4 Replies Latest reply: Mar 2, 2011 4:51 PM by 844237 RSS

    JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)

    841256
      Hi,
      I'm currently working on some JWS application, which heavily relies on Apache Felix. It was working spotless until recent security update which comes along with Java 1.6u24. Now my application dies just when Apache Felix is starting to work.

      The exception being thrown is:

      SEVERE: Permission denied: http://felix.extensions:9/META-INF/services/javax.xml.parsers.SAXParserFactory
      java.lang.SecurityException: Permission denied: http://felix.extensions:9/META-INF/services/javax.xml.parsers.SAXParserFactory
           at com.sun.deploy.security.DeployURLClassPath$UrlLoader.findResource(Unknown Source)
           at com.sun.deploy.security.DeployURLClassPath.findResource(Unknown Source)
           at java.net.URLClassLoader$2.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at java.net.URLClassLoader.findResource(Unknown Source)
           at com.sun.jnlp.JNLPClassLoader.findResource(Unknown Source)
           at java.lang.ClassLoader.getResource(Unknown Source)
           at com.sun.jnlp.JNLPClassLoader.access$001(Unknown Source)
           at com.sun.jnlp.JNLPClassLoader$1.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at com.sun.jnlp.JNLPClassLoader.getResource(Unknown Source)
           at java.lang.ClassLoader.getResource(Unknown Source)
           at com.sun.jnlp.JNLPClassLoader.access$001(Unknown Source)
           at com.sun.jnlp.JNLPClassLoader$1.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at com.sun.jnlp.JNLPClassLoader.getResource(Unknown Source)
           at java.lang.ClassLoader.getResourceAsStream(Unknown Source)
           at javax.xml.parsers.SecuritySupport$4.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.xml.parsers.SecuritySupport.getResourceAsStream(Unknown Source)
           at javax.xml.parsers.FactoryFinder.findJarServiceProvider(Unknown Source)
           at javax.xml.parsers.FactoryFinder.find(Unknown Source)
           at javax.xml.parsers.SAXParserFactory.newInstance(Unknown Source)     
      (...)     
           at com.sun.javaws.Launcher.executeApplication(Unknown Source)
           at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
           at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
           at com.sun.javaws.Launcher.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)

      In javaws.policy, java.policy I have set up proper security rules to enable JWS to work out of sandbox by specifying:
      grant {
      permission java.security.AllPermission;
      }

      grant codeBase "http://felix.extensions:9/" {
      permission java.security.AllPermission;
      };

      Also, I'm using maven's webstart-maven-plugin to create a JWS jnlp file. It's being property signed with security certificate. My resulting jnlp file has this part of configuration embedded:
      <security>
      <all-permissions />
      </security>

      Do You have any ideas what might be the problem?
      Cheers
        • 1. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
          841371
          same here..
          maybe felix should fix this? https://issues.apache.org/jira/browse/FELIX-2780
          after update to java update 24 in javaws:

