All-Permissions not working properly with sun.plugin2.applet.FXAppletSecurityManager

Kevin Rushforth kevin.rushforth at oracle.com
Mon Jun 16 22:12:21 UTC 2014 

Hi Neil,

If you have a test program that you can send me, I can attach it for you.

Question for you: are all of your jar files (including the third-party 
libs) signed with the same certificate?

-- Kevin


ngalarneau at ABINITIO.COM wrote:
> Also, because I can't login, I can't add a comment to the bug report.
>
> I am also getting a security exception even though my applet is signed 
> & has all permissions.
>
> In this case it is happening on a call to getClassLoader() on the 
> JavaFX thread (not a daemon thread):
>
> Exception in thread "JavaFX Application Thread" 
> java.security.AccessControlException: access denied 
> ("java.lang.RuntimePermission" "getClassLoader")
>         at java.security.AccessControlContext.checkPermission(Unknown 
> Source)
>         at java.security.AccessController.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkPermission(Unknown Source)
>         at 
> sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown 
> Source)
>         at java.lang.ClassLoader.checkClassLoaderPermission(Unknown 
> Source)
>         at java.lang.Class.getClassLoader(Unknown Source)
>         ...
>
> The call to getClassLoader() happens from inside a 3rd party library 
> if that matters.
>
> When I run the identical code as a desktop application it works fine 
> EVEN WHEN I ADD MY OWN SECURITY MANAGER.
>
>
> Thank you for any help,
>
> Neil
>
>
>
>
> From:        Scott Palmer <swpalmer at gmail.com>
> To:        Kevin Rushforth <kevin.rushforth at oracle.com>,
> Cc:        "openjfx-dev at openjdk.java.net" <openjfx-dev at openjdk.java.net>
> Date:        06/13/2014 08:19 PM
> Subject:        Re: All-Permissions not working properly with       
>  sun.plugin2.applet.FXAppletSecurityManager
> Sent by:        "openjfx-dev" <openjfx-dev-bounces at openjdk.java.net>
> ------------------------------------------------------------------------
>
>
>
> Thank you.
>
> Is there a way that people that are not project authors can get 
> notifications of updates?  I can’t click to add myself to the watch 
> list or vote without a login, and it seems to be near impossible to 
> get a login.
> The "Account Help” link on the login page is broken and everything 
> I’ve found in the wiki indicates I need to be a project author to get 
> an account.
>
> Scott
>
>
> On Jun 13, 2014, at 8:05 PM, Kevin Rushforth 
> <kevin.rushforth at oracle.com> wrote:
>
> > Hi Scott,
> >
> > I created two new non-confidential bugs and closed the original ones 
> as duplicates. Here are the new bugs:
> >
> >
> > reflection in daemon thread:
> > JDK-8046825 (was JDK-8040699) : All-Permissions not working properly 
> with sun.plugin2.applet.FXAppletSecurityManager
> >
> > security manager and applet-desc webstart mode:
> > JDK-8046826 (was JDK-8040231) : All permission fx javaws app could 
> not set Security Manager to null.
> >
> > I have copied Dmitry in case he has any information about these bugs.
> >
> > -- Kevin
> >
> >
> > Kevin Rushforth wrote:
> >>
> >> Dmitry can comment further, but it is possible that this issue 
> could be backported to 8u40 if done soon enough.
> >>
> >> I will double-check whether the bugs can be made non-confidential 
> (so you can at least track progress), but I suspect they cannot in 
> their current form, in which case new bugs should be filed with the 
> confidential information moved to confidential comments in the bug. I 
> will help with this.
> >>
> >> -- Kevin
> >>
> >>
> >> Scott Palmer wrote:
> >>> Drat... I was hoping to see something much sooner, like 8u20 
> (obviously too late now) or 8u40.  I'm unable to use Web Start 
> deployment because of this.
> >>>
> >>> Is it necessary for these issues to be blocked from anonymous 
> viewing?
> >>>
> >>> Thanks for the update.
> >>>
> >>> Scott
> >>>
> >>>
> >>> On Wed, Jun 11, 2014 at 11:57 AM, Kevin Rushforth 
> <kevin.rushforth at oracle.com <mailto:kevin.rushforth at oracle.com>> wrote:
> >>>
> >>>     These are now assigned to Dmitry Cherapanov who I have copied 
> here
> >>>     in case he isn't on the openjfx alias. They are both targeted to
> >>>     JDK 9.
> >>>
> >>>     -- Kevin
> >>>
> >>>
> >>>     Scott Palmer wrote:
> >>>
> >>>         I tried to send an email to Thomas asking about the status of
> >>>         these issues
> >>>         (they are not visible to me), but the email bounced (user
> >>>         unknown).  Could
> >>>         someone let me know the status?
> >>>
> >>>         Thanks,
> >>>
> >>>         Scott
> >>>
> >>>
> >>>         On Thu, Apr 17, 2014 at 1:25 AM, Thomas Ng
> >>>         <thomas.v.ng at oracle.com <mailto:thomas.v.ng at oracle.com>> 
> wrote:
> >>>
> >>>          
> >>>              Thanks for the report!
> >>>
> >>>             Two bugs created for this:
> >>>
> >>>             security manager and applet-desc webstart mode:
