AW: Webstart security problem

Alan Bateman Alan.Bateman at oracle.com
Mon Nov 7 10:05:22 UTC 2016


On 07/11/2016 09:34, Mueller-Schramm, Gerd wrote:

> I've tried to set java.security.debug via Java Control Panel but it seems to have no effect for Webstart. Printing out all system properties in the Java Console shows that it isn't set at all. But I've set trace level to 5 an got the following output - sorry for the German parts of the output :-) :
Thanks, I think there's enough here to get started.

For the first one then the issue is that the intersection of the 
permissions granted to to webstart, your application, java.xml.ws, and 
java.xml don't include access to the file system to create the URI or 
file path to the system catalog. This is either JAXP missing a 
doPrivileged or java.xml.ws needing to be granted additional 
permissions. As JAX-WS in in the process of being updated to use the new 
Catalog API then it's possible that this issue will resolve itself 
shortly. If it doesn't (because the new catalog API also needs file 
access) then it's a good time to address this issue.

The second issue is that java.xml.ws doesn't have permission to get the 
default proxy. This may have been an oversight in the work to identify 
the minimum permissions needed by java.xml.ws.

I'll create bugs for both of these issues.

Note that this kind of report is exactly what is needed in order to 
shake out issues with JDK 9. In this case, many non-core modules have 
been moved out of the boot loader (where they had all permissions) to 
the platform class loader with reduced permissions. This is good for the 
overall security of the platform but it is not always easy to identify 
the permissions to grant and so needs lots of usage and testing to shake 
out issues.

-Alan



More information about the jdk9-dev mailing list