This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 738811

Summary: access denied (java.net.NetPermission getProxySelector)
Product: [Fedora] Fedora Reporter: Omair Majid <omajid>
Component: icedtea-webAssignee: Omair Majid <omajid>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dbhole, don-redhat-z6y, omajid
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-20 16:13:01 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Omair Majid 2011-09-15 17:04:57 EDT
Originally reported as part of bug 524387

Running an applet in firefox causes this stack trace:

firefox
java version "1.6.0_22"
OpenJDK Runtime Environment (IcedTea6 1.10.2) (fedora-58.1.10.2.fc15-i386)
OpenJDK Client VM (build 20.0-b11, mixed mode)
system look and feel class: javax.swing.plaf.metal.MetalLookAndFeel
java.security.AccessControlException: access denied (java.net.NetPermission
getProxySelector)
 at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
 at java.security.AccessController.checkPermission(AccessController.java:553)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
 at
net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:261)
 at java.net.ProxySelector.getDefault(ProxySelector.java:90)
 at Sonario.readProxySettings(Sonario.java:68)
 at Sonario.init(Sonario.java:182)
 at sun.applet.AppletPanel.run(AppletPanel.java:436)
 at net.sourceforge.jnlp.NetxPanel.run(NetxPanel.java:68)
 at java.lang.Thread.run(Thread.java:679)
Comment 1 Omair Majid 2011-09-19 12:26:47 EDT
Is this applet public? Do you have a url to it?
Comment 2 Donald Cohen 2011-09-19 15:55:10 EDT
ok, finally reconstituted fc15 in a vm, updated all software, installed java, java plugin, here's what I see.
(I had to be root to install all that stuff...)
[root@number11 ~]# firefox 
failed to create drawable
failed to create drawable
java version "1.6.0_22"
OpenJDK Runtime Environment (IcedTea6 1.10.3) (fedora-59.1.10.3.fc15-i386)
OpenJDK Client VM (build 20.0-b11, mixed mode)
system look and feel class: javax.swing.plaf.metal.MetalLookAndFeel
free: 10070 allocated: 17136 max: 496960 total free memory: 489894
hostname saturn.spicenet.net port 443
javax.net.ssl.SSLException: java.security.AccessControlException: access denied (java.security.AllPermission <all permissions> <all actions>)
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1665)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1628)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1611)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1192)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1169)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)

etc.

The url is
http://saturnids.spicenet.net/sonario/develop081125/develop081125-mysql.html

I think you can get this behavior by just clicking on login without supplying any user or password info, but I'll check.
If necessary I can give you such data.  (D. Lila I think already has it for previous debugging activity.)
Comment 3 Donald Cohen 2011-09-19 16:21:15 EDT
This url is even better:
http://saturnids.spicenet.net/sonario/develop081125/develop081125-ids.html
Without any input other than putting the url into the browser:

[don@number11 ~]$ firefox &
[1] 31650
[don@number11 ~]$ failed to create drawable
java version "1.6.0_22"
OpenJDK Runtime Environment (IcedTea6 1.10.3) (fedora-59.1.10.3.fc15-i386)
OpenJDK Client VM (build 20.0-b11, mixed mode)
system look and feel class: com.sun.java.swing.plaf.gtk.GTKLookAndFeel
java.security.AccessControlException: access denied (java.net.NetPermission getProxySelector)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
	at java.security.AccessController.checkPermission(AccessController.java:553)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:261)
	at java.net.ProxySelector.getDefault(ProxySelector.java:90)
	at Sonario.readProxySettings(Sonario.java:89)
	at Sonario.init(Sonario.java:205)
	at sun.applet.AppletPanel.run(AppletPanel.java:436)
	at net.sourceforge.jnlp.NetxPanel.run(NetxPanel.java:68)
	at java.lang.Thread.run(Thread.java:679)
Comment 4 Donald Cohen 2011-09-19 16:32:56 EDT
Ignore comment 2:
> The url is
> http://saturnids.spicenet.net/sonario/develop081125/develop081125-mysql.html

Sorry, that's the url for the other bug, 738814 - that one does require login
Comment 5 Omair Majid 2011-09-20 16:13:01 EDT
On further investigation, it looks like one of the applet's jars, mysql-connector-java-5.1.5-bin.jar, contains an unsigned entry: META-INF/INDEX.LIST

