This discussion is archived
4 Replies Latest reply: Mar 2, 2011 2:51 PM by 844237 RSS

JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)

841256 Newbie
Currently Being Moderated
Hi,
I'm currently working on some JWS application, which heavily relies on Apache Felix. It was working spotless until recent security update which comes along with Java 1.6u24. Now my application dies just when Apache Felix is starting to work.

The exception being thrown is:

SEVERE: Permission denied: http://felix.extensions:9/META-INF/services/javax.xml.parsers.SAXParserFactory
java.lang.SecurityException: Permission denied: http://felix.extensions:9/META-INF/services/javax.xml.parsers.SAXParserFactory
     at com.sun.deploy.security.DeployURLClassPath$UrlLoader.findResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath.findResource(Unknown Source)
     at java.net.URLClassLoader$2.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findResource(Unknown Source)
     at com.sun.jnlp.JNLPClassLoader.findResource(Unknown Source)
     at java.lang.ClassLoader.getResource(Unknown Source)
     at com.sun.jnlp.JNLPClassLoader.access$001(Unknown Source)
     at com.sun.jnlp.JNLPClassLoader$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sun.jnlp.JNLPClassLoader.getResource(Unknown Source)
     at java.lang.ClassLoader.getResource(Unknown Source)
     at com.sun.jnlp.JNLPClassLoader.access$001(Unknown Source)
     at com.sun.jnlp.JNLPClassLoader$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sun.jnlp.JNLPClassLoader.getResource(Unknown Source)
     at java.lang.ClassLoader.getResourceAsStream(Unknown Source)
     at javax.xml.parsers.SecuritySupport$4.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.xml.parsers.SecuritySupport.getResourceAsStream(Unknown Source)
     at javax.xml.parsers.FactoryFinder.findJarServiceProvider(Unknown Source)
     at javax.xml.parsers.FactoryFinder.find(Unknown Source)
     at javax.xml.parsers.SAXParserFactory.newInstance(Unknown Source)     
(...)     
     at com.sun.javaws.Launcher.executeApplication(Unknown Source)
     at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
     at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
     at com.sun.javaws.Launcher.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)

In javaws.policy, java.policy I have set up proper security rules to enable JWS to work out of sandbox by specifying:
grant {
permission java.security.AllPermission;
}

grant codeBase "http://felix.extensions:9/" {
permission java.security.AllPermission;
};

Also, I'm using maven's webstart-maven-plugin to create a JWS jnlp file. It's being property signed with security certificate. My resulting jnlp file has this part of configuration embedded:
<security>
<all-permissions />
</security>

Do You have any ideas what might be the problem?
Cheers
  • 1. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
    841371 Newbie
    Currently Being Moderated
    same here..
    maybe felix should fix this? https://issues.apache.org/jira/browse/FELIX-2780
    after update to java update 24 in javaws:

    Caused by: java.lang.SecurityException: Permission denied: http://felix.extensions:9/META-INF/services/javax.xml.datatype.DatatypeFactory
         at com.sun.deploy.security.DeployURLClassPath$UrlLoader.findResource(DeployURLClassPath.java:535)
         at com.sun.deploy.security.DeployURLClassPath.findResource(DeployURLClassPath.java:207)
         at java.net.URLClassLoader$2.run(URLClassLoader.java:385)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findResource(URLClassLoader.java:382)
         at com.sun.jnlp.JNLPClassLoader.findResource(JNLPClassLoader.java:351)
         at java.lang.ClassLoader.getResource(ClassLoader.java:1003)
         at com.sun.jnlp.JNLPClassLoader.access$001(JNLPClassLoader.java:61)
         at com.sun.jnlp.JNLPClassLoader$1.run(JNLPClassLoader.java:275)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.jnlp.JNLPClassLoader.getResource(JNLPClassLoader.java:270)
         at java.lang.ClassLoader.getResource(ClassLoader.java:998)
         at com.sun.jnlp.JNLPClassLoader.access$001(JNLPClassLoader.java:61)
         at com.sun.jnlp.JNLPClassLoader$1.run(JNLPClassLoader.java:275)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.jnlp.JNLPClassLoader.getResource(JNLPClassLoader.java:270)
         at java.lang.ClassLoader.getResourceAsStream(ClassLoader.java:1193)
         at javax.xml.datatype.SecuritySupport$4.run(SecuritySupport.java:92)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.xml.datatype.SecuritySupport.getResourceAsStream(SecuritySupport.java:85)
         at javax.xml.datatype.FactoryFinder.findJarServiceProvider(FactoryFinder.java:250)
         at javax.xml.datatype.FactoryFinder.find(FactoryFinder.java:223)
         at javax.xml.datatype.DatatypeFactory.newInstance(DatatypeFactory.java:131)
         at com.thoughtworks.xstream.converters.extended.DurationConverter.<init>(DurationConverter.java:33)

