<div dir="ltr"><div><div>Sean,<br><br>Rather than add those lines in my JDK installation, I'm going to add them in my JRE installation, specifically: C:\Program Files\Java\jre9b181\lib\security\default.policy. If this is different than what you intended, please let me know. The infinite recursion is happening when running with the JRE. I haven't tried running with the JDK installation.<br></div><br></div>-- Tom<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 20, 2017 at 2:17 PM, Tom Hood <span dir="ltr"><<a href="mailto:tom.w.hood@gmail.com" target="_blank">tom.w.hood@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>In case useful, our jnlp file also contains this:<br></div>&lt;security&gt;<br></div> &lt;all-permissions/&gt;<br></div>&lt;/security&gt;<br><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 20, 2017 at 2:14 PM, Tom Hood <span dir="ltr"><<a href="mailto:tom.w.hood@gmail.com" target="_blank">tom.w.hood@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div>Sean,<br><br></div>I'll add those lines to the lib/security/default.policy file as you suggested. I left the app running overnight and came in this morning and it was stuck in the infinite recursion loop again. I'll leave it running tonight as well with the default.policy change.<br><br></div>How do I set java.security.debug=all within the jnlp? 
I tried several things, but none worked.<br><br></div>&lt;j2se version="1.9+" initial-heap-size="32m" max-heap-size="3072m"<br></div> java-vm-args="<b>-Djava.security.debug=all</b> --add-modules=java.corba --add-exports=java.desktop/com.sun.java.swing.plaf.windows=ALL-UNNAMED --add-exports=java.desktop/sun.swing=ALL-UNNAMED --add-exports=java.desktop/sun.awt.shell=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED"/&gt;<br><br></div>Then I tried setting it as a property in the jnlp:<br><br></div>&lt;property name="jnlp.<b>java.security.debug</b>" value="all"/&gt;<br><br></div>I also tried removing the jnlp prefix from the property name:<br><br>&lt;property name="<b>java.security.debug</b>" value="all"/&gt;<div><div><div><div><br></div><div>Then I tried setting it at the start of main with Security.setProperty("java.security.debug", "all") as well as System.setProperty("java.security.debug", "all"). 
No luck.<br><br></div><div>Then I tried wrapping javaws in a Windows batch file with the following line and selecting the batch file when Firefox asks for the program to open the jnlp with:<br><br></div><div>C:\"Program Files"\Java\jre9b181\bin\javaws -J<b>-Djava.security.debug=all</b> %1<br><br></div><div>which also didn't work.<span class="m_2394257946066681328HOEnZb"><font color="#888888"><br></font></span></div><span class="m_2394257946066681328HOEnZb"><font color="#888888"><div><br></div><div>-- Tom<br></div><div><div><div><br></div></div></div></font></span></div></div></div></div><div class="m_2394257946066681328HOEnZb"><div class="m_2394257946066681328h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 20, 2017 at 12:56 PM, mandy chung <span dir="ltr"><<a href="mailto:mandy.chung@oracle.com" target="_blank">mandy.chung@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">FYI. jdk.javaws is granted with AllPermissions in conf/security/javaws.policy. Maybe javaws.policy is not augmented to the security policy at runtime?<span class="m_2394257946066681328m_-2685466896639186706HOEnZb"><font color="#888888"><br>
<br>
Mandy</font></span><div class="m_2394257946066681328m_-2685466896639186706HOEnZb"><div class="m_2394257946066681328m_-2685466896639186706h5"><br>
<br>
On 9/20/17 12:45 PM, Sean Mullan wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Tom,<br>
<br>
Try adding the following lines to the lib/security/default.policy file in your JDK installation:<br>
<br>
grant codeBase "jrt:/jdk.javaws" {<br>
permission java.security.AllPermission;<br>
};<br>
<br>
I have a hunch that permissions are not being granted to the jdk.javaws module before it needs them. If that fixes the issue (or you don't see it for a few days), I'll follow up and file a bug.<br>
<br>
Thanks,<br>
Sean<br>
<br>
On 9/19/17 5:55 PM, Tom Hood wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
No luck so far reproducing this problem. The two times it happened to me yesterday have both been with Java 9 build 181 and the application has been idle for a while. I log in to our application, execute various features of the application, go to a meeting, return, and then see the java console repeatedly displaying the stack overflow exception. Maybe meetings are bad for Java 9? :-) I think there are some background threads in our application that are waking up periodically and doing "stuff". I don't know what that "stuff" is yet, but that would be my guess at where I will find the code that triggered the overflow.<br>
<br>
Assuming I can get our application to the point where I can reproduce the stack overflow, are there particular Java 9 builds that made significant changes to security-relevant code that you'd like me to try?<br>
<br>
Keep in mind that our app runs on a network not connected to the internet. As it is, I manually typed in the stack trace, so if there's a lot of output I'll have to print it and go through an approval process to show it to you via a scanned pdf. I will continue testing of our app with the security debug turned on so that I'll have the output if it happens again. I also have the logging and tracing enabled in the java control panel.<br>
<br>
-- Tom<br>
<br>
<br>
On Tue, Sep 19, 2017 at 12:13 PM, Sean Mullan <<a href="mailto:sean.mullan@oracle.com" target="_blank">sean.mullan@oracle.com</a>> wrote:<br>
<br>
Cross-posting to security-dev as this is more relevant to that list<br>
and bcc-ing core-libs-dev.<br>
<br>
I think this might be an issue with the JavaWebStart SecurityManager<br>
not being granted the proper permissions. It is possible that the<br>
deployment policy files are not being loaded or there is some other<br>
subtle bootstrapping issue. It should not result in a recursive loop<br>
of course, but there may be a workaround.<br>
<br>
In the meantime, can you send me more information, preferably a test<br>
case and a log file with -Djava.security.debug=all enabled? (The<br>
latter will help analyze the recursion and see what security checks<br>
are failing and for which ProtectionDomains). Also, have you tested<br>
this on builds earlier than b181?<br>
<br>
Thanks,<br>
Sean<br>
<br>
On 9/19/17 2:53 PM, Tom Hood wrote:<br>
<br>
I should add that we have not modified or overridden any policy files.<br>
Also, we are not using a custom security manager.<br>
<br>
On Tue, Sep 19, 2017 at 11:52 AM, Tom Hood <<a href="mailto:tom.w.hood@gmail.com" target="_blank">tom.w.hood@gmail.com</a>> wrote:<br>
<br>
Hi,<br>
<br>
I hit an infinite recursion loop probably related to PolicyFile that exists in Java 9 build 181 for Windows 64-bit. It might be related to JDK-8077418 <<a href="https://bugs.openjdk.java.net/browse/JDK-8077418" rel="noreferrer" target="_blank">https://bugs.openjdk.java.net/browse/JDK-8077418</a>><br>
<br>
<br>
I haven't tracked down what is causing our webstart app to hit this problem yet, but I thought I would let you know sooner than later. Also, it probably is not a problem for our particular application as I should be able to set the security manager to null which I think/hope will bypass this issue. I will try today to reproduce it in our app so I can confirm if setting security manager to null will work for us.<br>
<br>
The stack looks like the following: (with many repeat stacks omitted)<br>
<br>
Exception in thread "AWT-EventQueue-2" java.lang.StackOverflowError<br>
at java.base/java.security.AccessController.doPrivileged(Native Method)<br>
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)<br>
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)<br>
at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)<br>
at java.base/java.security.provider.ProtectionDomain.implies(ProtectionDomain.java:323)<br>
at java.base/java.security.provider.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:355)<br>
at java.base/java.security.provider.AccessControlContext.checkPermission(AccessControlContext.java:450)<br>
at java.base/java.security.provider.AccessController.checkPermission(AccessController.java:895)<br>
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:558)<br>
at jdk.javaws/com.sun.javaws.security.JavaWebStartSecurity.checkPermission(JavaWebStartSecurity.java:237)<br>
at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:897)<br>
at java.base/java.io.File.isDirectory(File.java:845)<br>
at java.base/sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:299)<br>
at java.base/sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1665)<br>
at java.base/sun.security.provider.PolicyFile.access$700(PolicyFile.java:263)<br>
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1139)<br>
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1136)<br>
**** and again ****<br>
at java.base/java.security.AccessController.doPrivileged(Native Method)<br>
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)<br>
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)<br>
at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)<br>
at java.base/java.security.provider.ProtectionDomain.implies(ProtectionDomain.java:323)<br>
at java.base/java.security.provider.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:355)<br>
at java.base/java.security.provider.AccessControlContext.checkPermission(AccessControlContext.java:450)<br>
at java.base/java.security.provider.AccessController.checkPermission(AccessController.java:895)<br>
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:558)<br>
at jdk.javaws/com.sun.javaws.security.JavaWebStartSecurity.checkPermission(JavaWebStartSecurity.java:237)<br>
at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:897)<br>
at java.base/java.io.File.isDirectory(File.java:845)<br>
at java.base/sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:299)<br>
at java.base/sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1665)<br>
at java.base/sun.security.provider.PolicyFile.access$700(PolicyFile.java:263)<br>
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1139)<br>
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1136)<br>
**** above lines start the stack that repeats until overflow ****<br>
at java.base/java.security.AccessController.doPrivileged(Native Method)<br>
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)<br>
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)<br>
at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)<br>
<br>
-- Tom<br>
<br>
<br>
<br>
</blockquote></blockquote>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
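The repeating stack posted at the start of this thread can be reduced mechanically to its cycle and to the permission checks that fire while the policy is already being evaluated. The script below is an added example, not part of the thread or of the JDK; the sample trace is constructed (nine frames abbreviated from the trace Tom posted) and the function names are hypothetical.

```python
import re

# Constructed sample: one pass of the repeating stack from the thread,
# abbreviated to nine frames (innermost call first, as the JVM prints it).
ONE_PASS = """\
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)
at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:558)
at jdk.javaws/com.sun.javaws.security.JavaWebStartSecurity.checkPermission(JavaWebStartSecurity.java:237)
at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:897)
at java.base/java.io.File.isDirectory(File.java:845)
at java.base/sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1665)
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1139)
"""
HEADER = 'Exception in thread "AWT-EventQueue-2" java.lang.StackOverflowError\n'
# Three full passes plus a truncated fourth, the way an overflow dump is cut off.
SAMPLE_TRACE = HEADER + ONE_PASS * 3 + "".join(ONE_PASS.splitlines(True)[:4])
FRAME = re.compile(r"^\s*at\s+(\S.*\))\s*$")

def parse_frames(trace):
    """Return the text of every 'at ...' frame line, in printed order."""
    return [m.group(1) for m in map(FRAME.match, trace.splitlines()) if m]

def find_cycle(frames, min_repeats=2):
    """Return (start, period) of the shortest repeating frame run, or None."""
    n = len(frames)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            if all(frames[i] == frames[i + period] for i in range(start, n - period)):
                return start, period
    return None

def checks_inside_policy(frames):
    """List permission checks that run while PolicyFile is already on the stack."""
    found = find_cycle(frames)
    if found is None:
        return []
    start, period = found
    cycle = frames[start:start + period][::-1]  # reverse: outermost call first
    hits, in_policy = [], False
    for frame in cycle:
        if "PolicyFile." in frame or "PolicyFile$" in frame:
            in_policy = True
        elif in_policy and ".check" in frame:
            hits.append(frame)
    return hits

if __name__ == "__main__":
    print("\n".join(checks_inside_policy(parse_frames(SAMPLE_TRACE))))
```

On the sample, the first check reported is `SecurityManager.checkRead`, reached from `File.isDirectory` inside `PolicyFile.canonicalizeCodebase`, which is the point where policy evaluation re-enters itself.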