There was a thread last week about Java 6 update 24 busting felix apps in webstart/java-plugin. I just submitted the following bug to Oracle, and wanted to let felix team know about it. I think Karl Pauls was following the original thread.
Cheers, Reuben ----------------------------- Full View Your Report (Review ID: 1990127) - SecurityException from all-permissions app - should be ClassNotFoundException From: "[email protected]" <[email protected]> Add to Contacts To: [email protected] ************************************************ Dear Java Developer, Thank you for your interest in improving the quality of Java Technology. Your report has been assigned an internal review ID of 1990127, which is NOT visible on the Sun Developer Network (SDN). Please be aware that the large volume of reports we receive sometimes prevents us from responding individually to each message. If the information is determined to be a new Bug or RFE, or a duplicate of a known Bug or RFE, you will receive a followup email containing a seven digit bug number. You may search for, view, or vote for this bug in the Bug Database at http://bugs.sun.com/. <http://bugs.sun.com/.If> If <http://bugs.sun.com/.If> you just reported an issue that could have a major impact on your project and require a timely response, please consider purchasing one of the support offerings described at http://developers.sun.com/services/.<http://developers.sun.com/services/.The> The <http://developers.sun.com/services/.The> Sun Developer Network (http://developers.sun.com) is a free service that Sun offers. To join, visit http://developers.sun.com/global/join_sdn.html.<http://developers.sun.com/global/join_sdn.html.Thank> Thank <http://developers.sun.com/global/join_sdn.html.Thank> you for using our bug submit page. Regards, Java Developer Bug Report Review Team --------------------------------------------------------------- Date Created: Wed Mar 02 15:43:52 MST 2011 Type: bug Customer Name: Reuben Pasquini Customer Email: [email protected] SDN ID: catdogboy status: Waiting Category: javawebstart Subcategory: other Company: http://frickjack.com release: 6u24 hardware: x86 OSversion: windows_7 priority: 4 Synopsis: SecurityException from all-permissions app - should be ClassNotFoundException Description: FULL PRODUCT VERSION : java version "1.6.0_24" Java(TM) SE Runtime Environment (build 1.6.0_24-b07) Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing) ADDITIONAL OS VERSION INFORMATION : Microsoft Windows [Version 6.1.7600] EXTRA RELEVANT SYSTEM CONFIGURATION : This is a java bug - I have users on WIndows 7 and XP, and also reported on Apache felix mailing list A DESCRIPTION OF THE PROBLEM : The following class, when bundled, signed, and deployed with the .jnlp file below, throws a SecurityException in the new java release - even though the .jnlp specifes "all-permissions". Past releases would throw a ClassNotFoundException - which is great, and is what things like Oracle's thin-client ojdbc6.jar expect. The program bootstraps the Felix OSGi engine - which apparently sets up a URLClassLoader with a custom felix:// URL. The output of running the program with webstart follows below the .jnlp file. Note that this .jnlp file is setup to run off the file system, but the same result follows from web-launched apps, whatever. package littleware.demo; import java.io.PrintWriter; import java.io.StringWriter; import java.net.URL; import java.net.URLClassLoader; import java.sql.Connection; import java.util.HashMap; import java.util.logging.Level; import java.util.logging.Logger; import javax.swing.JFrame; import javax.swing.JOptionPane; import javax.swing.JScrollPane; import javax.swing.JTextArea; import javax.swing.SwingUtilities; import javax.swing.WindowConstants; import org.apache.felix.framework.Felix; public class JavaToy { private static final Logger log = Logger.getLogger( JavaToy.class.getName() ); public static class AppRunner implements Runnable { public void run() { final StringWriter swriter = new StringWriter(); final PrintWriter pwriter = new PrintWriter( swriter ); pwriter.append( "Class path: " ).append( System.getProperty( "java.class.path" ) ).append( "\n\n-------------------------\n" ); final ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); if ( classLoader