> >>>             https://bugs.openjdk.java.net/browse/JDK-8040231
> >>>
> >>>             reflection in daemon thread:
> >>>             https://bugs.openjdk.java.net/browse/JDK-8040699
> >>>
> >>>             -thomas
> >>>
> >>>
> >>>               *From: *Scott Palmer <swpalmer at gmail.com
> >>>             <mailto:swpalmer at gmail.com>>
> >>>              *Subject: **All-Permissions not working properly with
> >>>             sun.plugin2.applet.FXAppletSecurityManager*
> >>>              *Date: *April 14, 2014 at 1:07:36 PM PDT
> >>>              *To: *"openjfx-dev at openjdk.java.net
> >>>             <mailto:openjfx-dev at openjdk.java.net>"
> >>>             <openjfx-dev at openjdk.java.net
> >>>             <mailto:openjfx-dev at openjdk.java.net>>
> >>>
> >>>
> >>>             Can someone confirm that all-permissions is working for
> >>>             JavaFX apps
> >>>             that are launched via Web Start with Java 8.0 and use
> >>>             daemon threads
> >>>             in a Service?
> >>>
> >>>             I have a JNLP file that has:
> >>>             <security>
> >>>              <all-permissions/>
> >>>             </security>
> >>>
> >>>             and the manifest of my app's jar has the following
> >>>             instruction in my
> >>>             Gradle script:
> >>>
> >>>             jar {
> >>>                manifest {
> >>>                    attributes('Permissions': 'all-permissions',
> >>>                               'Codebase': '*')
> >>>                }
> >>>             }
> >>>
> >>>             I'm using the javafx gradle plugin and signing the 
> jars...
> >>>             e.g. I see this for every dependency and the main jar:
> >>>             ...
> >>>             Signing (BLOB) C:\Users\scott\.m2\caches\path\to\some.jar
> >>>             Signed as 
> C:\Users\scott\dev\MyProject\build\libs\some.jar
> >>>             ...
> >>>
> >>>             I even tried System.setSecurityManager(null); in my
> >>>             start() method
> >>>             (and it lets me do it).
> >>>
> >>>             However, daemon threads started by my Service are unable
> >>>             to use
> >>>             reflection. (It is working in the main FX application
> >>>             thread.)  I see
> >>>             the following stack trace in the Java console:
> >>>
> >>>
> >>>             Caused by: java.security.AccessControlException: 
> access denied
> >>>             ("java.lang.reflect.ReflectPermission" 
> "suppressAccessChecks")
> >>>             at
> >>>             
> java.security.AccessControlContext.checkPermission(Unknown
> >>>             Source)
> >>>             at java.security.AccessController.checkPermission(Unknown
> >>>             Source)
> >>>             at java.lang.SecurityManager.checkPermission(Unknown 
> Source)
> >>>             at
> >>>             
> sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown
> >>>             Source)
> >>>             at
> >>>             java.lang.reflect.AccessibleObject.setAccessible(Unknown
> >>>             Source)
> >>>
> >>>
> >>>             Caused by: java.security.AccessControlException: 
> access denied
> >>>             ("java.lang.RuntimePermission" "accessDeclaredMembers")
> >>>             at
> >>>             
> java.security.AccessControlContext.checkPermission(Unknown
> >>>             Source)
> >>>             at java.security.AccessController.checkPermission(Unknown
> >>>             Source)
> >>>             at java.lang.SecurityManager.checkPermission(Unknown 
> Source)
> >>>             at
> >>>             
> sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown
> >>>             Source)
> >>>             at java.lang.Class.checkMemberAccess(Unknown Source)
> >>>             at java.lang.Class.getDeclaredMethod(Unknown Source)
> >>>             at
> >>>             
> ma.glasnost.orika.property.PropertyResolver.resolvePropertyType(PropertyResolver.java:304) 
>
> >>>             at
> >>>             
> ma.glasnost.orika.property.PropertyResolver.processProperty(PropertyResolver.java:240) 
>
> >>>             at
> >>>             
> ma.glasnost.orika.property.IntrospectorPropertyResolver.collectProperties(IntrospectorPropertyResolver.java:83) 
>
> >>>             ... 33 more
> >>>
> >>>             I bring it up here because FXAppletSecurityManager is
> >>>             involved and
> >>>             this smells like a possible bug in plugin2
> >>>
> >>>             Regards,
> >>>
> >>>             Scott
> >>>
> >>>
> >>>
> >>>
> >>>                
> >>>
>
>
>
>
>
> NOTICE /from Ab Initio: This email (including any attachments) may 
> contain information that is subject to confidentiality obligations or 
> is legally privileged, and sender does not waive confidentiality or 
> privilege. If received in error, please notify the sender, delete this 
> email, and make no further use, disclosure, or distribution. /

More information about the openjfx-dev mailing list