69466 - NoProxyFor: AccessControlException: access denied appears when applet "phones home"

Status: VERIFIED FIXED

(Core Graveyard :: Java: OJI, defect)

Description

[udoo]

I reported the same bug to Sun's bug parade.

description: Java Console reports:
  Java(TM) Plug-In: Version 1.3.0_01

java -version reports:
  java version "1.3.0_01"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_01)
  Java HotSpot(TM) Client VM (build 1.3.0_01, mixed mode)

1. Steps to reproduce the problem:

i) Use a small applet which opens an inputstream for a url which points to the
same host the applet was loaded from.
ii) Try this applet inside Netscape 6.01 [Mozilla/5.0 (Windows; U; WinNT4.0; en-
US; m18) Gecko/20010131 Netscape6/6.01] or Mozilla M18 [Mozilla/5.0 (Windows;
U; WinNT4.0; en-US; m18) Gecko/20010131]
iii) The Java Console shows the Exception
     java.security.AccessControlException: access denied
(java.net.SocketPermission [myhost] resolve)

2a. sample applet:
import java.applet.*;
import java.net.*;
import java.io.*;

public class APhoneHome2 extends Applet {

  public String start() {
    String result = null;
    try {
      URL url = new URL( this.getDocumentBase(), "applet.html" );
      InputStreamReader rin = new InputStreamReader( url.openStream() );
      StringBuffer buf = new StringBuffer();
      int chr;
      while ( -1 != (chr = rin.read() ) ) {
        buf.append( (char) chr );
      }
      result = buf.toString();
      System.out.println( result );
    } catch (Exception ex) {
      ex.printStackTrace();
    }
    return result;
  }
}

2b. sample HTML page (called "applet.html"):
<HTML>
<HEAD>
<script>
  function run() {
    var loApplet = document.applets["applet1"];
    alert( loApplet.get( "applet.html" ) );
  }
</script>
</HEAD>
<BODY onload="run()">
<APPLET
  CODEBASE = "."
  CODE     = "APhoneHome2.class"
  NAME     = "applet1"
  WIDTH    = 400
  HEIGHT   = 300
  HSPACE   = 0
  VSPACE   = 0
  ALIGN    = middle
>
</APPLET>
</BODY>
</HTML>

3. Error mesage:
ava.security.AccessControlException: access denied (java.net.SocketPermission
p49985.wdf.sap-ag.de resolve)

	at java.security.AccessControlContext.checkPermission(Unknown Source)

	at java.security.AccessController.checkPermission(Unknown Source)

	at java.lang.SecurityManager.checkPermission(Unknown Source)

	at java.lang.SecurityManager.checkConnect(Unknown Source)

	at sun.plugin.protocol.jdk12.http.HttpURLConnection.connectStep1
(Unknown Source)

	at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream
(Unknown Source)

	at java.net.URL.openStream(Unknown Source)

	at APhoneHome2.get(APhoneHome2.java:46)

	at java.lang.reflect.Method.invoke(Native Method)

	at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)

	at java.security.AccessController.doPrivileged(Native Method)

	at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)

4. trace (at level 5)
Registered modality listener

Referencing classloader: sun.plugin.ClassLoaderInfo@33f8f6, refcount=1

Added trace listener: sun.plugin.navig.win32.AppletPluginPanel
[applet1,0,0,400x300,invalid,layout=java.awt.BorderLayout]

Sending events to applet. LOAD

Sending events to applet. INIT

Sending events to applet. START

Determine if the applet requests to install any HTML page

HTML Installation finished.

Determine if the applet requests to install any JAR

Jar cache option: null
Jar archive(s): null
Jar cache version(s): null

Applet Installation finished.

JavaScript: calling Java system code

JavaScript: default security policy = http://p49985.wdf.sap-ag.de

JavaScript: calling Java system code

JavaScript: default security policy = http://p49985.wdf.sap-ag.de

JavaScript: UniversalBrowserRead enabled

JavaScript: UniversalJavaPermission enabled

Wird ge?ffnethttp://p49985.wdf.sap-
ag.de/weblab/com.sap.weblab/classes/APhoneHome2.html

Check for (java.net.SocketPermission p49985.wdf.sap-ag.de resolve) in
JavaScriptProtectionDomain: java.security.AllPermissionCollection@51e730 (
)

5. additional configuration
The applet resides exactly inside the same loaction (host *and* folder) as the
HTML page. The URLconnection is opened to this location too.

We tried to lower the security settings inside the java.policy file:

grant {
  ...
  permission java.net.SocketPermission "*.sap-ag.de", "accept, connect, listen,
resolve";
  ...
}

and
grant codeBase "http://p49985.wdf.sap-ag.de" {
  permission java.net.SocketPermission "*.sap-ag.de", "accept, connect, listen,
resolve";
};

without success.

The same applet inside NN 4.x and MSIE 5.x (with the original browser built-in
JVM) works fine.
workaround: none
comments: (company - SAP AG , email - udo.offermann@sap.com)

Comment 1

[Boris Zbarsky [:bzbarsky]]

Over to OJI

Comment 2

[edburns]

This is a result of the stricter security present in Java2.  Stanley or Jeff,
can you please explain, or point the reporter to a document that explains, what
one has to do to get this to work?  I know that putting a .java.policy file in
your home directory like this will do the trick, but I think there is a less
severe option:

grant {
  permission java.security.AllPermission;
};

Comment 3

[udoo]

Even with a .java.policy file with

grant {
  permission java.security.AllPermission;
};

inside my profile directory (c:\winnt\profiles\foobar\.java.policy) I am not 
able to get the applet to work. 
I think the problem is, that the applet is unable to resolve the servers IP 
address. The server that I use has a fix IP address (no DHCP) and DNS is 
working well.

Comment 4

[edburns]

Can you try hard coding the ip instead of using getDocumentBase(), just to 
isolate the problem.  There is a known problem with getDocumentBase, please see 
bug 59430.

Ed

Comment 5

[Peter Lubczynski]

I'd gladly try my patch for GetDocumentBase():

http://bugzilla.mozilla.org/showattachment.cgi?attach_id=25449

...on this bug if someone could attach the .class files and a testcase. 

I have re-loaded my system at home and haven't installed a java compiler yet. 
Thanks.

Comment 6

[edburns]

Attachment: Tar.gz of compiled source and test case.

Comment 7

[udoo]

Sorry, but I'm unable to download your testcase (it seems that the server tries 
to send a cgi script instead of process it). 

I changed my testcase and replaced getDocumentBase() with the server'S IP 
address:
      URL ipaddr = new URL
( "http://10.18.84.25/weblab/Mozilla_Bug_Area/applet_phones_home/" );
      url    = new URL( ipaddr, address );

The testcase produces the following output inside the console:
>USE URL: 
http://10.18.84.25/weblab/Mozilla_Bug_Area/applet_phones_home/APhoneHome.html

>OPENED CONNECTION: 
sun.plugin.protocol.jdk12.http.HttpURLConnection:http://10.18.84.25/weblab/Mozil
la_Bug_Area/applet_phones_home/APhoneHome.html

java.security.PrivilegedActionException: 
java.lang.reflect.InvocationTargetException: 
java.security.AccessControlException: access denied (java.net.SocketPermission 
10.18.84.25 resolve)

	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkConnect(Unknown Source)
	at sun.plugin.protocol.jdk12.http.HttpURLConnection.connectStep1
(Unknown Source)
	at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream
(Unknown Source)
	at java.net.URL.openStream(Unknown Source)
	at com.sap.weblab.APhoneHome.phoneHome(APhoneHome.java:61)
	at java.lang.reflect.Method.invoke(Native Method)
	at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)

Comment 8

[edburns]

Attachment: Tar.gz of testcase, second try

Comment 9

[Peter Lubczynski]

My patch from bug 69466 does nothing for this. Please try with a recent build 
from mozilla.org as the output in the console I see is an HTML page instead of 
the access error.

Comment 10

[udoo]

I downloaded Mozilla 0.9 (20010310) but I wasn't able to get the java plugin to 
work (in opposition to Mozilla 0.8 where it worked fine). 

When I navigate to a page which contains an applet, I am asked to install the 
plugin. After clicking on the jigsaw piece -> "Get the Plugin" -> "Java 2 
Windows Plug-In" the plugin is downloaded and installed successfully, but the 
browser still ignores it and asks again to install the plugin. All reboots 
uninstallations and reinstallations didn't help.

I noticed that sun provides a new version j2re-1.3.0.02. Is it possible to 
download this separately and force Mozilla to use this without doing 
the "jigsaw steps"? I found nothing in the browser menus where I can setup the 
plugin.

Comment 11

[edburns]

Attachment: tar.gz of Another testcase. Modify the HTML to suit your environment.

Comment 12

[edburns]

Works for me with TRUNK build.

Try attachment 26844 [details] on this bug. 
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=26844

Comment 13

[udoo]

I tried testcase 26844 with Gecko/20010215 and Java(TM) Plug-In: Version 1.3.0_01.
The Proxy-settings inside the Plugin Control Panel are set to "use browser
settings".
I put the files 'NoProxyFor.html' and 'NoProxyFor.class' on my webserver (Linux
PC, p49985.wdf.sap-ag.de with fix IP address). There is no proxy between my
client pc and the server.

a) If I set the browser proxy settings to "Direct connecting to the internet"
than the applet is able to phone home (to enable this setting, you have to
restart the browser).

b) If I set the browser proxy settings to "Manual proxy configuration", "HTTP
proxy" to "proxy:8080" which is our main proxy and inside "No Proxy for" the
value ".sap-ag.de" than the applet is not loaded (bug 48336?):
load: class NoProxyFor.class not found.

java.lang.ClassNotFoundException: java.io.FileNotFoundException:
http://p49985.wdf.sap-ag.de/weblab/Mozilla_Bug_Area/Mozilla_samples/NoProxyFor/class.class

Comment 14

[edburns]

Udo, please specify the no proxy for value as "p49985.wdf.sap-ag.de" without the
quotes and post if that works.  I think what we have here is a failure to
communicate...actually if that works, I need to modify the code in
nsPluginHostImpl.cpp to be smarter about what a valid hostname pattern is.

I think you may be on to something, so I'm re-opening the bug.

Comment 15

[udoo]

I specified p49985.wdf.sap-ag.de as no proxy value and ... I worked :-)

Neither .wdf.sap-ag.de nor .sap-ag.de work. Also it is necessary to restart the 
browser to make changes of the no-proxy-for value active.

Comment 16

[edburns]

Vielen Dank Udo,

Es scheint als ob wir eine eigentliches bug haben.

Marking assigned.

Comment 17

[edburns]

Removing Jeff and Stanley from list to save them from getting some mail.

Comment 18

[edburns]

Added [oji_working] keyword.

Comment 19

[edburns]

mod summary

Comment 20

[edburns]

*** Bug 70443 has been marked as a duplicate of this bug. ***

Comment 21

[edburns]

Attachment: cvs diff -u of fix for this bug, first iteration.

Comment 22

[av (gone)]

ra=av

Comment 23

[Chris Waterson]

good catch. sr=waterson

Comment 24

[edburns]

Fix checked in.

Comment 25

[John Unruh]

Verified per edburn's comments.