          Caused by: java.lang.SecurityException: Permission denied: http://felix.extensions:9/META-INF/services/javax.xml.datatype.DatatypeFactory
               at com.sun.deploy.security.DeployURLClassPath$UrlLoader.findResource(DeployURLClassPath.java:535)
               at com.sun.deploy.security.DeployURLClassPath.findResource(DeployURLClassPath.java:207)
               at java.net.URLClassLoader$2.run(URLClassLoader.java:385)
               at java.security.AccessController.doPrivileged(Native Method)
               at java.net.URLClassLoader.findResource(URLClassLoader.java:382)
               at com.sun.jnlp.JNLPClassLoader.findResource(JNLPClassLoader.java:351)
               at java.lang.ClassLoader.getResource(ClassLoader.java:1003)
               at com.sun.jnlp.JNLPClassLoader.access$001(JNLPClassLoader.java:61)
               at com.sun.jnlp.JNLPClassLoader$1.run(JNLPClassLoader.java:275)
               at java.security.AccessController.doPrivileged(Native Method)
               at com.sun.jnlp.JNLPClassLoader.getResource(JNLPClassLoader.java:270)
               at java.lang.ClassLoader.getResource(ClassLoader.java:998)
               at com.sun.jnlp.JNLPClassLoader.access$001(JNLPClassLoader.java:61)
               at com.sun.jnlp.JNLPClassLoader$1.run(JNLPClassLoader.java:275)
               at java.security.AccessController.doPrivileged(Native Method)
               at com.sun.jnlp.JNLPClassLoader.getResource(JNLPClassLoader.java:270)
               at java.lang.ClassLoader.getResourceAsStream(ClassLoader.java:1193)
               at javax.xml.datatype.SecuritySupport$4.run(SecuritySupport.java:92)
               at java.security.AccessController.doPrivileged(Native Method)
               at javax.xml.datatype.SecuritySupport.getResourceAsStream(SecuritySupport.java:85)
               at javax.xml.datatype.FactoryFinder.findJarServiceProvider(FactoryFinder.java:250)
               at javax.xml.datatype.FactoryFinder.find(FactoryFinder.java:223)
               at javax.xml.datatype.DatatypeFactory.newInstance(DatatypeFactory.java:131)
               at com.thoughtworks.xstream.converters.extended.DurationConverter.<init>(DurationConverter.java:33)

          Edited by: 838368 on Feb 21, 2011 1:41 AM
          • 2. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
            thomasng
            We are aware of the issue and a related CR is already filed:

            http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020285
            http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020709

            We are working on a fix for it.
            • 3. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
              841371
              http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020285
              won't be fixed ...

              So I assume that felix needs to fix this?
              • 4. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
                844237
                I just submitted a bug, and got the following e-mail.
                Hope the java guys take a look ...

                ---------------------------
                Full View
                Your Report (Review ID: 1990127) - SecurityException from all-permissions app - should be ClassNotFoundException
                From:     
                "IncidentDaemon@sun.com" <IncidentDaemon@sun.com>
                Add to Contacts
                To:     catdogboy@yahoo.com     
                ************************************************
                Dear Java Developer,

                Thank you for your interest in improving the quality of Java Technology.

                Your report has been assigned an internal review ID of 1990127, which is NOT visible on the Sun Developer Network (SDN).

                Please be aware that the large volume of reports we receive sometimes prevents us from responding individually to each message.

                If the information is determined to be a new Bug or RFE, or a duplicate of a known Bug or RFE, you will receive a followup email containing a seven digit bug number. You may search for, view, or vote for this bug in the Bug Database at http://bugs.sun.com/.

                If you just reported an issue that could have a major impact on your project and require a timely response, please consider purchasing one of the support offerings described at http://developers.sun.com/services/.

                The Sun Developer Network (http://developers.sun.com) is a free service that Sun offers. To join, visit http://developers.sun.com/global/join_sdn.html.

                Thank you for using our bug submit page.

                Regards,
                Java Developer Bug Report Review Team


                ---------------------------------------------------------------


                Date Created: Wed Mar 02 15:43:52 MST 2011
                Type: bug
                Customer Name: Reuben Pasquini
                Customer Email: catdogboy@yahoo.com
                SDN ID: catdogboy
                status: Waiting
                Category: javawebstart
                Subcategory: other
                Company: http://frickjack.com
                release: 6u24
                hardware: x86
                OSversion: windows_7
                priority: 4
                Synopsis: SecurityException from all-permissions app - should be ClassNotFoundException
                Description:
                FULL PRODUCT VERSION :
                java version "1.6.0_24"
                Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
                Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)

                ADDITIONAL OS VERSION INFORMATION :
                Microsoft Windows [Version 6.1.7600]

                EXTRA RELEVANT SYSTEM CONFIGURATION :
                This is a java bug - I have users on WIndows 7 and XP, and also reported on Apache felix mailing list

                A DESCRIPTION OF THE PROBLEM :
                The following class, when bundled, signed, and deployed with the .jnlp file below, throws a
                SecurityException
                in the new java release - even though the .jnlp specifes "all-permissions".

