Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Java Development

Reply
Contributor
Posts: 20
Registered: ‎04-19-2010
My Device: supporting 4.6 upwards
My Carrier: any
Accepted Solution

SecurityException when calling Connector.open()

I'm developing a client application which uses the REST API of the corresponding server application, which is build by our company.

 

We are targeting devices with system software 4.5 and up, although we may drop support for 4.5 in the near future and making 4.6 the new lower limit. Currently, dropping support for anything below 5.0 altogether is not an opption for us as we are urged to support devices which are actually in use.

 

Therefore, I'm building with the SDK version 4.5.0.28, but I also tried with 4.6.0.23 and got the same results.

 

The current REST API of our server application uses GET, POST and DELETE requests, so I had to use SocketConnection and build my own HTTP handling code to implement the DELETE method.

 

There are different instances of the server application (testing, staging, productive) with different hostnames, but for the standard use case from the end user point of view the app would stick with one host. Therefore I designed the code, which handles the application permissions related with network access, to just ask for the permission to access the currently configured host (-> getPermission(permission, domainname)).

 

Upto now, I used mostly just one host for the tests. I switched once the host when I had to use a host with a newer version of the server application software. Despite of carrier/network related issues I had never any problems to access the hosts.

 

But now, while testing the new code I suddenly ran into unexpected trouble.

 

At one point, I changed the hostname to use another server host and since then, I get a SecurityException whenever Connector.open() for a https-URL is called. I even get it after changing back to the previous hostname. The reason string is just "Permission denied".

 

I checked so far:

  • This is not a ControlledAccessException. I checked both, but only SecurityException got catched.
  • The ApplicationPermission API returns true when I check the permissions. The permissions are checked at startup and the permission request dialog is shown if they are not appropriate. They are also checked before trying network access via a specific transport.
  • The firewall seems not to be related: this Exception is thrown even than the firewall is disabled.
  • I'm currently testing with a Bold 9000 and software version 4.6 and a Torch 9800 with software version 6.0. The Bold is connected with a BES and the IT Policies don't allow me to disable the firewall. The Torch is "standalone" and the firewall is disabled by default.
  • I tried this with a Torch Simulator and found that it will work when I disable "device security". The Exception is also thrown in the simulator when I enable it (and running the signed app).
  • I compared the *.csl files of earlier builds with the current build and found no missing entries.
  • I changed my code to ask for network access permissions without limiting it to some specific domain.
  • I deleted the app on the devices and installed it again - and still get the same result.

I find it rather suspicious, that I don't get the usual "application requests to establish a https connection" dialog when I use the https-URL.

 

I actually get the similar dialog when I change the code to use the SocketConnection for GET using a ssl-URL. The network access even works in this case, but my HTTP implementation is still too rudimentary to be useful for this case.

 

So, my question is: What may trigger this SecurityException? Which component actually does "deny the permission"?

 

And may be related: Is the permission to access a specific server via http/https or socket/ssl stored somewhere on the device in a way that it will even survive the de-installation of the corresponding app?

 

Am I looking in the wrong direction and there is something other going on here?

 

I would appreciate any help to get this case solved.

 

Thanks in advance,

webbasan.

 

Senior Software Engineer
Lindenbaum GmbH
http://www.lindenbaum.eu/
Contributor
Posts: 20
Registered: ‎04-19-2010
My Device: supporting 4.6 upwards
My Carrier: any

Re: SecurityException when calling Connector.open()

I did some more elaboration on this subject.

 

I could reproduce this behaviour in the simulators for 9700 / 5.0.0.400 T-MobileEU and 9800 / 6.0.0.284:

 

  • When I start the simulators without device security and with MDS-CS, I get network access as expected: everything works as intended.
  • When I start the simulators with device security enabled and with MDS-CS, I get the SecurityException when calling Connector.open()!
  • Not enough: additionally, when I start the simulators with "Reset file system on startup" and "Reset NVRAM on startup" and MDS-CS, the simulator behaves as if it has no connection to the MDS and therefore can't connect to the internet.
    Afterwards, the simulators are broken - they never get a connection to the MDS-CS again, even if those two flags are reset to disabled state!!!

PLEASE! Is anybody out there, who can explain this to me and tell me how I can work around this issue???

 

Thanks in advance!

webbasan.

 

Senior Software Engineer
Lindenbaum GmbH
http://www.lindenbaum.eu/
Highlighted
BlackBerry Development Advisor
Posts: 15,693
Registered: ‎07-09-2008
My Device: BlackBerry PRIV
My Carrier: Bell

Re: SecurityException when calling Connector.open()

How was the application loaded on the BlackBerry Smartphone?
Mark Sohm
BlackBerry Development Advisor

Please refrain from posting new questions in solved threads.
Problem solved? Click the Accept As Solution button.
Found a bug? Report it using Issue Tracker
Contributor
Posts: 20
Registered: ‎04-19-2010
My Device: supporting 4.6 upwards
My Carrier: any

Re: SecurityException when calling Connector.open()

[ Edited ]

I'm using mostly the Desktop Manager to deploy the application during testing. But some of my "Beta-Testers" get it via OTA.

 

But I found the real cause yesterday: due to some changes at another place, I got uppercase scheme names when creating the connection URLs.

 

Unfortunately, this "SecurityException: Permission denied" message doesn't point to the real issue, therefore I was searching at the wrong places.

 

Why not throwing an IllegalArgumentException instead? Accepting uppercase scheme names would be another option, as this is the recommended behaviour by the corresponding RFCs. (Ok, the RFC also states that a client should use lowercase scheme names, so this would direct the issue again at me. But then again - a correct description of the real cause would help very much...)

 

After all I found during this bug-hunt that HttpConnection actually does accept "DELETE" even with the SDKs for 4.5 and 4.6. At least enough that it works for my use cases. So my own SocketConnection based HTTP implementation wasn't so much necessary after all...

 

Thank you for giving some feedback after all!

webbasan.

 

 

P.S.: If somebody would just look into my other big show-stopper and could give me some feedback, I would be glad:

http://supportforums.blackberry.com/t5/Java-Development/PIM-calendar-handling-How-do-I-get-the-corre... (see also: JAVAAPI-1701).

Senior Software Engineer
Lindenbaum GmbH
http://www.lindenbaum.eu/