Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8026757

getContextClassLoader().getResources() produces mix-code warning as of 7u45.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Cannot Reproduce
    • Affects Version/s: 7u45
    • Fix Version/s: None
    • Component/s: deploy
    • Labels:
    • Subcomponent:
    • Introduced In Build:
      b05
    • Introduced In Version:
    • OS:
      windows_7

      Backports

        Description

        FULL PRODUCT VERSION :
        java -version
        java version "1.7.0_45"
        Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
        Java HotSpot(TM) Client VM (build 24.45-b08, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows [Version 6.1.7601]

        A DESCRIPTION OF THE PROBLEM :
        enumerating resources returned by classloader.getResources() produces a mixed signed/unsigned code warning as of 7u45. jstack output while the security warning is up shows this stack:

        "javawsApplicationMain" prio=6 tid=0x06463000 nid=0x2630 runnable [0x0998d000]
           java.lang.Thread.State: RUNNABLE
                at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog._show(Native Method)
                at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog.access$000(Unknown Source)
                at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog$2.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog.showImmediately(Unknown Source)
                at com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog.show(Unknown Source)
                at com.sun.deploy.security.CPCallbackHandler.showMixedTrustDialog(Unknown Source)
                at com.sun.deploy.security.CPCallbackHandler.access$1100(Unknown Source)
                at com.sun.deploy.security.CPCallbackHandler$ParentCallback.checkAllowed(Unknown Source)
                at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
                - locked <0x29db79f8> (a com.sun.deploy.security.CPCallbackHandler$ParentCallback)
                at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1700(Unknown Source)
                at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
                at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
                at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
                at com.sun.deploy.security.DeployURLClassPath$JarLoader.findResource(Unknown Source)
                at com.sun.deploy.security.DeployURLClassPath$1.next(Unknown Source)
                at com.sun.deploy.security.DeployURLClassPath$1.hasMoreElements(Unknown Source)
                at java.net.URLClassLoader$3$1.run(Unknown Source)
                at java.net.URLClassLoader$3$1.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at java.net.URLClassLoader$3.next(Unknown Source)
                at java.net.URLClassLoader$3.hasMoreElements(Unknown Source)
                at sun.misc.CompoundEnumeration.next(Unknown Source)
                at sun.misc.CompoundEnumeration.hasMoreElements(Unknown Source)
                at testcase.TestCase.main(Unknown Source)

        this testcase is launched from a single signed jar via webstart.



        This is not a mixed signed/unsigned environment. It's a single jar, that's signed.

        REGRESSION. Last worked in version 7u40

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        build the class, sign and deploy with the jnlp file. run with java console shown.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        no mixed code dialog, output of jars on the class path.
        ACTUAL -
        mixed signed/unsigned code dialog with block/dont-block prompt.

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        If you press 5 in the console, and then choose 'Block' in the dialog, you get this error:

        security: resource name "META-INF/MANIFEST.MF" in http://localhost/test/testcase.jar : java.lang.SecurityException: trusted loader attempted to load sandboxed resource from http://localhost/test/testcase.jar

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        <?xml version="1.0" encoding="UTF-8"?>
        <jnlp spec="1.0+" codebase="http://localhost/test" href="test.jnlp">
            <information>
                <title>test</title>
                <vendor>test</vendor>
              </information>
            <security><all-permissions/></security>
            <resources>
                <jar href="testcase.jar" main="true" download="eager"/>
            </resources>
            <application-desc main-class="testcase.TestCase"/>
        </jnlp>


        package testcase;

        import java.io.*;
        import java.net.*;
        import java.util.Enumeration;

        public class TestCase {
            public static void main(String[] args) throws URISyntaxException, IOException {
                final Enumeration<URL> mfUrls = Thread.currentThread().getContextClassLoader().getResources("META-INF/MANIFEST.MF");
                while (mfUrls.hasMoreElements()) {
                    URL jarUrl = mfUrls.nextElement();
                    System.out.println(jarUrl.toURI());
                }
            }
        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        The workaround is to add "Trusted-Library: true" to the manifest.

        Which doesn't make sense unless the JNLPClassLoader doesn't trust webstart/jre itself since the whole test case is one class in one jar.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  herrick Andy Herrick
                  Reporter:
                  rlewis Roger Lewis (Inactive)
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  6 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: