All-Permissions not working properly with sun.plugin2.applet.FXAppletSecurityManager
David DeHaven
david.dehaven at oracle.com
Mon Jun 16 22:18:47 UTC 2014
Run:
jarsigner -verify -verbose -certs /path/to/some.jar
This will show (excessive) signing information as well as the certs used to sign.
-DrD-
> I will see if I can get permission to send you the program.
>
> I believe all of my jars are signed with the same certificate. What is the
> best way to verify that?
>
>
> Thanks Kevin,
>
> Neil
>
>
>
>
> From: Kevin Rushforth <kevin.rushforth at oracle.com>
> To: ngalarneau at ABINITIO.COM,
> Cc: Scott Palmer <swpalmer at gmail.com>, dmitry cherepanov
> <dmitry.cherepanov at oracle.com>, "openjfx-dev at openjdk.java.net"
> <openjfx-dev at openjdk.java.net>
> Date: 06/16/2014 06:12 PM
> Subject: Re: All-Permissions not working properly with
> sun.plugin2.applet.FXAppletSecurityManager
>
>
>
> Hi Neil,
>
> If you have a test program that you can send me, I can attach it for you.
>
> Question for you: are all of your jar files (including the third-party
> libs) signed with the same certificate?
>
> -- Kevin
>
>
> ngalarneau at ABINITIO.COM wrote:
> Also, because I can't login, I can't add a comment to the bug report.
>
> I am also getting a security exception even though my applet is signed &
> has all permissions.
>
> In this case it is happening on a call to getClassLoader() on the JavaFX
> thread (not a daemon thread):
>
> Exception in thread "JavaFX Application Thread"
> java.security.AccessControlException: access denied
> ("java.lang.RuntimePermission" "getClassLoader")
> at java.security.AccessControlContext.checkPermission(Unknown
> Source)
> at java.security.AccessController.checkPermission(Unknown Source)
> at java.lang.SecurityManager.checkPermission(Unknown Source)
> at
> sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown Source)
>
> at java.lang.ClassLoader.checkClassLoaderPermission(Unknown
> Source)
> at java.lang.Class.getClassLoader(Unknown Source)
> ...
>
> The call to getClassLoader() happens from inside a 3rd party library if
> that matters.
>
> When I run the identical code as a desktop application it works fine EVEN
> WHEN I ADD MY OWN SECURITY MANAGER.
>
>
> Thank you for any help,
>
> Neil
>
>
>
>
> From: Scott Palmer <swpalmer at gmail.com>
> To: Kevin Rushforth <kevin.rushforth at oracle.com>,
> Cc: "openjfx-dev at openjdk.java.net" <openjfx-dev at openjdk.java.net>
> Date: 06/13/2014 08:19 PM
> Subject: Re: All-Permissions not working properly with
> sun.plugin2.applet.FXAppletSecurityManager
> Sent by: "openjfx-dev" <openjfx-dev-bounces at openjdk.java.net>
>
>
>
> Thank you.
>
> Is there a way that people that are not project authors can get
> notifications of updates? I can’t click to add myself to the watch list
> or vote without a login, and it seems to be near impossible to get a
> login.
> The "Account Help” link on the login page is broken and everything I’ve
> found in the wiki indicates I need to be a project author to get an
> account.
>
> Scott
>
>
> On Jun 13, 2014, at 8:05 PM, Kevin Rushforth <kevin.rushforth at oracle.com>
> wrote:
>
>> Hi Scott,
>>
>> I created two new non-confidential bugs and closed the original ones as
> duplicates. Here are the new bugs:
>>
>>
>> reflection in daemon thread:
>> JDK-8046825 (was JDK-8040699) : All-Permissions not working properly
> with sun.plugin2.applet.FXAppletSecurityManager
>>
>> security manager and applet-desc webstart mode:
>> JDK-8046826 (was JDK-8040231) : All permission fx javaws app could not
> set Security Manager to null.
>>
>> I have copied Dmitry in case he has any information about these bugs.
>>
>> -- Kevin
>>
>>
>> Kevin Rushforth wrote:
>>>
>>> Dmitry can comment further, but it is possible that this issue could be
> backported to 8u40 if done soon enough.
>>>
>>> I will double-check whether the bugs can be made non-confidential (so
> you can at least track progress), but I suspect they cannot in their
> current form, in which case new bugs should be filed with the confidential
> information moved to confidential comments in the bug. I will help with
> this.
>>>
>>> -- Kevin
>>>
>>>
>>> Scott Palmer wrote:
>>>> Drat... I was hoping to see something much sooner, like 8u20
> (obviously too late now) or 8u40. I'm unable to use Web Start deployment
> because of this.
>>>>
>>>> Is it necessary for these issues to be blocked from anonymous viewing?
>
>>>>
>>>> Thanks for the update.
>>>>
>>>> Scott
>>>>
>>>>
>>>> On Wed, Jun 11, 2014 at 11:57 AM, Kevin Rushforth <
> kevin.rushforth at oracle.com <mailto:kevin.rushforth at oracle.com>> wrote:
>>>>
>>>> These are now assigned to Dmitry Cherapanov who I have copied here
>
>>>> in case he isn't on the openjfx alias. They are both targeted to
>>>> JDK 9.
