Bug 498224 - [F-11] Lots of javaws failures
[F-11] Lots of javaws failures
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: java-1.6.0-openjdk (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Deepak Bhole
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-29 10:11 EDT by Denis Leroy
Modified: 2009-05-05 11:55 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-29 13:35:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Stack trace (2.37 KB, text/plain)
2009-04-29 10:11 EDT, Denis Leroy
no flags Details
Stack trace, different app (2.61 KB, text/plain)
2009-04-29 10:12 EDT, Denis Leroy
no flags Details

  None (edit)
Description Denis Leroy 2009-04-29 10:11:08 EDT
Created attachment 341754 [details]
Stack trace

I'm unable to use any of my Java WebStart applications since I upgraded to F-11 (worked fined with F-10). I keep getting these failures:

net.sourceforge.jnlp.LaunchException: Fatal: Launch Error: Could not launch JNLP file.
[cut]


Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)


(couple of full outputs attached).

One of the javaws app I'm trying is to is the Sun Server ILOM Remote Console, which used to work fine with F-10.
Comment 1 Denis Leroy 2009-04-29 10:12:36 EDT
Created attachment 341756 [details]
Stack trace, different app
Comment 2 Deepak Bhole 2009-04-29 10:25:04 EDT
This is not a bug. The IcedTea plugin has stricter policies, which prevent applets from accessing properties among other things. The way to fix this is to add an exception in the java.policy file in /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/java.policy

At the moment though, there is a bug that prevents that policy from being enforced correctly. It has been fixed upstream, and will be in F-10/Rawhide in the next update soon.

I am not sure how it worked for you under F-10 though, that is odd. It should have failed there too..
Comment 3 Denis Leroy 2009-04-29 12:10:12 EDT
That's interesting. That's a pretty huge deviation from the Sun package. Is this a RedHat only thing, or just OpenJDK in general ?

Indeed, I was able to make the apps work again by adding 2 or 3 lines to the java.policy file. I didn't seem to run into the bug you mentioned actually.

Should I close this then ?
Comment 4 Deepak Bhole 2009-04-29 13:35:06 EDT
Yeah, the Sun implementation is a bit more lax. I have not seen any information with regards to security restrictions for plugins/webstart though.. so it is not like IcedTea is doing it wrong.. just, differently.

The policy enforcement bug only manifests when the policy needs to be set for a non file:/.../- location. Perhaps you are using a file based location?

Anyway, yeah if it is working for you I think this issue should be closed as there is nothing more we can change on the code side.
Comment 5 Denis Leroy 2009-04-29 13:51:39 EDT
If I understand correctly, IcedTea chosses to run webstart apps in a more strict environment, while the Sun implementation is more trusting. I'm curious how many webstart apps out there might be affected by this. I'm going to raise this issue internally here at Sun, at least for the ILOM remote console app.

Thanks for your help.
Comment 6 Deepak Bhole 2009-05-04 16:33:20 EDT
Hi Denis. Do you know which property the application is trying to access? There are certain that should be allowed according to the spec (and I am pretty sure they are). But if the application you are using is trying to access one of these properties and it is failing, it is a bug in IcedTea/NetX:

java.util.PropertyPermission java.version               read
java.util.PropertyPermission java.vendor                read
java.util.PropertyPermission java.vendor.url            read
java.util.PropertyPermission java.class.version         read
java.util.PropertyPermission os.name                    read
java.util.PropertyPermission os.version                 read
java.util.PropertyPermission os.arch                    read
java.util.PropertyPermission file.separator             read
java.util.PropertyPermission path.separator             read
java.util.PropertyPermission line.separator             read
java.util.PropertyPermission java.specification.version read
java.util.PropertyPermission java.specification.vendor  read
java.util.PropertyPermission java.specification.name      read
java.util.PropertyPermission java.vm.specification.vendor read
java.util.PropertyPermission java.vm.specification.name   read
java.util.PropertyPermission java.vm.version              read
java.util.PropertyPermission java.vm.vendor               read
java.util.PropertyPermission java.vm.name                 read
Comment 7 Denis Leroy 2009-05-04 17:38:45 EDT
Hmm, how can I tell ? The stack trace is not particularly informative. The interesting bits:

Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
[cut]
	at java.lang.System.getProperties(System.java:599)
	at com.sun.sunit.bugtraq.client.swing.Main.main(Main.java:133)

Coming from java.lang, is it maybe trying to read some locale-related info ?

The ILOM app also fails because by default it creates an "ilom.log" log file in the user directory, which IcedTea doesn't allow.
Comment 8 Deepak Bhole 2009-05-04 19:36:52 EDT
Ah sorry, my mistake. I re checked the logs and they do show the error. The first one failed because getProperties() was denied. That is correct behaviour according to the spec. The second one failed because of "java.util.PropertyPermission MAX_LOG_SIZE read" .. that too, is correct. Both of these failures should also happen with the Sun plugin/Webstart..

As for writing files, that permission is being correctly denied as well, and it would be denied by the Sun plugin too. 

The only ways to get around these issues is to explicitly trust the domain for those items, or sign the application jars.
Comment 9 Denis Leroy 2009-05-05 04:47:37 EDT
I have never seen them fail with the Sun webstart plugin, although I may have had to click on a Security dialog box once...
Comment 10 Deepak Bhole 2009-05-05 11:55:24 EDT
Does the IcedTea plugin show any security dialogs? If it does and you did trust it, the exceptions are a bug.

Note You need to log in before you can comment on or make changes to this bug.