    Edited by: 838368 on Feb 21, 2011 1:41 AM
  • 2. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
    thomasng Newbie
    Currently Being Moderated
    We are aware of the issue and a related CR is already filed:

    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020285
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020709

    We are working on a fix for it.
  • 3. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
    841371 Newbie
    Currently Being Moderated
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020285
    won't be fixed ...

    So I assume that felix needs to fix this?
  • 4. Re: JWS not working after Java updates to JDK 1.6 update 24 (with apache felix)
    844237 Newbie
    Currently Being Moderated
    I just submitted a bug, and got the following e-mail.
    Hope the java guys take a look ...

    ---------------------------
    Full View
    Your Report (Review ID: 1990127) - SecurityException from all-permissions app - should be ClassNotFoundException
    From:     
    "IncidentDaemon@sun.com" <IncidentDaemon@sun.com>
    Add to Contacts
    To:     catdogboy@yahoo.com     
    ************************************************
    Dear Java Developer,

    Thank you for your interest in improving the quality of Java Technology.

    Your report has been assigned an internal review ID of 1990127, which is NOT visible on the Sun Developer Network (SDN).

    Please be aware that the large volume of reports we receive sometimes prevents us from responding individually to each message.

    If the information is determined to be a new Bug or RFE, or a duplicate of a known Bug or RFE, you will receive a followup email containing a seven digit bug number. You may search for, view, or vote for this bug in the Bug Database at http://bugs.sun.com/.

    If you just reported an issue that could have a major impact on your project and require a timely response, please consider purchasing one of the support offerings described at http://developers.sun.com/services/.

    The Sun Developer Network (http://developers.sun.com) is a free service that Sun offers. To join, visit http://developers.sun.com/global/join_sdn.html.

    Thank you for using our bug submit page.

    Regards,
    Java Developer Bug Report Review Team


    ---------------------------------------------------------------


    Date Created: Wed Mar 02 15:43:52 MST 2011
    Type: bug
    Customer Name: Reuben Pasquini
    Customer Email: catdogboy@yahoo.com
    SDN ID: catdogboy
    status: Waiting
    Category: javawebstart
    Subcategory: other
    Company: http://frickjack.com
    release: 6u24
    hardware: x86
    OSversion: windows_7
    priority: 4
    Synopsis: SecurityException from all-permissions app - should be ClassNotFoundException
    Description:
    FULL PRODUCT VERSION :
    java version "1.6.0_24"
    Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
    Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)

    ADDITIONAL OS VERSION INFORMATION :
    Microsoft Windows [Version 6.1.7600]

    EXTRA RELEVANT SYSTEM CONFIGURATION :
    This is a java bug - I have users on WIndows 7 and XP, and also reported on Apache felix mailing list

    A DESCRIPTION OF THE PROBLEM :
    The following class, when bundled, signed, and deployed with the .jnlp file below, throws a
    SecurityException
    in the new java release - even though the .jnlp specifes "all-permissions".

    Past releases would throw a ClassNotFoundException - which is great,
    and is what things like Oracle's thin-client ojdbc6.jar expect.

    The program bootstraps the Felix OSGi engine - which apparently sets up a URLClassLoader with a custom felix:// URL.
    The output of running the program with webstart follows
    below the .jnlp file.
    Note that this .jnlp file is setup to run off the file system, but the same result follows from web-launched apps, whatever.


    package littleware.demo;

    import java.io.PrintWriter;
    import java.io.StringWriter;
    import java.net.URL;
    import java.net.URLClassLoader;
    import java.sql.Connection;
    import java.util.HashMap;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.swing.JFrame;
    import javax.swing.JOptionPane;
    import javax.swing.JScrollPane;
    import javax.swing.JTextArea;
    import javax.swing.SwingUtilities;
    import javax.swing.WindowConstants;
    import org.apache.felix.framework.Felix;


    public class JavaToy {
    private static final Logger log = Logger.getLogger( JavaToy.class.getName() );