                Past releases would throw a ClassNotFoundException - which is great,
                and is what things like Oracle's thin-client ojdbc6.jar expect.

                The program bootstraps the Felix OSGi engine - which apparently sets up a URLClassLoader with a custom felix:// URL.
                The output of running the program with webstart follows
                below the .jnlp file.
                Note that this .jnlp file is setup to run off the file system, but the same result follows from web-launched apps, whatever.


                package littleware.demo;

                import java.io.PrintWriter;
                import java.io.StringWriter;
                import java.net.URL;
                import java.net.URLClassLoader;
                import java.sql.Connection;
                import java.util.HashMap;
                import java.util.logging.Level;
                import java.util.logging.Logger;
                import javax.swing.JFrame;
                import javax.swing.JOptionPane;
                import javax.swing.JScrollPane;
                import javax.swing.JTextArea;
                import javax.swing.SwingUtilities;
                import javax.swing.WindowConstants;
                import org.apache.felix.framework.Felix;


                public class JavaToy {
                private static final Logger log = Logger.getLogger( JavaToy.class.getName() );

                public static class AppRunner implements Runnable {
                public void run() {
                final StringWriter swriter = new StringWriter();
                final PrintWriter pwriter = new PrintWriter( swriter );
                pwriter.append( "Class path: " ).append(
                System.getProperty( "java.class.path" )
                ).append( "\n\n-------------------------\n" );
                final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
                if ( classLoader instanceof URLClassLoader ) {
                pwriter.append( "URLClassLoader:\n" );
                for ( URL url : ((URLClassLoader) classLoader).getURLs() ) {
                pwriter.append( url.toString() ).append( "\n" );
                }
                pwriter.append( "\n--------------------------------\n" );
                }
                try {
                Class.forName( "bogus.DoesNotExist" );
                pwriter.append( "No exception thrown on bogus class load\n" );
                } catch ( Exception ex ) {
                pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" );
                ex.printStackTrace(pwriter);
                }
                pwriter.flush();
                final JFrame jframe = new JFrame( "Webstart test" );
                final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 );
                jframe.add( new JScrollPane( jtext ) );
                jframe.pack();
                jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
                jframe.setVisible(true);
                }
                }
                public static void main( String[] args ) {
                try {
                log.log( Level.INFO, "Launching felix!" );
                (new Felix(new HashMap<String, Object>())).start();
                Thread.sleep( 2000 );
                } catch (Exception ex) {
                log.log(Level.SEVERE, "Caught exception", ex);
                System.exit(0);
                }
                SwingUtilities.invokeLater( new AppRunner() );
                }
                }



                REGRESSION. Last worked in version 6

                STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
                *. Download felix.jar from
                http://felix.apache.org

                *. Build the following code, sign Toy.jar and felix.jar with your key,
                launch with the following .jnlp or something similar ....
                -----------------

                package littleware.demo;

                import java.io.PrintWriter;
                import java.io.StringWriter;
                import java.net.URL;
                import java.net.URLClassLoader;
                import java.sql.Connection;
                import java.util.HashMap;
                import java.util.logging.Level;
                import java.util.logging.Logger;
                import javax.swing.JFrame;
                import javax.swing.JOptionPane;
                import javax.swing.JScrollPane;
                import javax.swing.JTextArea;
                import javax.swing.SwingUtilities;
                import javax.swing.WindowConstants;
                import org.apache.felix.framework.Felix;


                public class JavaToy {
                private static final Logger log = Logger.getLogger( JavaToy.class.getName() );

