Some users gets Security Exception: Attempted to to open a sandboxed jar as a Trusted-Library

java securityexception
KEBAN picture KEBAN · Aug 9, 2013 · Viewed 26.3k times · Source

We use applet on our application login page. Applet contains 2 classes. Jar is signed (ca certificate). Manifest file contains: "Trusted-Library: true.

It works for most of the users but some of them have problems with applet because JVM report Security Exception: Attempted to to open a sandboxed jar as a Trusted-Library.

Have you any idea why it wont work for them?

For exaple User1 has Java Plug-in 10.21.2.11 JRE version 1.7.0_21-b11 Java HotSpot(TM) Client VM. He try Firefox 21 and IE 8.0.6001.18702.

JVM report General Exception:

basic: Plugin2ClassLoader.addURL parent called for 

https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar
basic: Plugin2ClassLoader.addURL parent called for 

https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar

security: Accessing keys and certificate in Mozilla user profile: null
security: JSS is not configured
security: Blacklist revocation check is enabled
security: blacklist: created: NEED_LOAD, lastModified: 1374827364000
security: blacklist: hasBeenModifiedSince 1374827396921 (we have 1374827364000)
security: Trusted libraries list check is enabled
security: blacklist: hasBeenModifiedSince 1374827583375 (we have 1374827364000)
network: Cache entry found [url: https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar, version: null] prevalidated=false/0
cache: Adding MemoryCache entry: https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar
cache: Resource https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar has expired.
network: Connecting https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar with proxy=DIRECT
security: blacklist: hasBeenModifiedSince 1374827435937 (we have 1374827364000)
security: blacklist: hasBeenModifiedSince 1374827390640 (we have 1374827364000)
security: blacklist: hasBeenModifiedSince 1374827583375 (we have 1374827364000)
network: CleanupThread used 268961 us
network: Connecting http://www.sod.pfron.org.pl:443/ with proxy=DIRECT
security: Loading Root CA certificates from C:\Program Files\Java\jre1.7.0_21\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files\Java\jre1.7.0_21\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Program Files\Java\jre1.7.0_21\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files\Java\jre1.7.0_21\lib\security\cacerts
security: Loading Deployment SSL certificates from C:\Documents and Settings\Marek\Dane aplikacji\Sun\Java\Deployment\security\trusted.jssecerts
security: Loaded Deployment SSL certificates from C:\Documents and Settings\Marek\Dane aplikacji\Sun\Java\Deployment\security\trusted.jssecerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Check if certificate can be verified using certificates in Root CA certificate store
security: Certificate to be verified:
[
<.....>
]
security: Certificate has been verified with Root CA certificates successfully
security: Invalid certificate from HTTPS server
basic: Dialog type is not candidate for embedding
security: Saving certificates in Deployment session certificate store
security: Saved certificates in Deployment session certificate store
network: ResponseCode for https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar : 304
network: Encoding for https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar : null
network: Disconnect connection to https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar
cache: Reading Signers from 3935 https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar | C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Sun\Java\Deployment\cache\6.0\60\6283407c-46587e7d.idx
cache: Done readSigners(https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar)
cache:  Read manifest for https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar: read=273 full=273
basic: Plugin2ClassLoader.isTrustedByPolicy called 
basic: Plugin2ClassLoader.isTrustedByPolicy returns false 
security: resource name "pl/computerland/sod/prezentacja/klient/cienki/applet/JavaVersion.class" in https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar : java.lang.SecurityException: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library
security: resource name "pl/computerland/sod/prezentacja/klient/cienki/applet/JavaVersion.class" in https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar : java.lang.SecurityException: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library
basic: exception: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library.
java.lang.SecurityException: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library
    at com.sun.deploy.security.CPCallbackHandler$ParentElement.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Ignored exception: java.lang.SecurityException: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library
basic: exception: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library.
java.lang.SecurityException: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library
    at com.sun.deploy.security.CPCallbackHandler$ParentElement.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Ignored exception: java.lang.SecurityException: attempted to open sandboxed jar https://www.sod.pfron.org.pl/_applet/Logowanie_8.32.2.48.jar as a Trusted-Library
basic: Dialog type is not candidate for embedding
basic: Dialog type is not candidate for embedding
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@5dcf43
security: Reset deny session certificate store
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@1b93cf8
security: Reset deny session certificate store

Answer

bdaniliuc picture bdaniliuc · Oct 22, 2013

We have a similar problem. For us the issue was that the jre\lib\security\java.policy file on the client machine was modified with the addition of: 

grant {
    permission java.security.AllPermission;
};

If this was removed the error disappeared. Also in our test the error disappeared if we removed Trusted-Library: true, but that is not really an option considering the new Java applet rules.

We've also posted the information here https://forums.oracle.com/message/11238296#11238296 but with no reply for now.

Related questions

Java SecurityException: signer information does not match

I recompiled my classes as usual, and suddenly got the following error message. Why? How can I fix it? java.lang.SecurityException: class "Chinese_English_Dictionary"'s signer information does not match signer information of other classes in the same …

Read More
Exception in thread "main" java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Exception in thread "main" java.lang.SecurityException: Invalid signature file d igest for Manifest main attributes at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVeri fier.java:240) at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier .java:193) at java.util.jar.JarVerifier.processEntry(JarVerifier.…

Read More
java.lang.SecurityException: class "XYZ"'s signer information does not match signer information of other classes in the same package

I have an applet which runs in a browser and is called from Javascript. There are 2 classes: PortalLauncher and ParamSplitter and these are in the default package. Javascript calls a method in PortalLauncher which in turn calls a function in …

Read More