Reputation: 11
Custom SecureClassLoader and permissions in JavaFX Web Start application
I'm migrating an applet-based application into a Web Start application.
In the application a custom ClassLoader is needed in order to fetch resources and classes from different media. It also uses a JavaFX layer on the top.
All permissions are granted to the WebStart application, the manifest is complete and the jar is signed with a valid certificate. In fact, if I don't fetch the classes from the media and I load them with the default ClassLoader, everything works. But if I use the custom ClassLoader, we face problems like:
Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.mydomain.com:443" "connect,resolve")
For testing proposals, the custom SecureClassLoader is granting all permissions. That does not help.
I'm also trying to replace the Security Manager, but I cannot:
java.lang.SecurityException: JVM Shared, not allowed to set security manager
even if I add the parameter to the applet descriptor inside the jnlp:
PARAM name="separate_jvm" value="true"
I cannot replace the manager.
Can anyone point what can I do to be able to grant permissions to those classes? It is not possible to change the policy files on the client side.
Here I add the stacktrace to point where the calls are coming from:
java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.mydomian.com" "resolve")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.FXAppletSecurityManager.checkConnect(Unknown Source)
at java.net.InetAddress.getAllByName0(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getByName(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.addAccess(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.allowNoAccess(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.FXAppletSecurityManager.checkConnect(Unknown Source)
at java.net.InetAddress.getAllByName0(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getByName(Unknown Source)
at java.net.URLStreamHandler.getHostAddress(Unknown Source)
at java.net.URLStreamHandler.hashCode(Unknown Source)
at java.net.URL.hashCode(Unknown Source)
at java.util.HashMap.hash(Unknown Source)
at java.util.HashMap.get(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler.getDefaultCodeSource(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler.access$1400(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.<init>(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildCallback.openClassPathElement(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildCallback.openClassPathElement(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getCodebaseLookup(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getResourceAsResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassLoader.getResourceAsStream(Unknown Source)
at java.lang.Class.getResourceAsStream(Unknown Source)
at mypackage.Util.readResource(Util.java:42)
at mypackage.CustomClassLoader.encryptedLookup(CustomClassLoader.java:101)
at mypackage.ClassLoader.findClass(CustomClassLoader.java:78)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at customUtil.ParametersGetter.getRole(ParametersGetter.java:80)
at com.application.ModuleConfig.main(ModConfig.java:448)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at mypackage.CustomClassLoader.launch(CustomClassLoader.java:126)
at mypackage.Browser$1.call(Browser.java:54)
at mypackage.Browser$1.call(Browser.java:45)
at javafx.concurrent.Task$TaskCallable.call(Task.java:1423)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Thanks.
Upvotes: 1
Views: 292
Answers (1)
Reputation: 11
Finally the problem was detected.
The System Classloader was set as the parent classloader of our custom classloader instead of using the classloader that loaded our classloader class.
As a result, other classloaders cascaded by a library of our application where lost in the flow, and that created a conflict on the permission resolution.
Upvotes: 0
Related Questions
- using javafx client with spring boot and spring security
- Using Spring Security extras with Spring Boot in JavaFX application
- java.lang.SecurityException: JAR manifest requested to run in all-permissons only
- Javafx - Security concern while deploying App using Fxlauncher vs Java Web Start
- JVM Security Manager File permissions - custom policy
- Java web start security issue
- Webstart application: SecurityException: setContextClassLoader
- Permission to access classes in Java WebStart
- Java class loader security handling
- Java security policy: granting access depending on classloader