Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8062793

Signed applets are giving java.net.SocketPermission exception with JRE 8

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 8u25, 8u40
    • Fix Version/s: None
    • Component/s: core-libs
    • Labels:
    • Subcomponent:
    • CPU:
      x86
    • OS:
      windows_8

      Description

      FULL PRODUCT VERSION :


      A DESCRIPTION OF THE PROBLEM :
      It was working fine with JDK 1.7 or earlier versions, but once we test with JDK 8 we are getting the following exception
      Exception in thread "cth" java.security.AccessControlException: access denied ("java.net.SocketPermission" "IP:PORT" "connect,resolve")
      at java.security.AccessControlContext.checkPermission(Unknown Source)
      at java.security.AccessController.checkPermission(Unknown Source)
      at java.lang.SecurityManager.checkPermission(Unknown Source)
      at java.lang.SecurityManager.checkConnect(Unknown Source)
      at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
      at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source)
      at java.net.Socket.connect(Unknown Source)
      at iyp.simplegameapplet.d.f.a(Unknown Source)
      at iyp.b.a.b$c.run(Unknown Source)

      We have an applet, which will open a socket connection to communicate with the server socket application here is the applet code which used to open the socket communication

      Socket sock = new Socket();
      InputStream is;
      OutputStream os;
      try {
        sock.connect(serverAddr, timeoutMs);
      } catch(SocketTimeoutException ex) {
         return false;
      }
      is = sock.getInputStream();
      os = sock.getOutputStream();

      We are using signed applets, I tested with a java client program from eclipse, this works fine, only with Applet we have issue. may be Applet security need to use full permissions we try with MANIFEST.MF with Permissions: all-permissions and object parameters for applet which doesn't solve the problem.

      When we grant in the client machine java.policy to full permissions it was worked fine, but this is not correct way to go ahead forcing to change client machine java.policy

      REGRESSION. Last worked in version 7u72

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Create a signed applet and that will open a Socket to communicate the server.

      http://www.cuesportz.com/

      Go to this site and register yourself then you can play the pool game. We have designed an applet which can be launched to play the game and will communicate to game server with a socket from applet. You can play the multiplay with any opponent or can use speed pool to play alone.


      As I review the source of JDK and JRE 8 changes here is my analysis let me know if am wrong.

      1. JRE 8 has introduced the Java.net.URLPermission class before was using SocketPermissions, which will take care about the permissions to URL's in the applet security
      2. As we review the java/net/Socket.java implementation for the connect method it has the following code
      SecurityManager security = System.getSecurityManager();
              if (security != null) {
                  if (epoint.isUnresolved())
                      security.checkConnect(epoint.getHostName(), port);
                  else
                      security.checkConnect(addr.getHostAddress(), port);
              }
      Then the checkConnect method of SecurityManager is using SocketPermission
      if (port == -1) {
                  checkPermission(new SocketPermission(host,
                      SecurityConstants.SOCKET_RESOLVE_ACTION));
              } else {
                  checkPermission(new SocketPermission(host+":"+port,
                      SecurityConstants.SOCKET_CONNECT_ACTION));
              }
      I think the Socket connection is referring to the SocketPermission where the security is giving only the URL permission

      Here is another observation from JDK 7 and 8, In the Java console log from client browser, I find this difference

      JRE 7 has the following entry in the log:
      security: Grant socket perm for http://cuesportz.net/iypapplets/iypRoomGameApplet_3.jar : java.security.Permissions@1ae5edf (
      ("java.net.SocketPermission" "cuesportz.net" "connect,accept,resolve")
      )

      JRE 8 has the following entry in the log:
      security: Grant connect perm for http://cuesportz.net/iypapplets/iypRoomGameApplet_3.jar : java.security.Permissions@e51286 (
      ("java.net.URLPermission" "http://cuesportz.net:80" "*:*")
      ("java.net.URLPermission" "http://cuesportz.net:80/-" "*:*")
      )


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Should connect to the ServerSocket for the communication
      ACTUAL -
      Is giving Exception in thread "cth" java.security.AccessControlException: access denied ("java.net.SocketPermission" "IP:PORT" "connect,resolve")

      REPRODUCIBILITY :
      This bug can be reproduced always.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                robm Robert Mckenna
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: