[FIXED] Access denied org.lwjgl.util.Debug

Started by ajr_1, October 16, 2013, 11:15:04

Previous topic - Next topic

ajr_1

Hi folks. After the most recent Java update, 7u45, my app no longer works.  I think it's a security issue, but not sure how it's come about. All my jars are signed with the same certificate. The error in the console is:

java.lang.reflect.InvocationTargetException
	at java.awt.EventQueue.invokeAndWait(Unknown Source)
	at java.awt.EventQueue.invokeAndWait(Unknown Source)
	at org.lwjgl.util.applet.AppletLoader.run(AppletLoader.java:906)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ExceptionInInitializerError
	at org.lwjgl.Sys.createImplementation(Sys.java:124)
	at org.lwjgl.Sys.<clinit>(Sys.java:111)
	at org.lwjgl.opengl.Display.<clinit>(Display.java:135)
	at com.jme.system.lwjgl.LWJGLDisplaySystem.setVSyncEnabled(LWJGLDisplaySystem.java:109)
	at cohort.Utilities.CohortApplet.init(CohortApplet.java:105)
	at avc.TackFoot3D.AVC_Applet.init(AVC_Applet.java:167)
	at org.lwjgl.util.applet.AppletLoader.switchApplet(AppletLoader.java:1330)
	at org.lwjgl.util.applet.AppletLoader$2.run(AppletLoader.java:909)
	at java.awt.event.InvocationEvent.dispatch(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$200(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "org.lwjgl.util.Debug" "read")
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
	at java.lang.System.getProperty(Unknown Source)
	at java.lang.Boolean.getBoolean(Unknown Source)
	at org.lwjgl.LWJGLUtil$4.run(LWJGLUtil.java:454)
	at org.lwjgl.LWJGLUtil$4.run(LWJGLUtil.java:452)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.lwjgl.LWJGLUtil.getPrivilegedBoolean(LWJGLUtil.java:452)
	at org.lwjgl.LWJGLUtil.<clinit>(LWJGLUtil.java:265)
	... 22 more


I've got no idea what org.lwjgl.util.Debug is doing - I can't find any reference to it in the code. Can anyone point me in the right direction?

Faust

Hi,

we have the same problem over here...

spasi

There's been more security related changes in u45, this might help.

Pignic

I found a creepy workaround to avoid this problem due to the AppletLoader from lwjgl_util_applet.jar that override the security context by replacing the default classLoader. So we need to patch it :

1 - Download the class HERE

2 - Replace this:
classLoader = new URLClassLoader(urls) {

with this:
classLoader = new URLClassLoader(urls, Thread.currentThread().getContextClassLoader()) {


And this:
Thread.currentThread().setContextClassLoader(classLoader);
Class appletClass = classLoader.loadClass(getParameter("al_main"));

with this:
Class appletClass = Thread.currentThread().getContextClassLoader().loadClass(getParameter("al_main"));



3 - Compile and override the .class of the lwjgl_util_applet.jar with the new one.

4 - Remove the signature of all your jars (if exist) and re-sign all with those atributes in the MANIFEST.MF
Manifest-Version: 1.0
Trusted-Library: true
Application-Library-Allowable-Codebase: *
Trusted-Only: false
Application-Name: My app
Permissions: all-permissions
Created-By: 1.6.0_16 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: *


5 - In the applet tag, put this :
<param name="permissions" value="all-permissions">
<param name="codebase_lookup" value="true">
<param name="classloader_cache" value="false">
<param name="al_version" value="0.1">"


6 - (The creepy part) Put all the jars in the param "al_jars" in the param "archive" (just put a white space in al_jars),

7 - Clean your cache (java & browser) and set your java cache active (like the future users of your app),

8 - Run your applet and keep you fingers crossed.

- This solution works for me : win7 x64, java 1.7_45 32 and 64 bits, Firefox ans Chrome
- On another computer (win7 x64, java 1.7_45 32 bit, Firefox), there is this :
Exception in thread "AWT-EventQueue-2" java.lang.UnsatisfiedLinkError: org.lwjgl.opengl.AWTSurfaceLock.lockAndInitHandle(Ljava/nio/ByteBuffer;Ljava/awt/Canvas;Z)Z
- On another computer, the java cache load many times the jars and works good after few minutes (load nearly 500Mb in the cache).

I am waiting for your feedback.

Best regards,
Nicolas.
Nicolas PIGNOL - IT Consultant - FRANCE

Faust

Hi,

just a quick question: Is the LWJGL-Team working on a solution for this problem?
We now switched everything from being deployed as an applet to web-apps using jnlp-files (which works because it doesn't use the AppletLoader class).

If there isn't an appropriate solution being released in the near future we will have to rewrite the AppletLoader ourself or maybe just get rid of it (sadly)...

Kinds Regards,
Faust

Matzon

I'm running into a
QuoteCaused by: java.lang.NullPointerException
   at sun.plugin2.applet.Plugin2ClassLoader.loadAllowedCodebases(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
   at sun.plugin2.applet.Applet2ClassLoader.getPermissions(Unknown Source)
   ... 35 more
tbh, it seems like Oracle really f*cked up the .45 release. Many breaking changes related to these security fixes.

kappa

This should be fixed in the nightly builds now, seems that jar files now require the use of new jar file manifests as listed here. I've added the necessary ones to lwjgl_util_applet.jar and lzma.jar which allows LWJGL applets to run now.

However a problem I ran into was a change made by Oracle in 7u25 which blocks use of the AppletLoader when running locally (makes debugging a real pain). The Applet.getCodeBase() method will return null (even when applet is running with full permissions) and seems to be an intentional change as indicated here. The article "Java Security Clusterf*ck" sums up the issue and highlights the absurdity of this change. The issue could be fixed by simply overriding the Applet.getCodeBase() method with one of the workaround mentioned in the article above but not sure if such "expected behaviour" should be changed in this way.