet at
http://jogamp.org/deployment/jogamp-current/ was A - Always trust this
(matching) applet(s)
Class-Path attribute cleared for
/home/xranby/.cache/icedtea-web/cache/0/http/jogamp.org/deployment/jogamp-current/jar/jogl-all.jar
Consumer thread 2 woken...
Class-Path attribute cleared for
/home/xranby/.cache/icedtea-web/cache/2/http/jogamp.org/deployment/jogamp-current/jar/gluegen-rt.jar
Denying permission: ("java.security.AllPermission" "<all permissions>" "<all
actions>")
Exception in thread "Applet" java.lang.ExceptionInInitializerError
at
com.jogamp.newt.awt.applet.JOGLNewtAppletBase.<clinit>(JOGLNewtAppletBase.java:59)
at
com.jogamp.newt.awt.applet.JOGLNewtApplet1Run.<clinit>(JOGLNewtApplet1Run.java:97)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at java.lang.Class.newInstance(Class.java:374)
at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:710)
at net.sourceforge.jnlp.Launcher.getApplet(Launcher.java:650)
at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:878)
Caused by: java.security.AccessControlException: access denied
("java.security.AllPermission" "<all permissions>" "<all actions>")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at
net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:285)
at com.jogamp.common.util.SecurityUtil.checkPermission(SecurityUtil.java:118)
at
com.jogamp.common.util.SecurityUtil.checkAllPermissions(SecurityUtil.java:109)
at
com.jogamp.common.util.PropertyAccess.addTrustedPrefix(PropertyAccess.java:63)
at jogamp.newt.Debug.access$000(Debug.java:50)
at jogamp.newt.Debug$1.run(Debug.java:59)
at java.security.AccessController.doPrivileged(Native Method)
at jogamp.newt.Debug.<clinit>(Debug.java:56)
... 10 more
java.lang.NullPointerException
at net.sourceforge.jnlp.NetxPanel.runLoader(NetxPanel.java:117)
at sun.applet.AppletPanel.run(AppletPanel.java:380)
at java.lang.Thread.run(Thread.java:724)

Full logs: https://gist.github.com/xranby/557669f9704abb118ac9

Expected behaviour is that the applet runs and passes the security exception
after the user accepts the dialouge box and grants the application to run.


IcedTea-web currently only runs URL and applets where all jars are signed.
Example these two jogamp test applications work ok:
http://jogamp.org/deployment/jogamp-current/jogl-applet-version-napplet.html
http://jogamp.org/deployment/test/jake2/jake2-napplet01.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20131101/23745b65/attachment.html

More information about the distro-pkg-dev mailing list