2 Replies Latest reply: Feb 15, 2012 10:45 PM by 917826 RSS

    AccessControlException in JavaSE update 29

    917826
      Hi.
      I have a qustion about Critical Patch Updates in JavaSE update 29.

      I created a web application to access web Server using ssh.
      And I made options to anual certificate check by next source.

      ---
      HttpsURLConnection httpsconnection = (HttpsURLConnection) url.openConnection();

      KeyManager[] km = null;
      +TrustManager[] tm = { new X509TrustManager() {+
      public void checkClientTrusted(X509Certificate[] arg0, String arg1)
      +throws CertificateException {+
      +}+
      public void checkServerTrusted(X509Certificate[] arg0, String arg1)
      +throws CertificateException {+
      +}+
      +public X509Certificate[] getAcceptedIssuers() {+
      return null;
      +}+
      +} };+

      SSLContext sslcontext = null;
                
      +try {+
      sslcontext = SSLContext.getInstance(config.getProtocol());
                                    
      sslcontext.init(km, tm, null);
      httpsconnection.setSSLSocketFactory(sslcontext.getSocketFactory());
      httpsconnection.connect();
                     
      +:::+
      ---

      This function ran in JavaSE update 27,
      but It threw error in JavaSE update 29 with stacktrace.

      ---
      java.security.AccessControlException: access denied (java.lang.RuntimePermission setFactory)
       +at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)+
       +at java.security.AccessController.checkPermission(AccessController.java:546)+
       +at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)+
       +at java.lang.SecurityManager.checkSetFactory(SecurityManager.java:1612)+
       +at javax.net.ssl.HttpsURLConnection.setSSLSocketFactory(HttpsURLConnection.java:356)+
      ----

      Is this error a effect of CPU, CVE-2011-3560?
      Is that correct to add the server policy "Runtime Permission setFactory"?

      Regards.