                public static class AppRunner implements Runnable {
                public void run() {
                final StringWriter swriter = new StringWriter();
                final PrintWriter pwriter = new PrintWriter( swriter );
                pwriter.append( "Class path: " ).append(
                System.getProperty( "java.class.path" )
                ).append( "\n\n-------------------------\n" );
                final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
                if ( classLoader instanceof URLClassLoader ) {
                pwriter.append( "URLClassLoader:\n" );
                for ( URL url : ((URLClassLoader) classLoader).getURLs() ) {
                pwriter.append( url.toString() ).append( "\n" );
                }
                pwriter.append( "\n--------------------------------\n" );
                }
                try {
                Class.forName( "bogus.DoesNotExist" );
                pwriter.append( "No exception thrown on bogus class load\n" );
                } catch ( Exception ex ) {
                pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" );
                ex.printStackTrace(pwriter);
                }
                pwriter.flush();
                final JFrame jframe = new JFrame( "Webstart test" );
                final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 );
                jframe.add( new JScrollPane( jtext ) );
                jframe.pack();
                jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
                jframe.setVisible(true);
                }
                }
                public static void main( String[] args ) {
                try {
                log.log( Level.INFO, "Launching felix!" );
                (new Felix(new HashMap<String, Object>())).start();
                Thread.sleep( 2000 );
                } catch (Exception ex) {
                log.log(Level.SEVERE, "Caught exception", ex);
                System.exit(0);
                }
                SwingUtilities.invokeLater( new AppRunner() );
                }
                }


                <?xml version="1.0" encoding="UTF-8" standalone="no"?>
                <jnlp codebase="file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/" href="launch.jnlp" spec="1.0+">
                <information>
                <title>JavaToy</title>
                <vendor>pasquini</vendor>
                <homepage href=""/>
                <description>JavaToy</description>
                <description kind="short">JavaToy</description>

                </information>
                <update check="always"/>
                <security>
                <all-permissions/>
                </security>
                <resources>
                <j2se version="1.5+"/>
                <jar href="JavaToy.jar" main="true"/>


                <jar href="lib/felix-2.0.4.jar"/>
                </resources>
                <application-desc main-class="littleware.demo.JavaToy">

                </application-desc>
                </jnlp>

                EXPECTED VERSUS ACTUAL BEHAVIOR :
                EXPECTED -
                Class path: C:\Program Files\Java\jre6\lib\deploy.jar

                -------------------------
                URLClassLoader:
                file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/JavaToy.jar
                file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/lib/felix-2.0.4.jar
                http://felix.extensions:9/

                --------------------------------
                Caught exception loading bogus class: java.lang.ClassNotFoundException: bogus.DoesNotExist
                java.lang.ClassNotFoundException: bogus.DoesNotExist
                at java.net.URLClassLoader$1.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at java.net.URLClassLoader.findClass(Unknown Source)
                at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
                at java.lang.ClassLoader.loadClass(Unknown Source)
                at java.lang.ClassLoader.loadClass(Unknown Source)
                at java.lang.Class.forName0(Native Method)
                at java.lang.Class.forName(Unknown Source)
                at littleware.demo.JavaToy$AppRunner.run(JavaToy.java:39)
                at java.awt.event.InvocationEvent.dispatch(Unknown Source)
                at java.awt.EventQueue.dispatchEvent(Unknown Source)
                at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
                at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
                at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
                at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
                at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
                at java.awt.EventDispatchThread.run(Unknown Source)

                ACTUAL -
                Class path: C:\\Program Files (x86)\\Java\\jre6\\lib\\deploy.jar

                -------------------------
                URLClassLoader:
                file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/JavaToy.jar
                file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/lib/felix-2.0.4.jar
                http://felix.extensions:9/