    public static class AppRunner implements Runnable {
    public void run() {
    final StringWriter swriter = new StringWriter();
    final PrintWriter pwriter = new PrintWriter( swriter );
    pwriter.append( "Class path: " ).append(
    System.getProperty( "java.class.path" )
    ).append( "\n\n-------------------------\n" );
    final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    if ( classLoader instanceof URLClassLoader ) {
    pwriter.append( "URLClassLoader:\n" );
    for ( URL url : ((URLClassLoader) classLoader).getURLs() ) {
    pwriter.append( url.toString() ).append( "\n" );
    }
    pwriter.append( "\n--------------------------------\n" );
    }
    try {
    Class.forName( "bogus.DoesNotExist" );
    pwriter.append( "No exception thrown on bogus class load\n" );
    } catch ( Exception ex ) {
    pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" );
    ex.printStackTrace(pwriter);
    }
    pwriter.flush();
    final JFrame jframe = new JFrame( "Webstart test" );
    final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 );
    jframe.add( new JScrollPane( jtext ) );
    jframe.pack();
    jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
    jframe.setVisible(true);
    }
    }
    public static void main( String[] args ) {
    try {
    log.log( Level.INFO, "Launching felix!" );
    (new Felix(new HashMap<String, Object>())).start();
    Thread.sleep( 2000 );
    } catch (Exception ex) {
    log.log(Level.SEVERE, "Caught exception", ex);
    System.exit(0);
    }
    SwingUtilities.invokeLater( new AppRunner() );
    }
    }



    REGRESSION. Last worked in version 6

    STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
    *. Download felix.jar from
    http://felix.apache.org

    *. Build the following code, sign Toy.jar and felix.jar with your key,
    launch with the following .jnlp or something similar ....
    -----------------

    package littleware.demo;

    import java.io.PrintWriter;
    import java.io.StringWriter;
    import java.net.URL;
    import java.net.URLClassLoader;
    import java.sql.Connection;
    import java.util.HashMap;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.swing.JFrame;
    import javax.swing.JOptionPane;
    import javax.swing.JScrollPane;
    import javax.swing.JTextArea;
    import javax.swing.SwingUtilities;
    import javax.swing.WindowConstants;
    import org.apache.felix.framework.Felix;


    public class JavaToy {
    private static final Logger log = Logger.getLogger( JavaToy.class.getName() );

    public static class AppRunner implements Runnable {
    public void run() {
    final StringWriter swriter = new StringWriter();
    final PrintWriter pwriter = new PrintWriter( swriter );
    pwriter.append( "Class path: " ).append(
    System.getProperty( "java.class.path" )
    ).append( "\n\n-------------------------\n" );
    final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    if ( classLoader instanceof URLClassLoader ) {
    pwriter.append( "URLClassLoader:\n" );
    for ( URL url : ((URLClassLoader) classLoader).getURLs() ) {
    pwriter.append( url.toString() ).append( "\n" );
    }
    pwriter.append( "\n--------------------------------\n" );
    }
    try {
    Class.forName( "bogus.DoesNotExist" );
    pwriter.append( "No exception thrown on bogus class load\n" );
    } catch ( Exception ex ) {
    pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" );
    ex.printStackTrace(pwriter);
    }
    pwriter.flush();
    final JFrame jframe = new JFrame( "Webstart test" );
    final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 );
    jframe.add( new JScrollPane( jtext ) );
    jframe.pack();
    jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
    jframe.setVisible(true);
    }
    }
    public static void main( String[] args ) {
    try {
    log.log( Level.INFO, "Launching felix!" );
    (new Felix(new HashMap<String, Object>())).start();
    Thread.sleep( 2000 );
    } catch (Exception ex) {
    log.log(Level.SEVERE, "Caught exception", ex);
    System.exit(0);
    }
    SwingUtilities.invokeLater( new AppRunner() );
    }
    }


    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <jnlp codebase="file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/" href="launch.jnlp" spec="1.0+">
    <information>
    <title>JavaToy</title>
    <vendor>pasquini</vendor>
    <homepage href=""/>
    <description>JavaToy</description>
    <description kind="short">JavaToy</description>

    </information>
    <update check="always"/>
    <security>
    <all-permissions/>
    </security>
    <resources>
    <j2se version="1.5+"/>
    <jar href="JavaToy.jar" main="true"/>


    <jar href="lib/felix-2.0.4.jar"/>
    </resources>
    <application-desc main-class="littleware.demo.JavaToy">

    </application-desc>
    </jnlp>

    EXPECTED VERSUS ACTUAL BEHAVIOR :
    EXPECTED -
    Class path: C:\Program Files\Java\jre6\lib\deploy.jar

    -------------------------
    URLClassLoader:
    file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/JavaToy.jar
    file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/lib/felix-2.0.4.jar
    http://felix.extensions:9/

    --------------------------------
    Caught exception loading bogus class: java.lang.ClassNotFoundException: bogus.DoesNotExist
    java.lang.ClassNotFoundException: bogus.DoesNotExist
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at littleware.demo.JavaToy$AppRunner.run(JavaToy.java:39)
    at java.awt.event.InvocationEvent.dispatch(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)

    ACTUAL -
    Class path: C:\\Program Files (x86)\\Java\\jre6\\lib\\deploy.jar

    -------------------------
    URLClassLoader:
    file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/JavaToy.jar
    file:/C:/Users/pasquini/Documents/Code/JavaToy/dist/lib/felix-2.0.4.jar
    http://felix.extensions:9/

    --------------------------------
    Caught exception loading bogus class: java.lang.SecurityException: Permission denied: http://felix.extensions:9/bogus/DoesNotExist.class
    java.lang.SecurityException: Permission denied: http://felix.extensions:9/bogus/DoesNotExist.class
    at com.sun.deploy.security.DeployURLClassPath$UrlLoader.getResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at littleware.demo.JavaToy$AppRunner.run(JavaToy.java:39)
    at java.awt.event.InvocationEvent.dispatch(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$000(Unknown Source)
    at java.awt.EventQueue$1.run(Unknown Source)
    at java.awt.EventQueue$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)


    REPRODUCIBILITY :
    This bug can be reproduced always.

    ---------- BEGIN SOURCE ----------
    package littleware.demo;

    import java.io.PrintWriter;
    import java.io.StringWriter;
    import java.net.URL;
    import java.net.URLClassLoader;
    import java.sql.Connection;
    import java.util.HashMap;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.swing.JFrame;
    import javax.swing.JOptionPane;
    import javax.swing.JScrollPane;
    import javax.swing.JTextArea;
    import javax.swing.SwingUtilities;
    import javax.swing.WindowConstants;
    import org.apache.felix.framework.Felix;


    public class JavaToy {
    private static final Logger log = Logger.getLogger( JavaToy.class.getName() );

    public static class AppRunner implements Runnable {
    public void run() {
    final StringWriter swriter = new StringWriter();
    final PrintWriter pwriter = new PrintWriter( swriter );
    pwriter.append( "Class path: " ).append(
    System.getProperty( "java.class.path" )
    ).append( "\n\n-------------------------\n" );
    final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    if ( classLoader instanceof URLClassLoader ) {
    pwriter.append( "URLClassLoader:\n" );
    for ( URL url : ((URLClassLoader) classLoader).getURLs() ) {
    pwriter.append( url.toString() ).append( "\n" );
    }
    pwriter.append( "\n--------------------------------\n" );
    }
    try {
    Class.forName( "bogus.DoesNotExist" );
    pwriter.append( "No exception thrown on bogus class load\n" );
    } catch ( Exception ex ) {
    pwriter.append( "Caught exception loading bogus class: " ).append( ex.toString() ).append( "\n" );
    ex.printStackTrace(pwriter);
    }
    pwriter.flush();
    final JFrame jframe = new JFrame( "Webstart test" );
    final JTextArea jtext = new JTextArea( swriter.toString(), 20, 40 );
    jframe.add( new JScrollPane( jtext ) );
    jframe.pack();
    jframe.setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
    jframe.setVisible(true);
    }
    }
    public static void main( String[] args ) {
    try {
    log.log( Level.INFO, "Launching felix!" );
    (new Felix(new HashMap<String, Object>())).start();
    Thread.sleep( 2000 );
    } catch (Exception ex) {
    log.log(Level.SEVERE, "Caught exception", ex);
    System.exit(0);
    }
    SwingUtilities.invokeLater( new AppRunner() );
    }
    }

    ---------- END SOURCE ----------

    CUSTOMER SUBMITTED WORKAROUND :
    I can work around the problem by installing the app locally, so web-start is not necessary. I ran into this problem with an app that connects to Oracle via ojdbc6.jar - ojdbc6.jar invokes "Class.forName" to check for optional i18n classes on the class path. The Oracle code correctly handles the correct ClassNotFoundException, but the new SecurityException is breaking my app.
    workaround:

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points