Security-Exception with PAC script in Java 8 #59

Open
GoogleCodeExporter opened this issue May 1, 2015 · 0 comments
What steps will reproduce the problem?
1. Bundling proxy-vole in a WebStart application
* signed with a valid keystore that is trusted by an official CA
* runs with permissions "all-permissions"
2. Deploy application on a distinct server (on localhost it seems to work)
3. Start the application via its JNLP file over an SSL secured connection 
(without SSL it definitely works!)

What is the expected output? What do you see instead?
The PAC script is detected and should be executed but instead an 
(Security-)Exception is thrown on calling the "myIpAddress()" from within the 
PAC script code.

What version of the product are you using? On what operating system?
* current trunk version (r158) of proxy-vole
* Windows 7
* Java 8 (with Java 7 it works)
* SSL secured connection (with plain HTTP it works)

Please provide any additional information below.
It seems that in Java 8 under the described circumstances the calling 
JavaScript code in the PAC script does not have the privilege to call the 
System.getProperty(OVERRIDE_LOCAL_IP) and 
NetworkInterface.getNetworkInterfaces() methods anymore, that are invoked 
during the call of PacScriptMethods.myIpAddress().

Solution proposal
I propose to encapsulate the call to the method getLocalAddressOfType(...)
(from myIpAddress() and myIpAddressEx()) in a PrivilegedAction and call that 
with AccessController.doPrivileged(...) in order to restore the original 
granted privileges of the code (and not running with the reduced privileges 
from the calling JavaScript code).

Please see the attached version of PacScriptMethods including following 
modifications:
* Calls to getLocalAddressOfType(...) are wrapped in PrivilegedActions (as 
previously described)
* The IP addresses are cached, since each call takes about 2s on my machine and 
some PAC scripts call this method quite often (> 10 times)
* Before all network interfaces are looked up to determine the IP address, the 
first step is to try to resolve the localhost's IP address using 
InetAddress.getLocalHost() (like you did in older versions). This is required 
since it often delivers better results than the scan for the network 
interfaces, which delivers an arbitrary order of all interfaces (this resulted 
on some machines in returning 192.168.x.x addresses).

Original issue reported on code.google.com by [email protected] on 24 Apr 2015 at 7:49
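
The pattern proposed in the report, as an added example: this is not the attached file and not proxy-vole's own code. The class name `PrivilegedLocalIp` and the property name are assumptions; the lookup order (override property, then `InetAddress.getLocalHost()`, then the interface scan) and the caching follow the description above.

```java
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Enumeration;

/** Hypothetical stand-in for the PAC helper; not proxy-vole's PacScriptMethods. */
public class PrivilegedLocalIp {
    // Assumed property name; the issue only names the constant OVERRIDE_LOCAL_IP.
    private static final String OVERRIDE_LOCAL_IP = "example.pac.overrideLocalIP";
    private volatile String cachedIpv4; // lookups are slow, so keep the first result

    /** Entry point the PAC script engine would call. */
    public String myIpAddress() {
        String ip = cachedIpv4;
        if (ip == null) {
            // Only this fixed lookup runs with the library's own permissions: no script
            // value goes in, only an address string comes out. (Deprecated since Java 17.)
            ip = AccessController.doPrivileged((PrivilegedAction<String>) this::lookupIpv4);
            cachedIpv4 = ip;
        }
        return ip;
    }

    private String lookupIpv4() {
        String override = System.getProperty(OVERRIDE_LOCAL_IP);
        if (override != null && !override.trim().isEmpty()) return override.trim();
        try { // First ask the resolver for the local host's address.
            InetAddress local = InetAddress.getLocalHost();
            if (local instanceof Inet4Address && !local.isLoopbackAddress()) return local.getHostAddress();
        } catch (UnknownHostException e) { /* fall through to the interface scan */ }
        try { // Fallback: first IPv4 address on an interface that is up and not loopback.
            Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
            while (nics != null && nics.hasMoreElements()) {
                NetworkInterface nic = nics.nextElement();
                if (!nic.isUp() || nic.isLoopback()) continue;
                for (InetAddress a : Collections.list(nic.getInetAddresses())) {
                    if (a instanceof Inet4Address) return a.getHostAddress();
                }
            }
        } catch (SocketException e) { /* fall through to the default */ }
        return "127.0.0.1";
    }

    public static void main(String[] args) { System.out.println(new PrivilegedLocalIp().myIpAddress()); }
}
```

Keeping the privileged block limited to a constant property name and a read-only interface scan means the less-privileged script caller cannot steer what runs with the library's permissions.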
