IBM Support

IV77565: JAVA.SECURITY.POLICY.GETPOLICY().GETPERMISSIONS CHECKS THE PERMISSION OF ORIGINAL PATH INSTEAD OF SYMBOLIC LINK PATH


APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    .
    Stack Trace: N/A
    .
    1) A class is loaded by a URLClassLoader (the WAS loader here
    extends URLClassLoader and uses its implementations of findClass
    and findResources) from a jar that is actually a symbolic link
    to another jar file.
    2) That class then performs a getResources call for a file that
    is contained in another jar in that URLClassLoader's classpath
    (this jar is also a symbolic link).
    3) The getResources call does not find the file.
    We have found that placing the first class's jar in the
    classpath location (so the URLClassLoader references the jar
    directly, rather than referencing the symbolic link) works
    successfully - the getResources call works, even though the jar
    it loads from is still a symbolic link.  It appears that the
    issue only manifests when the class making the call is in a
    symbolically-linked jar file, regardless of the target.
    

Local fix

Problem summary

  • As part of APAR IV69616, the active code source was normalized
    in order to convert a JAR URL to a local jar file URL. As part
    of that normalization, the canonical path of the code source
    path is taken. The normalization handles two URL protocols,
    'file' and 'jar'. For symbolic link files, the canonical path
    returns the original file path instead of the symbolic link
    path, and that causes the change in behavior in Java 6.
    

Problem conclusion

  • The JDK has been updated to restrict the normalization of the
    code source to the 'jar' URL protocol only, so the 'file' URL
    protocol continues to validate the symbolic link itself.
    .
    This APAR will be fixed in the following Java Releases:
       6    SR16 FP25 (6.0.16.25)
       6 R1 SR8 FP20  (6.1.8.20)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
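
The effect described in the problem summary and conclusion can be reproduced with `java.security.CodeSource` directly: a grant keyed to the symbolic link path stops matching once the 'file' code source is replaced by its canonical path. This is an added example, not IBM's code; the class name, the `normalize` helper and the temp-directory layout are assumptions, and it needs Java 7 or later on a filesystem that permits symbolic links.

```java
import java.io.File;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class SymlinkCodeSourceDemo {

    // Hypothetical stand-in for the normalization step: when canonicalize is
    // true, a 'file' URL is replaced by the canonical path of the file, which
    // resolves symbolic links. Other protocols are returned unchanged here.
    static URL normalize(URL location, boolean canonicalize) throws Exception {
        if (canonicalize && "file".equals(location.getProtocol())) {
            return new File(location.toURI()).getCanonicalFile().toURI().toURL();
        }
        return location;
    }

    static CodeSource codeSource(URL location) {
        // The cast selects the Certificate[] constructor (unsigned code).
        return new CodeSource(location, (Certificate[]) null);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample layout: link.jar -> real.jar in a temp directory.
        Path dir = Files.createTempDirectory("apar-demo").toRealPath();
        Path real = Files.createFile(dir.resolve("real.jar"));
        Path link = Files.createSymbolicLink(dir.resolve("link.jar"), real);

        URL linkUrl = link.toFile().toURI().toURL();

        // Equivalent of a policy entry written against the deployed path:
        //   grant codeBase "file:<dir>/link.jar" { ... };
        CodeSource granted = codeSource(linkUrl);

        // Code source as seen with 'file' canonicalization, and without it.
        CodeSource canonicalized = codeSource(normalize(linkUrl, true));
        CodeSource unmodified = codeSource(normalize(linkUrl, false));

        System.out.println("grant codeBase      : " + granted.getLocation());
        System.out.println("canonicalized source: " + canonicalized.getLocation());
        System.out.println("grant implies canonicalized source: " + granted.implies(canonicalized));
        System.out.println("grant implies unmodified source   : " + granted.implies(unmodified));
    }
}
```

When auditing policy files on an affected level, compare each `codeBase` entry against both the deployed path and its canonical target to find grants that silently stopped applying.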
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV77565

  • Reported component name

    JAVA CLASS LIBS

  • Reported component ID

    620700130

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-09-29

  • Closed date

    2016-02-04

  • Last modified date

    2016-02-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA CLASS LIBS

  • Fixed component ID

    620700130

Applicable component levels

  • R600 PSY

       UP


Document Information

Modified date:
04 February 2016