21 Replies. Latest reply: Nov 14, 2011 9:48 AM by 899552

Applet altering value of JSESSIONID cookie in Java 6 Update 29

895541 Newbie
After upgrading to Java 6 Update 29 (1.6.0_29) we started to encounter problems with users losing their session in our web application once the user navigated to a page that contained an applet. The applet communicates with our server. We have traced the issue to a new value being set for the JSESSIONID cookie. This happens shortly after the applet loads. We also observed the same behavior when using the java.com website and its 'Verify Java Version' applet (http://java.com/en/download/installed.jsp).

When using a previous version of Java (such as Update 22 or 27) we do NOT see this JSESSIONID altering issue. Downgrading the Java client version is our only known workaround.

Has anyone else experienced similar behavior since using update 29? Is this a new security feature or fix that was introduced in update 29?

We've also seen the following stack traces thrown in the client-side Java Console. Still trying to determine if they are more of a side effect or the root cause.

java.security.AccessControlException: access denied (com.sun.deploy.security.SecureCookiePermission origin.https://172.xxx.xxx.xxx:8443)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
.....

java.io.IOException: Not in GZIP format
at java.util.zip.GZIPInputStream.readHeader(Unknown Source)
at java.util.zip.GZIPInputStream.<init>(Unknown Source)
at java.util.zip.GZIPInputStream.<init>(Unknown Source)
....
  • 1. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895548 Newbie
    We are experiencing the same problem after applying Java 6 Update 29 - it's failing to allow any alteration to a secure cookie.
  • 2. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    817264 Journeyer
    Could you provide a more detailed description of how things are deployed and what is wrong (and ideally a full trace file)?
    See http://download.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf for details on how to get a full trace log.

    Questions:
    a) Where is the applet code loaded from? Is it the same domain/IP (as a string)? Is it using the https protocol?
    Is the applet signed?

    b) JSESSIONID cookie - is it set for a particular domain? Is it the same domain as the applet origin? I assume it is a secure cookie?

    Please post an example cookie (with domain), part of log showing where applet is loaded from, etc.

    c) Do you use LiveConnect to initiate the attempt to connect back to the server?

    d) Could you please explain steps needed to reproduce the problem using http://java.com/en/download/installed.jsp ?
  • 3. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895565 Newbie
    We are also facing the same problem because of Version 6 Update 29. For now, as a workaround, we are working with Version 6 Update 26.
    We are getting the messages below in the console.

    java.security.AccessControlException: access denied (com.sun.deploy.security.SecureCookiePermission origin.http://address)
         at java.security.AccessControlContext.checkPermission(Unknown Source)
         at java.security.AccessController.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkPermission(Unknown Source)
         at com.sun.deploy.net.cookie.DeployCookieSelector.canServeCookies(Unknown Source)
         at com.sun.deploy.net.cookie.DeployCookieSelector.get(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.setCookieHeader(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
  • 4. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    817264 Journeyer
    This is not necessarily a bug per se. Starting with 6u29, Java will not send secure cookies over an http connection. Only over https.
    Workarounds: load applet through https and connect back using https, or sign applet.
  • 5. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895565 Newbie
    Changing the permissions in the java.policy to give all permissions helps to resolve the problem. But I don't think it's a feasible solution. Is there any browser setting to override these permissions?
  • 6. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895565 Newbie
    We are facing the same problem. Was anyone able to find a resolution for this?
  • 7. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    thomasng Newbie
    What's the exact problem that you are running into? Can you provide a test case or full stack trace please? What's the applet operation/code that triggered the exception? Is the applet signed or not?

    The exception message printed in Java console:

    java.security.AccessControlException: access denied ("com.sun.deploy.security.SecureCookiePermission" "origin.<protocol + host part of url>")

    means that when the Java applet connects to the URL, the secure cookies will not be sent because the applet does not have the permission to do so. The connection is still made, without the secure cookies.

    In order for an applet to access a secure cookie: an unsigned sandbox applet must be hosted at an HTTPS document base and connect back to the document base host using HTTPS; a signed applet should have all permissions already and will have access to the secure cookie.
  • 8. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895722 Newbie
    The exact problem that we are running into is that our JSESSIONID is changing, we believed this was because our cookie is invalidated due to:
    java.security.AccessControlException: access denied (com.sun.deploy.security.SecureCookiePermission origin.https://172.xxx.xxx.xxx:8443)

    This assumption may be completely false. But there is something about the applet and update 29 that is causing the JSESSIONID to change.
    We see the same thing with the verify Java Version applet on java.com/en/download/installed.jsp
    This JSESSIONID change did not happen with previous updates with the check Java Version applet, or with our own applet. But it does occur now with both applets; we're assuming this change is due to the same cause in both applets.

    We can sign our applet (it's not currently signed), but it's interacting with JavaScript code, and from my understanding of
    http://download.oracle.com/javase/tutorial/deployment/applet/security.html, which says the following:
    JavaScript code is treated like unsigned code. When a signed applet is accessed from JavaScript code in an HTML page, the applet is executed within the
    security sandbox. This implies that the signed applet essentially behaves like an unsigned applet.
    that means it wouldn't even help to sign the applet.

    Additionally, the URL, as you can see from the above exception is using https://

    We really appreciate any information you can give us to help with this issue. We can provide further information from the java console, but I wanted to make sure that the AccessControlException isn't a red herring since what we really care about is the JSESSIONID change.
  • 9. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895541 Newbie
    From what we've seen the applet itself isn't directly changing the value of the JSESSIONID. But in an applet request to the server the header value for cookie is null/empty, so the server creates a new session and then the new JSESSIONID is returned, set and used by both the browser and the applet in future requests. So the client is now effectively cut off from their old session.

    The interesting thing is that looking at the requests coming into the server, in the header value for the cookie string the correct JSESSIONID is sent by the applet on the first few requests to the server. However, it then nullifies or clears the cookie value on a subsequent call which causes the problem.
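As an added illustration of the mechanism described in replies 7 and 9 (example code, not from the thread): a Python simulation in which a Secure JSESSIONID is withheld from a plain-http applet request, so the server mints a new session whose Set-Cookie overwrites the browser's. Host names, ports and session ids are constructed; the jar rule "Secure cookies only over https" stands in for the 6u29 plugin behaviour, and switching the applet to https keeps the original session.

```python
# Constructed simulation: a shared cookie jar, a minimal "servlet container"
# that creates a session whenever no JSESSIONID arrives, and a browser+applet
# exchange. Not code from the thread or from the Java plugin.
from urllib.parse import urlsplit
import itertools

class CookieJar:
    """Shared jar: Secure cookies are only attached to https requests."""
    def __init__(self):
        self.cookies = {}  # name -> (value, secure)

    def set(self, name, value, secure):
        self.cookies[name] = (value, secure)

    def header_for(self, url):
        scheme = urlsplit(url).scheme
        sent = {n: v for n, (v, sec) in self.cookies.items()
                if scheme == "https" or not sec}
        return "; ".join(f"{n}={v}" for n, v in sent.items())

class Server:
    """No (known) JSESSIONID in the request -> new session + Set-Cookie."""
    def __init__(self):
        self.counter = itertools.count(1)
        self.sessions = {}

    def handle(self, cookie_header):
        cookies = dict(p.split("=", 1) for p in cookie_header.split("; ") if p)
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return sid, None
        sid = f"S{next(self.counter)}"
        self.sessions[sid] = {}
        return sid, ("JSESSIONID", sid, True)  # Set-Cookie: ...; Secure

def run(applet_url):
    """Browser logs in over https, the applet then calls applet_url.
    Returns (session id before the applet call, session id seen afterwards)."""
    jar, server = CookieJar(), Server()
    before, setc = server.handle(jar.header_for("https://app.example:8443/login"))
    jar.set(*setc)
    _, setc = server.handle(jar.header_for(applet_url))
    if setc:
        jar.set(*setc)  # the fresh Set-Cookie replaces the browser's cookie too
    after, _ = server.handle(jar.header_for("https://app.example:8443/next"))
    return before, after

if __name__ == "__main__":
    print(run("http://app.example:8080/applet"))   # ('S1', 'S2'): session lost
    print(run("https://app.example:8443/applet"))  # ('S1', 'S1'): preserved
```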
  • 10. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895749 Newbie
    Agreed, that's what it does look like. We're experiencing the same problem, mainly using remote scripting (MS implementation with rs.htm, rs.asp, and rsproxy.class). Once we make a single remote scripting call (invoking the APPLET), the IIS session ID in the calling page becomes altered, essentially logging our users out (since we store their session info in the ASP session object).

    As others have stated, this appears to be a completely new behavior with update 29.

    Any solution to the problem, or even further information, would be greatly appreciated.

    I should mention that since the class (rsproxy.class) was provided as-is by MS, signing the applet is not an option since we don't have the jar file.

    Edited by: 892746 on Oct 21, 2011 2:08 PM
  • 11. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    823590 Newbie
    892719 wrote:
    We see the same thing with the verify Java Version applet on java.com/en/download/installed.jsp
    Can you please elaborate how installed.jsp is affected? What platform and JRE versions do you have, and what behavior do you see?
  • 12. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895811 Newbie
    Hi,

    we have exactly the same issue: When a client's machine is upgraded to 1.6.0_29 it raises a java.security.AccessControlException: access denied (com.sun.deploy.security.SecureCookiePermission origin)

    I've looked into the issue, but since we are using a 3rd-party system (Tomcat, Java applet communicating back via JavaScript)...it is difficult for us to find a solution.

    The only feasible solution we have found is to:
    - Downgrade Java to 1.6.0_26: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html#jre-6u26-oth-JPR

    The other, less customer-friendly, solution is to edit the java.security file on the client's machine.
         //1.6.0_29 fix:
         //Edit the C:\Program Files\Java\jre6\lib\security\java.security file and add the below line to the "grant {" section
         permission com.sun.deploy.security.SecureCookiePermission "*.some.site.com:80-", "listen,accept,connect,resolve";

    I'm expecting that a LOT of other websites will have the same issue, and my only hope is that Oracle comes up with a solution to this problem before it becomes a support nightmare for Java-dependent companies.

    MT.
  • 13. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    895811 Newbie
    btw....any comments about resolution would be more than welcome!!!
  • 14. Re: Applet altering value of JSESSIONID cookie in Java 6 Update 29
    EJP Guru
    This is a user-to-user forum, not an Oracle support channel. You're not all that likely to get informed comments about resolution here, although it has happened occasionally.