instanceof URLClassLoader ) { pwriter.append( "URLClassLoader:\n" ); for ( URL url : ((URLClassLoader) classLoader).getURLs() ) { pwriter.append( url.toString() ).append( "\n" ); } pwriter.append( "\n--------------------------------\n" ); } try { Class.forName( "bogus.DoesNotExist" ); pwriter.append( "No exception thrown on bogus class load\n" ); } catch ( Exception ex ) { pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" ); ex.printStackTrace(pwriter); } pwriter.flush(); final JFrame jframe = new JFrame( "Webstart test" ); final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 ); jframe.add( new JScrollPane( jtext ) ); jframe.pack(); jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE); jframe.setVisible(true); } } public static void main( String[] args ) { try { log.log( Level.INFO, "Launching felix!" ); (new Felix(new HashMap<String, Object>())).start(); Thread.sleep( 2000 ); } catch (Exception ex) { log.log(Level.SEVERE, "Caught exception", ex); System.exit(0); } SwingUtilities.invokeLater( new AppRunner() ); } } REGRESSION. Last worked in version 6 STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : *. Download felix.jar from http://felix.apache.org *. Build the following code, sign Toy.jar and felix.jar with your key, launch with the following .jnlp or something similar .... ----------------- package littleware.demo; import java.io.PrintWriter; import java.io.StringWriter; import java.net.URL; import java.net.URLClassLoader; import java.sql.Connection; import java.util.HashMap; import java.util.logging.Level; import java.util.logging.Logger; import javax.swing.JFrame; import javax.swing.JOptionPane; import javax.swing.JScrollPane; import javax.swing.JTextArea; import javax.swing.SwingUtilities; import javax.swing.WindowConstants; import org.apache.felix.framework.Felix; public class JavaToy { private static final Logger log = Logger.getLogger( JavaToy.class.getName() ); public static class AppRunner implements Runnable { public void run() { final StringWriter swriter = new StringWriter(); final PrintWriter pwriter = new PrintWriter( swriter ); pwriter.append( "Class path: " ).append( System.getProperty( "java.class.path" ) ).append( "\n\n-------------------------\n" ); final ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); if ( classLoader instanceof URLClassLoader ) { pwriter.append( "URLClassLoader:\n" ); for ( URL url : ((URLClassLoader) classLoader).getURLs() ) { pwriter.append( url.toString() ).append( "\n" ); } pwriter.append( "\n--------------------------------\n" ); } try { Class.forName( "bogus.DoesNotExist" ); pwriter.append( "No exception thrown on bogus class load\n" ); } catch ( Exception ex ) { pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" ); ex.printStackTrace(pwriter); } pwriter.flush(); final JFrame jframe = new JFrame( "Webstart test" ); final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 ); jframe.add( new JScrollPane( jtext ) ); jframe.pack(); jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE); jframe.setVisible(true); } } public static void main( String[] args ) { try { log.log( Level.INFO, "Launching felix!" ); (new Felix(new HashMap<String, Object>())).start(); Thread.sleep( 2000 ); } catch (Exception ex) { log.log(Level.SEVERE, "Caught exception", ex); System.exit(0); } SwingUtilities.invokeLater( new AppRunner() ); } } <?xml version="1.0" encoding="UTF-8" standalone="no"?> <jnlp codebase="file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/" href="launch.jnlp" spec="1.0+"> <information> <title>JavaToy</title> <vendor>pasquini</vendor> <homepage href=""/> <description>JavaToy</description> <description kind="short">JavaToy</description> </information> <update check="always"/> <security> <all-permissions/> </security> <resources> <j2se version="1.5+"/> <jar href="JavaToy.jar" main="true"/> <jar href="lib/felix-2.0.4.jar"/> </resources> <application-desc main-class="littleware.demo.JavaToy"> </application-desc> </jnlp> EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - Class path: C:\Program Files\Java\jre6\lib\deploy.jar ------------------------- URLClassLoader: file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/JavaToy.jar file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/lib/felix-2.0.4.jar http://felix.extensions:9/ -------------------------------- Caught exception loading bogus class: java.lang.ClassNotFoundException: bogus.DoesNotExist java.lang.ClassNotFoundException: bogus.DoesNotExist at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Unknown Source) at littleware.demo.JavaToy$AppRunner.run(JavaToy.java:39) at java.awt.event.InvocationEvent.dispatch(Unknown Source) at java.awt.EventQueue.dispatchEvent(Unknown Source) at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.run(Unknown Source) ACTUAL - Class path: C:\\Program Files (x86)\\Java\\jre6\\lib\\deploy.jar ------------------------- URLClassLoader: file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/JavaToy.jar file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/lib/felix-2.0.4.jar http://felix.extensions:9/ -------------------------------- Caught exception loading bogus class: java.lang.SecurityException: Permission denied: http://felix.extensions:9/bogus/DoesNotExist.class java.lang.SecurityException: Permission denied: http://felix.extensions:9/bogus/DoesNotExist.class at com.sun.deploy.security.DeployURLClassPath$UrlLoader.getResource(Unknown Source) at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source) at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Unknown Source) at littleware.demo.JavaToy$AppRunner.run(JavaToy.java:39) at java.awt.event.InvocationEvent.dispatch(Unknown Source) at java.awt.EventQueue.dispatchEventImpl(Unknown Source) at java.awt.EventQueue.access$000(Unknown Source) at java.awt.EventQueue$1.run(Unknown Source) at java.awt.EventQueue$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source) at java.awt.EventQueue.dispatchEvent(Unknown Source) at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.run(Unknown Source) REPRODUCIBILITY : This bug can be reproduced always. ---------- BEGIN SOURCE ---------- package littleware.demo; import java.io.PrintWriter; import java.io.StringWriter; import java.net.URL; import java.net.URLClassLoader; import java.sql.Connection; import java.util.HashMap; import java.util.logging.Level; import java.util.logging.Logger; import javax.swing.JFrame; import javax.swing.JOptionPane; import javax.swing.JScrollPane; import javax.swing.JTextArea; import javax.swing.SwingUtilities; import javax.swing.WindowConstants; import org.apache.felix.framework.Felix; public class JavaToy { private static final Logger log = Logger.getLogger( JavaToy.class.getName() ); public static class AppRunner implements Runnable { public void run() { final StringWriter swriter = new StringWriter(); final PrintWriter pwriter = new PrintWriter( swriter ); pwriter.append( "Class path: " ).append( System.getProperty( "java.class.path" ) ).append( "\n\n-------------------------\n" ); final ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); if ( classLoader instanceof URLClassLoader ) { pwriter.append( "URLClassLoader:\n" ); for ( URL url : ((URLClassLoader) classLoader).getURLs() ) { pwriter.append( url.toString() ).append( "\n" ); } pwriter.append( "\n--------------------------------\n" ); } try { Class.forName( "bogus.DoesNotExist" ); pwriter.append( "No exception thrown on bogus class load\n" ); } catch ( Exception ex ) { pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" ); ex.printStackTrace(pwriter); } pwriter.flush(); final JFrame jframe = new JFrame( "Webstart test" ); final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 ); jframe.add( new JScrollPane( jtext ) ); jframe.pack(); jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE); jframe.setVisible(true); } } public static void main( String[] args ) { try { log.log( Level.INFO, "Launching felix!" ); (new Felix(new HashMap<String, Object>())).start(); Thread.sleep( 2000 ); } catch (Exception ex) { log.log(Level.SEVERE, "Caught exception", ex); System.exit(0); } SwingUtilities.invokeLater( new AppRunner() ); } } ---------- END SOURCE ---------- CUSTOMER SUBMITTED WORKAROUND : I can work around the problem by installing the app locally, so web-start is not necessary. I ran into this problem with an app that connects to Oracle via ojdbc6.jar - ojdbc6.jar invokes "Class.forName" to check for optional i18n classes on the class path. The Oracle code correctly handles the correct ClassNotFoundException, but the new SecurityException is breaking my app. workaround:
