Discussions
Categories
- 197K All Categories
- 2.5K Data
- 546 Big Data Appliance
- 1.9K Data Science
- 450.8K Databases
- 221.9K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 552 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 556 SQLcl
- 4K SQL Developer Data Modeler
- 187.2K SQL & PL/SQL
- 21.4K SQL Developer
- 296.4K Development
- 17 Developer Projects
- 139 Programming Languages
- 293.1K Development Tools
- 111 DevOps
- 3.1K QA/Testing
- 646.1K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 161 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 19 Java Essentials
- 162 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 205 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 475 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 175 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 233 Portuguese
Applet accidentally requests Java Core API classes from network
875478
Member Posts: 1
Hi,
starting an applet from a customers client machine (IE7, Windows XP, Standard JRE Installation of Java 1.6.0_26), I see in the tomcat access log entries signalizing that core java api classes are accidentally requested from the server:
...
"GET /mywebapp/applet/java/lang/StringBuilder.class HTTP/1.1" 404 1156 0
"GET /mywebapp/applet/javax/swing/JPanel.class HTTP/1.1" 404 1141 0
"GET /mywebapp/applet/java/net/JarURLConnection.class HTTP/1.1" 404 1162 0
"GET /mywebapp/applet/java/util/jar/JarEntry.class HTTP/1.1" 404 1153 0
"GET /mywebapp/applet/java/util/jar/JarFile.class HTTP/1.1" 404 1150 0
...
Although tomcat responses with HTTP 404, the applet works fine.
Questions:
1. For me, it looks like a security risk when the browser tries to load system classes from the network instead of using the local files from the jre dir, doesn't it?
2. When starting the applet from my local machine (different network), no tomcat logfile entries are generated. An interesting fact is, that in the customer network, the applet "codebase" parameter in the HTML source gets modifed by a proxy server for whatever reason like the following:
<applet codebase="http://mydomain.org/mywebapp/applet">
becomes some kind of:
<applet codebase="http://mydomain.org/mywebapp/applet/+sgrkjkrlgjklJKLjekrr4jewlkfjkerlkrelkjgregkjerlkgljkeglkjgjelkLKJLKefjei55435ijjkl=+">
It seems that such codebases confuse the classloader. Any ideas about that?
Thank you so much for any hints!
starting an applet from a customers client machine (IE7, Windows XP, Standard JRE Installation of Java 1.6.0_26), I see in the tomcat access log entries signalizing that core java api classes are accidentally requested from the server:
...
"GET /mywebapp/applet/java/lang/StringBuilder.class HTTP/1.1" 404 1156 0
"GET /mywebapp/applet/javax/swing/JPanel.class HTTP/1.1" 404 1141 0
"GET /mywebapp/applet/java/net/JarURLConnection.class HTTP/1.1" 404 1162 0
"GET /mywebapp/applet/java/util/jar/JarEntry.class HTTP/1.1" 404 1153 0
"GET /mywebapp/applet/java/util/jar/JarFile.class HTTP/1.1" 404 1150 0
...
Although tomcat responses with HTTP 404, the applet works fine.
Questions:
1. For me, it looks like a security risk when the browser tries to load system classes from the network instead of using the local files from the jre dir, doesn't it?
2. When starting the applet from my local machine (different network), no tomcat logfile entries are generated. An interesting fact is, that in the customer network, the applet "codebase" parameter in the HTML source gets modifed by a proxy server for whatever reason like the following:
<applet codebase="http://mydomain.org/mywebapp/applet">
becomes some kind of:
<applet codebase="http://mydomain.org/mywebapp/applet/+sgrkjkrlgjklJKLjekrr4jewlkfjkerlkrelkjgregkjerlkgljkeglkjgjelkLKJLKefjei55435ijjkl=+">
It seems that such codebases confuse the classloader. Any ideas about that?
Thank you so much for any hints!
Tagged:
Answers
-
How do you observe the "mangled" codebase? If possible could you provide more details simple data and steps to reproduce the behavior. If these have to involve private information, you might want to open a bug or support case. At very least please provide the HTML snippet for the applet.
Edited by: ntn on Aug 1, 2011 2:18 PM
Edited by: ntn on Aug 1, 2011 2:27 PM -
<applet codebase="http://mydomain.org/mywebapp/applet">So you're loading individual .class files from the codebase? Don't do that, put them into a JAR and specify the JAR file(s) as the codebase. Much more efficient and it may solve this problem too.
This discussion has been closed.