>>>>
>>>> -- Kevin
>>>>
>>>>
>>>> Scott Palmer wrote:
>>>>
>>>> I tried to send an email to Thomas asking about the status of
>>>> these issues
>>>> (they are not visible to me), but the email bounced (user
>>>> unknown). Could
>>>> someone let me know the status?
>>>>
>>>> Thanks,
>>>>
>>>> Scott
>>>>
>>>>
>>>> On Thu, Apr 17, 2014 at 1:25 AM, Thomas Ng
>>>> <thomas.v.ng at oracle.com <mailto:thomas.v.ng at oracle.com>>
> wrote:
>>>>
>>>>
>>>> Thanks for the report!
>>>>
>>>> Two bugs created for this:
>>>>
>>>> security manager and applet-desc webstart mode:
>>>> https://bugs.openjdk.java.net/browse/JDK-8040231
>>>>
>>>> reflection in daemon thread:
>>>> https://bugs.openjdk.java.net/browse/JDK-8040699
>>>>
>>>> -thomas
>>>>
>>>>
>>>> *From: *Scott Palmer <swpalmer at gmail.com
>>>> <mailto:swpalmer at gmail.com>>
>>>> *Subject: **All-Permissions not working properly with
>>>> sun.plugin2.applet.FXAppletSecurityManager*
>>>> *Date: *April 14, 2014 at 1:07:36 PM PDT
>>>> *To: *"openjfx-dev at openjdk.java.net
>>>> <mailto:openjfx-dev at openjdk.java.net>"
>>>> <openjfx-dev at openjdk.java.net
>>>> <mailto:openjfx-dev at openjdk.java.net>>
>>>>
>>>>
>>>> Can someone confirm that all-permissions is working for
>>>> JavaFX apps
>>>> that are launched via Web Start with Java 8.0 and use
>>>> daemon threads
>>>> in a Service?
>>>>
>>>> I have a JNLP file that has:
>>>> <security>
>>>> <all-permissions/>
>>>> </security>
>>>>
>>>> and the manifest of my app's jar has the following
>>>> instruction in my
>>>> Gradle script:
>>>>
>>>> jar {
>>>> manifest {
>>>> attributes('Permissions': 'all-permissions',
>>>> 'Codebase': '*')
>>>> }
>>>> }
>>>>
>>>> I'm using the javafx gradle plugin and signing the jars...
>
>>>> e.g. I see this for every dependency and the main jar:
>>>> ...
>>>> Signing (BLOB) C:\Users\scott\.m2\caches\path\to\some.jar
>>>> Signed as C:\Users\scott\dev\MyProject\build\libs\some.jar
>
>>>> ...
>>>>
>>>> I even tried System.setSecurityManager(null); in my
>>>> start() method
>>>> (and it lets me do it).
>>>>
>>>> However, daemon threads started by my Service are unable
>>>> to use
>>>> reflection. (It is working in the main FX application
>>>> thread.) I see
>>>> the following stack trace in the Java console:
>>>>
>>>>
>>>> Caused by: java.security.AccessControlException: access
> denied
>>>> ("java.lang.reflect.ReflectPermission"
> "suppressAccessChecks")
>>>> at
>>>> java.security.AccessControlContext.checkPermission(Unknown
>
>>>> Source)
>>>> at java.security.AccessController.checkPermission(Unknown
>>>> Source)
>>>> at java.lang.SecurityManager.checkPermission(Unknown
> Source)
>>>> at
>>>>
> sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown
>>>> Source)
>>>> at
>>>> java.lang.reflect.AccessibleObject.setAccessible(Unknown
>>>> Source)
>>>>
>>>>
>>>> Caused by: java.security.AccessControlException: access
> denied
>>>> ("java.lang.RuntimePermission" "accessDeclaredMembers")
>>>> at
>>>> java.security.AccessControlContext.checkPermission(Unknown
>
>>>> Source)
>>>> at java.security.AccessController.checkPermission(Unknown
>>>> Source)
>>>> at java.lang.SecurityManager.checkPermission(Unknown
> Source)
>>>> at
>>>>
> sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown
>>>> Source)
>>>> at java.lang.Class.checkMemberAccess(Unknown Source)
>>>> at java.lang.Class.getDeclaredMethod(Unknown Source)
>>>> at
>>>>
> ma.glasnost.orika.property.PropertyResolver.resolvePropertyType(PropertyResolver.java:304)
>
>>>> at
>>>>
> ma.glasnost.orika.property.PropertyResolver.processProperty(PropertyResolver.java:240)
>
>>>> at
>>>>
> ma.glasnost.orika.property.IntrospectorPropertyResolver.collectProperties(IntrospectorPropertyResolver.java:83)
>
>>>> ... 33 more
>>>>
>>>> I bring it up here because FXAppletSecurityManager is
>>>> involved and
>>>> this smells like a possible bug in plugin2
>>>>
>>>> Regards,
>>>>
>>>> Scott
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>
>
>
>
>
> NOTICE from Ab Initio: This email (including any attachments) may contain
> information that is subject to confidentiality obligations or is legally
> privileged, and sender does not waive confidentiality or privilege. If
> received in error, please notify the sender, delete this email, and make
> no further use, disclosure, or distribution.
>
>
>
> NOTICE from Ab Initio: This email (including any attachments) may contain
> information that is subject to confidentiality obligations or is legally
> privileged, and sender does not waive confidentiality or privilege. If
> received in error, please notify the sender, delete this email, and make
> no further use, disclosure, or distribution.
More information about the openjfx-dev
mailing list