Closed
Bug 69466
Opened 24 years ago
Closed 24 years ago
NoProxyFor: AccessControlException: access denied appears when applet "phones home"
Categories
(Core Graveyard :: Java: OJI, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: udo.offermann, Assigned: edburns)
References
Details
(Whiteboard: [oji_working])
Attachments
(4 files)
I reported the same bug to Sun's bug parade.
description: Java Console reports:
Java(TM) Plug-In: Version 1.3.0_01
java -version reports:
java version "1.3.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_01)
Java HotSpot(TM) Client VM (build 1.3.0_01, mixed mode)
1. Steps to reproduce the problem:
i) Use a small applet which opens an input stream for a URL which points to the
same host the applet was loaded from.
ii) Try this applet inside Netscape 6.01 [Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20010131 Netscape6/6.01] or Mozilla M18 [Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20010131]
iii) The Java Console shows the exception
java.security.AccessControlException: access denied (java.net.SocketPermission [myhost] resolve)
2a. sample applet:
import java.applet.*;
import java.net.*;
import java.io.*;
public class APhoneHome2 extends Applet {
    // Called from the page's JavaScript (see 2b) as get( "applet.html" ).
    // Reads the named resource relative to the document base and returns its text.
    public String get( String address ) {
        String result = null;
        try {
            URL url = new URL( this.getDocumentBase(), address );
            // openStream() is where the SocketPermission check is triggered
            InputStreamReader rin = new InputStreamReader( url.openStream() );
            StringBuffer buf = new StringBuffer();
            int chr;
            while ( -1 != (chr = rin.read() ) ) {
                buf.append( (char) chr );
            }
            rin.close();
            result = buf.toString();
            System.out.println( result );
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return result;
    }
}
2b. sample HTML page (called "applet.html"):
<HTML>
<HEAD>
<script>
function run() {
var loApplet = document.applets["applet1"];
alert( loApplet.get( "applet.html" ) );
}
</script>
</HEAD>
<BODY onload="run()">
<APPLET
CODEBASE = "."
CODE = "APhoneHome2.class"
NAME = "applet1"
WIDTH = 400
HEIGHT = 300
HSPACE = 0
VSPACE = 0
ALIGN = middle
>
</APPLET>
</BODY>
</HTML>
3. Error message:
java.security.AccessControlException: access denied (java.net.SocketPermission p49985.wdf.sap-ag.de resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpURLConnection.connectStep1(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at APhoneHome2.get(APhoneHome2.java:46)
at java.lang.reflect.Method.invoke(Native Method)
at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)
4. trace (at level 5)
Registered modality listener
Referencing classloader: sun.plugin.ClassLoaderInfo@33f8f6, refcount=1
Added trace listener: sun.plugin.navig.win32.AppletPluginPanel
[applet1,0,0,400x300,invalid,layout=java.awt.BorderLayout]
Sending events to applet. LOAD
Sending events to applet. INIT
Sending events to applet. START
Determine if the applet requests to install any HTML page
HTML Installation finished.
Determine if the applet requests to install any JAR
Jar cache option: null
Jar archive(s): null
Jar cache version(s): null
Applet Installation finished.
JavaScript: calling Java system code
JavaScript: default security policy = http://p49985.wdf.sap-ag.de
JavaScript: calling Java system code
JavaScript: default security policy = http://p49985.wdf.sap-ag.de
JavaScript: UniversalBrowserRead enabled
JavaScript: UniversalJavaPermission enabled
Wird geöffnet http://p49985.wdf.sap-ag.de/weblab/com.sap.weblab/classes/APhoneHome2.html
Check for (java.net.SocketPermission p49985.wdf.sap-ag.de resolve) in
JavaScriptProtectionDomain: java.security.AllPermissionCollection@51e730 (
)
5. additional configuration
The applet resides exactly inside the same location (host *and* folder) as the
HTML page. The URLconnection is opened to this location too.
We tried to lower the security settings inside the java.policy file:
grant {
...
permission java.net.SocketPermission "*.sap-ag.de", "accept, connect, listen, resolve";
...
}
and
grant codeBase "http://p49985.wdf.sap-ag.de" {
permission java.net.SocketPermission "*.sap-ag.de", "accept, connect, listen, resolve";
};
without success.
The same applet inside NN 4.x and MSIE 5.x (with the original browser built-in
JVM) works fine.
workaround: none
comments: (company - SAP AG , email - udo.offermann@sap.com)
Comment 1•24 years ago
Over to OJI
Assignee: idk → edburns
Component: Java-Implemented Plugins → OJI
QA Contact: geetha.vaidyanaathan → shrir
This is a result of the stricter security present in Java2. Stanley or Jeff,
can you please explain, or point the reporter to a document that explains, what
one has to do to get this to work? I know that putting a .java.policy file in
your home directory like this will do the trick, but I think there is a less
severe option:
grant {
permission java.security.AllPermission;
};
Even with a .java.policy file with
grant {
permission java.security.AllPermission;
};
inside my profile directory (c:\winnt\profiles\foobar\.java.policy) I am not
able to get the applet to work.
I think the problem is that the applet is unable to resolve the server's IP
address. The server that I use has a fixed IP address (no DHCP) and DNS is
working well.
Can you try hard coding the ip instead of using getDocumentBase(), just to
isolate the problem. There is a known problem with getDocumentBase, please see
bug 59430.
Ed
Comment 5•24 years ago
I'd gladly try my patch for GetDocumentBase():
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=25449
...on this bug if someone could attach the .class files and a testcase.
I have re-loaded my system at home and haven't installed a java compiler yet.
Thanks.
Sorry, but I'm unable to download your testcase (it seems that the server tries
to send a cgi script instead of process it).
I changed my testcase and replaced getDocumentBase() with the server's IP
address:
URL ipaddr = new URL( "http://10.18.84.25/weblab/Mozilla_Bug_Area/applet_phones_home/" );
url = new URL( ipaddr, address );
The testcase produces the following output inside the console:
>USE URL: http://10.18.84.25/weblab/Mozilla_Bug_Area/applet_phones_home/APhoneHome.html
>OPENED CONNECTION: sun.plugin.protocol.jdk12.http.HttpURLConnection:http://10.18.84.25/weblab/Mozilla_Bug_Area/applet_phones_home/APhoneHome.html
java.security.PrivilegedActionException:
java.lang.reflect.InvocationTargetException:
java.security.AccessControlException: access denied (java.net.SocketPermission 10.18.84.25 resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpURLConnection.connectStep1(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at com.sap.weblab.APhoneHome.phoneHome(APhoneHome.java:61)
at java.lang.reflect.Method.invoke(Native Method)
at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)
Comment 9•24 years ago
My patch from bug 69466 does nothing for this. Please try with a recent build
from mozilla.org as the output in the console I see is an HTML page instead of
the access error.
Comment 10•24 years ago (Reporter)
I downloaded Mozilla 0.9 (20010310) but I wasn't able to get the java plugin to
work (in opposition to Mozilla 0.8 where it worked fine).
When I navigate to a page which contains an applet, I am asked to install the
plugin. After clicking on the jigsaw piece -> "Get the Plugin" -> "Java 2
Windows Plug-In" the plugin is downloaded and installed successfully, but the
browser still ignores it and asks again to install the plugin. All reboots,
uninstallations and reinstallations didn't help.
I noticed that Sun provides a new version j2re-1.3.0.02. Is it possible to
download this separately and force Mozilla to use this without doing
the "jigsaw steps"? I found nothing in the browser menus where I can setup the
plugin.
Comment 11•24 years ago (Assignee)
Comment 12•24 years ago (Assignee)
Works for me with TRUNK build.
Try attachment 26844 [details] on this bug.
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=26844
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Comment 13•24 years ago (Reporter)
I tried testcase 26844 with Gecko/20010215 and Java(TM) Plug-In: Version 1.3.0_01.
The Proxy-settings inside the Plugin Control Panel are set to "use browser
settings".
I put the files 'NoProxyFor.html' and 'NoProxyFor.class' on my webserver (Linux
PC, p49985.wdf.sap-ag.de with fixed IP address). There is no proxy between my
client pc and the server.
a) If I set the browser proxy settings to "Direct connecting to the internet"
then the applet is able to phone home (to enable this setting, you have to
restart the browser).
b) If I set the browser proxy settings to "Manual proxy configuration", "HTTP
proxy" to "proxy:8080" which is our main proxy and inside "No Proxy for" the
value ".sap-ag.de" then the applet is not loaded (bug 48336?):
load: class NoProxyFor.class not found.
java.lang.ClassNotFoundException: java.io.FileNotFoundException:
http://p49985.wdf.sap-ag.de/weblab/Mozilla_Bug_Area/Mozilla_samples/NoProxyFor/class.class
Comment 14•24 years ago (Assignee)
Udo, please specify the no proxy for value as "p49985.wdf.sap-ag.de" without the
quotes and post if that works. I think what we have here is a failure to
communicate...actually if that works, I need to modify the code in
nsPluginHostImpl.cpp to be smarter about what a valid hostname pattern is.
I think you may be on to something, so I'm re-opening the bug.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Comment 15•24 years ago (Reporter)
I specified p49985.wdf.sap-ag.de as no proxy value and ... it worked :-)
Neither .wdf.sap-ag.de nor .sap-ag.de work. Also it is necessary to restart the
browser to make changes of the no-proxy-for value active.
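The hostname-pattern handling discussed in comments 14 and 15, as an added C++ example that is not part of the original thread and is not the code in nsPluginHostImpl.cpp: bypassExactOnly reproduces the observed behaviour (only the full host name matches), while bypassProxy also accepts domain-suffix entries such as .sap-ag.de, matching only on a label boundary so look-alike names do not slip past the proxy. The function names and the comma-separated list format are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

// Hypothetical helpers for this example only.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    std::string::size_type b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::string::size_type e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Exact comparison only: ".sap-ag.de" never matches "p49985.wdf.sap-ag.de".
bool bypassExactOnly(const std::string& host, const std::string& noProxyFor) {
    std::istringstream in(noProxyFor);
    std::string entry;
    while (std::getline(in, entry, ','))
        if (lower(trim(entry)) == lower(host)) return true;
    return false;
}

// Pattern-aware: an entry matches the host itself or any subdomain of it.
bool bypassProxy(const std::string& host, const std::string& noProxyFor) {
    const std::string h = lower(host);
    std::istringstream in(noProxyFor);
    std::string entry;
    while (std::getline(in, entry, ',')) {
        std::string p = lower(trim(entry));
        if (!p.empty() && p[0] == '.') p.erase(0, 1);  // ".sap-ag.de" -> "sap-ag.de"
        if (p.empty()) continue;                          // ignore "" and "."
        if (h == p) return true;
        // Suffix must start at a dot, so "notsap-ag.de" does not match "sap-ag.de".
        if (h.size() > p.size() &&
            h.compare(h.size() - p.size(), p.size(), p) == 0 &&
            h[h.size() - p.size() - 1] == '.')
            return true;
    }
    return false;
}
```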
Comment 16•24 years ago (Assignee)
Many thanks, Udo.
It seems we have an actual bug.
Marking assigned.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 17•24 years ago (Assignee)
Removing Jeff and Stanley from list to save them from getting some mail.
Comment 19•24 years ago (Assignee)
mod summary
Summary: AccessControlException: access denied appears when applet "phones home" → NoProxyFor: AccessControlException: access denied appears when applet "phones home"
Comment 20•24 years ago (Assignee)
*** Bug 70443 has been marked as a duplicate of this bug. ***
Comment 21•24 years ago (Assignee)
Comment 22•24 years ago
ra=av
Comment 23•24 years ago
good catch. sr=waterson
Comment 24•24 years ago (Assignee)
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED