AW: Webstart security problem
Alan Bateman
Alan.Bateman at oracle.com
Mon Nov 7 10:05:22 UTC 2016
On 07/11/2016 09:34, Mueller-Schramm, Gerd wrote:
> I've tried to set java.security.debug via Java Control Panel but it seems to have no effect for Webstart. Printing out all system properties in the Java Console shows that it isn't set at all. But I've set trace level to 5 an got the following output - sorry for the German parts of the output :-) :
Thanks, I think there's enough here to get started.
For the first one then the issue is that the intersection of the
permissions granted to to webstart, your application, java.xml.ws, and
java.xml don't include access to the file system to create the URI or
file path to the system catalog. This is either JAXP missing a
doPrivileged or java.xml.ws needing to be granted additional
permissions. As JAX-WS in in the process of being updated to use the new
Catalog API then it's possible that this issue will resolve itself
shortly. If it doesn't (because the new catalog API also needs file
access) then it's a good time to address this issue.
The second issue is that java.xml.ws doesn't have permission to get the
default proxy. This may have been an oversight in the work to identify
the minimum permissions needed by java.xml.ws.
I'll create bugs for both of these issues.
Note that this kind of report is exactly what is needed in order to
shake out issues with JDK 9. In this case, many non-core modules have
been moved out of the boot loader (where they had all permissions) to
the platform class loader with reduced permissions. This is good for the
overall security of the platform but it is not always easy to identify
the permissions to grant and so needs lots of usage and testing to shake
out issues.
-Alan
More information about the jdk9-dev
mailing list