modules/graphics/src/main/java/javafx/concurrent/Task.java

Print this page
rev 8410 : RT-39421: Security exception in Service.cancel when running sandboxed applet

@@ -23,10 +23,13 @@
  * questions.
  */
 
 package javafx.concurrent;
 
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
 import javafx.application.Platform;
 import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.DoubleProperty;
 import javafx.beans.property.ObjectProperty;
 import javafx.beans.property.ReadOnlyBooleanProperty;

@@ -992,13 +995,24 @@
 
     @Override public final boolean cancel() {
         return cancel(true);
     }
 
+    // Need to assert the modifyThread permission so an app can cancel
+    // a task that it created (the default executor for the service runs in
+    // its own thread group)
+    // Note that this is needed when running as an applet or a web start app.
+    private static final Permission modifyThreadPerm = new RuntimePermission("modifyThread");
+
     @Override public boolean cancel(boolean mayInterruptIfRunning) {
         // Delegate to the super implementation to actually attempt to cancel this thing
-        boolean flag = super.cancel(mayInterruptIfRunning);
+        // Assert the modifyThread permission
+        boolean flag = AccessController.doPrivileged(
+            (PrivilegedAction<Boolean>) () -> super.cancel(mayInterruptIfRunning),
+            null,
+            modifyThreadPerm);
+
         // If cancel succeeded (according to the semantics of the Future cancel method),
         // then we need to make sure the State flag is set appropriately
         if (flag) {
             // If this method was called on the FX application thread, then we can
             // just update the state directly and this will make sure that after