                --------------------------------
                Caught exception loading bogus class: java.lang.SecurityException: Permission denied: http://felix.extensions:9/bogus/DoesNotExist.class
                java.lang.SecurityException: Permission denied: http://felix.extensions:9/bogus/DoesNotExist.class
                at com.sun.deploy.security.DeployURLClassPath$UrlLoader.getResource(Unknown Source)
                at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
                at java.net.URLClassLoader$1.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at java.net.URLClassLoader.findClass(Unknown Source)
                at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
                at java.lang.ClassLoader.loadClass(Unknown Source)
                at java.lang.ClassLoader.loadClass(Unknown Source)
                at java.lang.ClassLoader.loadClass(Unknown Source)
                at java.lang.Class.forName0(Native Method)
                at java.lang.Class.forName(Unknown Source)
                at littleware.demo.JavaToy$AppRunner.run(JavaToy.java:39)
                at java.awt.event.InvocationEvent.dispatch(Unknown Source)
                at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
                at java.awt.EventQueue.access$000(Unknown Source)
                at java.awt.EventQueue$1.run(Unknown Source)
                at java.awt.EventQueue$1.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
                at java.awt.EventQueue.dispatchEvent(Unknown Source)
                at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
                at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
                at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
                at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
                at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
                at java.awt.EventDispatchThread.run(Unknown Source)


                REPRODUCIBILITY :
                This bug can be reproduced always.

                ---------- BEGIN SOURCE ----------
                package littleware.demo;

                import java.io.PrintWriter;
                import java.io.StringWriter;
                import java.net.URL;
                import java.net.URLClassLoader;
                import java.sql.Connection;
                import java.util.HashMap;
                import java.util.logging.Level;
                import java.util.logging.Logger;
                import javax.swing.JFrame;
                import javax.swing.JOptionPane;
                import javax.swing.JScrollPane;
                import javax.swing.JTextArea;
                import javax.swing.SwingUtilities;
                import javax.swing.WindowConstants;
                import org.apache.felix.framework.Felix;


                public class JavaToy {
                private static final Logger log = Logger.getLogger( JavaToy.class.getName() );

                public static class AppRunner implements Runnable {
                public void run() {
                final StringWriter swriter = new StringWriter();
                final PrintWriter pwriter = new PrintWriter( swriter );
                pwriter.append( "Class path: " ).append(
                System.getProperty( "java.class.path" )
                ).append( "\n\n-------------------------\n" );
                final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
                if ( classLoader instanceof URLClassLoader ) {
                pwriter.append( "URLClassLoader:\n" );
                for ( URL url : ((URLClassLoader) classLoader).getURLs() ) {
                pwriter.append( url.toString() ).append( "\n" );
                }
                pwriter.append( "\n--------------------------------\n" );
                }
                try {
                Class.forName( "bogus.DoesNotExist" );
                pwriter.append( "No exception thrown on bogus class load\n" );
                } catch ( Exception ex ) {
                pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" );
                ex.printStackTrace(pwriter);
                }
                pwriter.flush();
                final JFrame jframe = new JFrame( "Webstart test" );
                final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 );
                jframe.add( new JScrollPane( jtext ) );
                jframe.pack();
                jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
                jframe.setVisible(true);
                }
                }
                public static void main( String[] args ) {
                try {
                log.log( Level.INFO, "Launching felix!" );
                (new Felix(new HashMap<String, Object>())).start();
                Thread.sleep( 2000 );
                } catch (Exception ex) {
                log.log(Level.SEVERE, "Caught exception", ex);
                System.exit(0);
                }
                SwingUtilities.invokeLater( new AppRunner() );
                }
                }

                ---------- END SOURCE ----------

                CUSTOMER SUBMITTED WORKAROUND :
                I can work around the problem by installing the app locally, so web-start is not necessary. I ran into this problem with an app that connects to Oracle via ojdbc6.jar - ojdbc6.jar invokes "Class.forName" to check for optional i18n classes on the class path. The Oracle code correctly handles the correct ClassNotFoundException, but the new SecurityException is breaking my app.
                workaround: