JDK-6422133

(tz) TimeZone deserialization requires extra security permissions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Future Project
    • Affects Version/s: 5.0
    • Fix Version/s: None
    • Component/s: core-libs
    • Labels:
      None

      Description

      Deserialization of a TimeZone object requires an extra security permission:

      java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar"

      Here is an example:

      import java.io.*;
      import java.util.*;

      public class TimeZoneTest {
          public static void main(String[] args) throws Exception {
              TimeZone zone = TimeZone.getTimeZone("PST");
              ByteArrayOutputStream bout = new ByteArrayOutputStream();
              ObjectOutputStream os = new ObjectOutputStream(bout);
              os.writeObject(zone);
              os.flush();
              os.close();
              byte[] bytes = bout.toByteArray();
              ObjectInputStream input = new ObjectInputStream(new ByteArrayInputStream(bytes));
              TimeZone zone2 = (TimeZone) input.readObject();
              System.out.println(zone.hasSameRules(zone2));
          }
      }

      Here is the command and output for running with the default security policy:

      /java/re/j2se/1.5/archive/fcs/binaries/solaris-sparc/bin/java -Djava.security.manager -classpath . TimeZoneTest
      Exception in thread "main" java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.util.calendar)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
      at java.security.AccessController.checkPermission(AccessController.java:427)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
      at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
      at java.lang.Class.forName0(Native Method)
      at java.lang.Class.forName(Class.java:242)
      at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:574)
      at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1538)
      at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1460)
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1693)
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1299)
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:339)
      at TimeZoneTest.main(TimeZoneTest.java:14)
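
Added example, not part of the original report or of the JDK sources: it records the class names that a serialized TimeZone stream asks ObjectInputStream to resolve and marks those in the package named in the exception above. The names TimeZoneStreamClasses, RecordingInputStream, classesInStream and RESTRICTED_PACKAGE are hypothetical, and the program is assumed to run without a security manager so that the read completes.

```java
import java.io.*;
import java.util.*;

public class TimeZoneStreamClasses {
    // Package named in the AccessControlException in the report.
    static final String RESTRICTED_PACKAGE = "sun.util.calendar";

    // Records each class descriptor name as it is read from the stream,
    // which happens before resolveClass() tries to load the class.
    static class RecordingInputStream extends ObjectInputStream {
        final Set<String> names = new LinkedHashSet<>();

        RecordingInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected ObjectStreamClass readClassDescriptor()
                throws IOException, ClassNotFoundException {
            ObjectStreamClass desc = super.readClassDescriptor();
            names.add(desc.getName());
            return desc;
        }
    }

    // Serializes the zone, reads it back, and returns the class names
    // that appeared as class descriptors in the stream.
    static Set<String> classesInStream(TimeZone zone)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ObjectOutputStream os = new ObjectOutputStream(bout)) {
            os.writeObject(zone);
        }
        try (RecordingInputStream in = new RecordingInputStream(
                new ByteArrayInputStream(bout.toByteArray()))) {
            in.readObject();
            return in.names;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String name : classesInStream(TimeZone.getTimeZone("PST"))) {
            int dot = name.lastIndexOf('.');
            String pkg = dot < 0 ? "" : name.substring(0, dot);
            String mark = pkg.equals(RESTRICTED_PACKAGE) ? "  <-- restricted package" : "";
            System.out.println(name + mark);
        }
    }
}
```

Any name marked as restricted is a class that resolveClass would load through Class.forName, which is where the checkPackageAccess call in the stack trace above is made when a security manager is installed.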

            People

            • Assignee:
              okutsu Masayoshi Okutsu
              Reporter:
              xwangsunw Xiaozhong Wang (Inactive)