The "fix" explained here makes it work:
http://thread.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/12020

*** This bug has been marked as a duplicate of bug 675271 ***
Comment 6 Donald Cohen 2011-09-20 17:19:57 EDT
I was wondering whether replacing that jar with a more recent version would help.
I just tried the latest version (5.1.17) and I seem to still get the same thing.
Can you verify that the new jar has the same problem?
I now realize that this particular url, using ids driver, does not even need
the mysql driver.  When I remove the jar from the list it works!
However, I would then expect the same problem to affect the other url which does use the mysql driver.  And yet that one gets much further -- why is that?

BTW,
Doesn't this seem the sort of thing that mysql (now oracle!) really should fix?
Or is it possible that all other java implementation accept unsigned index files?

Finally
The fix above seems to require changing my java distribution, which means that the applet still would not work for others using the standard dist, right?
I was hoping that I could at least arrange to sign the unsigned entry and then
have that new jar work for everyone.
Comment 7 Omair Majid 2011-09-21 11:42:50 EDT
(In reply to comment #6)
> I was wondering whether replacing that jar with a more recent version would
> help.
> I just tried the latest version (5.1.17) and I seem to still get the same
> thing.
> Can you verify that the new jar has the same problem?

Actually, the new jar is completely unsigned (or at least it was last I checked).

> I now realize that this particular url, using ids driver, does not even need
> the mysql driver.  When I remove the jar from the list it works!
> However, I would then expect the same problem to affect the other url which
> does use the mysql driver.  And yet that one gets much further -- why is that?
> 

I dont have the code for the applets, so I cant give a definite answer. FWIW, the stack trace shows that the two applets are suffering from completely different problems.

The ids applet tries to access proxy settings and runs into an error. This is because of the not-completely-signed jar. The entire applet is determined to be unsigned/untrusted code. The code is not granted permission to access proxy settings.

The mysql applet, on the other hand, (as far as I can tell) does not try to access proxy settings. It tries to establish https connections and runs into a problem with that. A code path that I had not considered is taken which needs more permissions to execute.

So the two problems seem very different to me.

> BTW,
> Doesn't this seem the sort of thing that mysql (now oracle!) really should fix?

Looking at mysql-connector-java-5.1.5-bin.jar, it is not signed by oracle, but by "IsComp Systems, Inc."

> Or is it possible that all other java implementation accept unsigned index
> files?

As far as I know, there is just one implementation of plugin/webstart - Oracle's (previously Sun's). And as far as I know, it accepts other unsigned files too:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=722

> Finally
> The fix above seems to require changing my java distribution, which means that
> the applet still would not work for others using the standard dist, right?

Yes, the fix, if applied locally, would only work for you. However, if the patch was committed to icedtea-web (of which there is a good chance, but other things need to happen first) then the applet will work for other users too.

> I was hoping that I could at least arrange to sign the unsigned entry and then
> have that new jar work for everyone.

The correct fix, IMHO, is to indeed sign all entries in the jar. Given that you (or your company?) signed all the other entries in the jar, signing the INDEX.LIST should not be too difficult.
Comment 8 Donald Cohen 2011-09-21 17:02:19 EDT
(In reply to comment #7)
> Actually, the new jar is completely unsigned (or at least it was last I
> checked).
Ok, this makes sense - I had forgotten that I'm the one that has to sign it!
I have now seen this same error in windows using 
JRE version 1.6.0_26-b03 Java HotSpot(TM) Client VM 
and that was in the version using the mysql driver.

> The correct fix, IMHO, is to indeed sign all entries in the jar. Given that you
> (or your company?) signed all the other entries in the jar, signing the
> INDEX.LIST should not be too difficult.

I believe that the original jar, mysql-connector-java-5.1.5-bin.jar, was signed 
like this:
jarsigner -storepass ... [jar file] [alias]
I thought this was supposed to sign the jar as a unit, not individual files in it.
How can I tell that a given entry is signed?
I've just resigned the 5.1.5 jar and signed the 5.1.17 jar and I still get the same error.  Is the problem in jarsigner?  Maybe I can remove INDEX.LIST and resign?
Comment 9 Omair Majid 2011-09-21 17:25:32 EDT
(In reply to comment #8)
> I believe that the original jar, mysql-connector-java-5.1.5-bin.jar, was signed 
> like this:
> jarsigner -storepass ... [jar file] [alias]
> I thought this was supposed to sign the jar as a unit, not individual files in
> it.

