openjdk team mailing list archive
Message #06565
Bug#642598: w/ new javaws.policy HDtracks Download Manager no longer works
reassign 642598 openjdk-6-jre 6b23~pre8-2
affects 642598 icedtea-netx 1.1.2-1
tags 642598 + pending
thanks
Hi,
Thanks for your reports.
On Saturday 24 September 2011 13:02:27, Jamie Heilman wrote:
> The downloader Web Start application HDtracks (www.hdtracks.com) uses
> for purchases used to work as recently as version 1.1-1, but now it
> just kicks out an error about not being able to connect to their
> service. Using Oracle's javaws from the 1.7.0 JRE, the app works fine.
I think it used to work with a previous openjdk-6.
[...]
> It all appears to be related to the addition of the javaws.policy
> file. So after fumbling around and reading up on things I applied:
>
> --- /etc/icedtea-web/javaws.policy.orig 2011-09-24 03:44:41.856667471 -0700
> +++ /etc/icedtea-web/javaws.policy 2011-09-24 03:42:38.473334213 -0700
> @@ -11,4 +11,7 @@
>
> permission java.lang.RuntimePermission
> "accessClassInPackage.sun.security.internal.interfaces";
> +
> + permission java.lang.RuntimePermission
> + "accessClassInPackage.sun.security.rsa";
> };
>
>
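Review bot: the added "accessClassInPackage.sun.security.rsa" permission goes at the end of a grant block whose header lies above line 11 and is not shown in this hunk, so the scope of the grant cannot be confirmed from the patch. If that block has no codeBase, the permission is given to all code that javaws.policy applies to, not only to the library that needs the package. Prefer a separate grant with a codeBase for that library, and add a comment above the new permission naming the caller that requires sun.security.rsa.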
> ...and everything worked again. So, might wanna take a harder look at
> https://bugzilla.redhat.com/show_bug.cgi?id=471413 or evaluate why
> Oracle ships with "permission java.security.AllPermission;" in their
> default javaws policy file.
Yes, but upstream uses a specific codeBase for this java.policy:
grant codeBase "file:/usr/share/icedtea-web/netx.jar" {
permission java.security.AllPermission;
};
(I've uploaded icedtea-web-1.1.3 with this policy to be closer to upstream)
In fact, it's an issue with openjdk-6, where it didn't allow its own
sunpkcs11.jar library to access internal classes. I'm preparing an update for
this. In the meantime, you can edit /etc/java-6-openjdk/security/java.policy
and replace:
------
grant codeBase "file:/usr/lib/jvm/java-6-openjdk-amd64/ext/*" {
permission java.security.AllPermission;
};
grant codeBase "file:/usr/lib/jvm/java-6-openjdk-common/ext/*" {
permission java.security.AllPermission;
};
------
with this policy:
------
grant codeBase "file:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/ext/*" {
permission java.security.AllPermission;
};
grant codeBase "file:/usr/lib/jvm/java-6-openjdk-common/jre/lib/ext/*" {
permission java.security.AllPermission;
};
------
Cheers,
--
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
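A check for the codeBase mismatch described in this message, as an added example that is not part of the original e-mail or of the Debian or OpenJDK packaging: it reports `grant codeBase "file:..."` entries whose path matches no file on disk, which is why such a grant gives no permissions to any code. The function names and the temporary directory tree (one empty `sunpkcs11.jar` under `jre/lib/ext`) are constructed for illustration.

```python
import glob
import os
import re
import tempfile

# grant codeBase "file:<path>" { ...permissions... };
GRANT_RE = re.compile(r'grant\s+codeBase\s+"file:([^"]+)"\s*\{(.*?)\}\s*;', re.S)

def audit_policy(policy_text, root="/"):
    """Return (codeBase path, grants AllPermission, files matched) per grant."""
    findings = []
    for path, body in GRANT_RE.findall(policy_text):
        on_disk = os.path.join(root, path.lstrip("/"))
        if path.endswith("/*"):
            # dir/* covers JAR and class files directly inside dir
            hits = [p for p in glob.glob(on_disk) if os.path.isfile(p)]
        elif path.endswith("/-"):
            # dir/- covers files in dir and, recursively, its subdirectories
            hits = [os.path.join(d, f)
                    for d, _, files in os.walk(on_disk[:-2]) for f in files]
        else:
            hits = [on_disk] if os.path.exists(on_disk) else []
        findings.append((path, "java.security.AllPermission" in body, len(hits)))
    return findings

def stale_grants(policy_text, root="/"):
    """codeBase grants that match no file, so they apply to no code at all."""
    return [p for p, _, n in audit_policy(policy_text, root) if n == 0]

# The amd64 grant from the message, before and after the suggested edit.
JVM = "/usr/lib/jvm/java-6-openjdk-amd64"
OLD = 'grant codeBase "file:%s/ext/*" {\n permission java.security.AllPermission;\n};\n' % JVM
NEW = 'grant codeBase "file:%s/jre/lib/ext/*" {\n permission java.security.AllPermission;\n};\n' % JVM

def demo():
    """Audit both policies against a constructed tree holding one extension JAR."""
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, JVM.lstrip("/"), "jre/lib/ext")
        os.makedirs(ext_dir)
        open(os.path.join(ext_dir, "sunpkcs11.jar"), "w").close()
        return stale_grants(OLD, root), stale_grants(NEW, root)

if __name__ == "__main__":
    old_stale, new_stale = demo()
    print("stale in old policy:", old_stale)
    print("stale in new policy:", new_stale)
```

On a real system, pass the contents of /etc/java-6-openjdk/security/java.policy to `stale_grants` with the default `root="/"`.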