You cant actually sign a jar file itself; only the files inside the jar file are signed. But that command should sign everything necessary inside the jar.

> How can I tell that a given entry is signed?

$ jarsigner -verify -verbose [jar file]

All files (not directories) with the exception of signature-related files should be marked as 'sm' 

The openjdk code lists signature-related files as:
    /**
     * signature-related files include:
     * . META-INF/MANIFEST.MF
     * . META-INF/SIG-*
     * . META-INF/*.SF
     * . META-INF/*.DSA
     * . META-INF/*.RSA
     */

> I've just resigned the 5.1.5 jar and signed the 5.1.17 jar and I still get the
> same error.  Is the problem in jarsigner?  Maybe I can remove INDEX.LIST and
> resign?

I just tested signing the unsigned 5.1.17 jar (with a custom certificate) and the META-INF/INDEX.LIST file shows up as signed.

If all the files in the jar are signed and you are still running into this error, please let me know.
Comment 10 Donald Cohen 2011-09-21 17:58:13 EDT
$ jarsigner -verify -verbose mysql-connector-java-5.1.5-bin.jar

       23406 Tue Nov 25 09:35:02 GMT-08:00 2008 META-INF/MANIFEST.MF
       23208 Wed Sep 21 12:43:38 GMT-08:00 2011 META-INF/SATURNKE.SF
        1140 Wed Sep 21 12:43:38 GMT-08:00 2011 META-INF/SATURNKE.DSA
           0 Fri Oct 05 21:08:44 GMT-08:00 2007 META-INF/
         443 Fri Oct 05 21:08:44 GMT-08:00 2007 META-INF/INDEX.LIST
           0 Fri Oct 05 21:08:20 GMT-08:00 2007 com/
after that the results look better for non-directories, e.g.,
smk     4758 Fri Oct 05 21:08:30 GMT-08:00 2007 com/mysql/jdbc/Blob.class

So maybe my version of jarsigner erroneously views all META-INF as signature related.
So far I don't see an option to delete a file from the jar.
I guess I could extract it all, delete the file I don't want and then
jar it again.  (Would I have to resign it?)

5.1.17 looks even worse:
$ jarsigner -verify -verbose mysql-connector-java-5.1.17-bin.jar | more

       27600 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/MANIFEST.MF
       25758 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/SATURNKE.SF
        1140 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/SATURNKE.DSA
           0 Mon Jul 04 16:24:08 GMT-08:00 2011 META-INF/
           0 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/services/
          21 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/services/java.sql.Driv\
er
         463 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/INDEX.LIST
           0 Mon Jul 04 16:23:42 GMT-08:00 2011 com/
 ...
Comment 11 Omair Majid 2011-09-21 18:06:04 EDT
(In reply to comment #10)
> $ jarsigner -verify -verbose mysql-connector-java-5.1.5-bin.jar
> 
>        23406 Tue Nov 25 09:35:02 GMT-08:00 2008 META-INF/MANIFEST.MF
>        23208 Wed Sep 21 12:43:38 GMT-08:00 2011 META-INF/SATURNKE.SF
>         1140 Wed Sep 21 12:43:38 GMT-08:00 2011 META-INF/SATURNKE.DSA
>            0 Fri Oct 05 21:08:44 GMT-08:00 2007 META-INF/
>          443 Fri Oct 05 21:08:44 GMT-08:00 2007 META-INF/INDEX.LIST
>            0 Fri Oct 05 21:08:20 GMT-08:00 2007 com/
> after that the results look better for non-directories, e.g.,
> smk     4758 Fri Oct 05 21:08:30 GMT-08:00 2007 com/mysql/jdbc/Blob.class
> 

Yup, that's exactly what I get on my machine.

> So maybe my version of jarsigner erroneously views all META-INF as signature
> related.

What jarsigner are you using? 
$ rpm -qf $(readlink -f $(which jarsigner))

From the list, only META-INF/INDEX.LIST should be signed - the other META-INF/* files are expected to be not signed (though OpenJDK7 might consider MANIFEST.MF as signed too).

> So far I don't see an option to delete a file from the jar.
> I guess I could extract it all, delete the file I don't want and then
> jar it again.  (Would I have to resign it?)

I am not sure if that works. You can try it out and use jarsigner -verify to check. 

Perhaps it might be easier to grab a new mysql jar and sign it to see if INDEX.LIST gets signed?

> 
> 5.1.17 looks even worse:
> $ jarsigner -verify -verbose mysql-connector-java-5.1.17-bin.jar | more
> 
>        27600 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/MANIFEST.MF
>        25758 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/SATURNKE.SF
>         1140 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/SATURNKE.DSA
>            0 Mon Jul 04 16:24:08 GMT-08:00 2011 META-INF/
>            0 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/services/
>           21 Mon Jul 04 16:24:06 GMT-08:00 2011
> META-INF/services/java.sql.Driv\
> er
>          463 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/INDEX.LIST
>            0 Mon Jul 04 16:23:42 GMT-08:00 2011 com/
>  ...

Have you signed it? The results look completely standard for unsigned jars.
Comment 12 Donald Cohen 2011-09-21 18:16:50 EDT
(In reply to comment #11)
> $ rpm -qf $(readlink -f $(which jarsigner))
java-1_4_2-sun-devel-1.4.2.17-0.2

> Perhaps it might be easier to grab a new mysql jar and sign it to see if
> INDEX.LIST gets signed?
That's what 5.1.17 was.

> > 5.1.17 looks even worse:
> > $ jarsigner -verify -verbose mysql-connector-java-5.1.17-bin.jar | more
> > 
> >        27600 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/MANIFEST.MF
> >        25758 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/SATURNKE.SF
> >         1140 Wed Sep 21 12:50:58 GMT-08:00 2011 META-INF/SATURNKE.DSA
> >            0 Mon Jul 04 16:24:08 GMT-08:00 2011 META-INF/
> >            0 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/services/
> >           21 Mon Jul 04 16:24:06 GMT-08:00 2011
> > META-INF/services/java.sql.Driv\
> > er
> >          463 Mon Jul 04 16:24:06 GMT-08:00 2011 META-INF/INDEX.LIST
> >            0 Mon Jul 04 16:23:42 GMT-08:00 2011 com/
> >  ...
> 
> Have you signed it? The results look completely standard for unsigned jars.
After the META-INF, all the non-directories are signed:
           0 Fri Oct 05 21:08:20 GMT-08:00 2007 com/mysql/
           0 Fri Oct 05 21:08:38 GMT-08:00 2007 com/mysql/jdbc/
smk      914 Fri Oct 05 21:08:30 GMT-08:00 2007 com/mysql/jdbc/AssertionFailedException.class
smk     4758 Fri Oct 05 21:08:30 GMT-08:00 2007 com/mysql/jdbc/Blob.class
smk     2116 Fri Oct 05 21:08:32 GMT-08:00 2007 com/mysql/jdbc/BlobFromLocator$
LocatorInputStream.class
smk     8761 Fri Oct 05 21:08:32 GMT-08:00 2007 com/mysql/jdbc/BlobFromLocator.
Comment 13 Omair Majid 2011-09-21 18:29:10 EDT
(In reply to comment #12)
> (In reply to comment #11)
> > $ rpm -qf $(readlink -f $(which jarsigner))
> java-1_4_2-sun-devel-1.4.2.17-0.2
> 

Ahhhh... That explains a lot. Thanks for tracking it down. Would it be possible, at all, to use a newer jarsigner? Just to check, at least?

> > Perhaps it might be easier to grab a new mysql jar and sign it to see if
> > INDEX.LIST gets signed?
> That's what 5.1.17 was.
> 

Oh, I didn't see that. So it looks like your jarsigner is not signing INDEX.LIST files :/
Comment 14 Donald Cohen 2011-09-21 18:51:00 EDT
Ok, found another version
java-1.5.0-sun-1.5.0_03
This problem is now solved.
(But now I wonder whether that windows user still has this problem... - will ask)