RFC: Proxy support for IcedTea Java Plugin
Deepak Bhole
dbhole at redhat.com
Fri Mar 13 14:55:03 PDT 2009
Hi,
Attached patch adds proxy support to the IcedTea plugin.
With this patch, the plugin can now read proxy settings from the browser
and use those to connect to the remote server for fetching jars,
applet communication (SOCKS proxy), etc. The patch also adds support
for proxy (and web) servers that require http authentication by
displaying a credential input dialog to the user.
Initially I also started adding support for fetching cached authentication
information from mozilla directly, but then I decided to disable it as
it felt like a security risk to pass usernames/passwords over a FIFO
pipe. If the communication system is changed in the future, that code
can be enabled again. It is about 80% done.
In addition, there are a few minor fixes here and there -- see ChangeLog
diff for more details.
Please let me know if you find any problems.
Thanks!
Deepak
-------------- next part --------------
diff -r ebdc89c68af2 ChangeLog
--- a/ChangeLog Fri Mar 13 17:02:59 2009 -0400
+++ b/ChangeLog Fri Mar 13 17:44:03 2009 -0400
@@ -1,3 +1,26 @@
+2009-03-13 Deepak Bhole <dbhole at redhat.com>
+
+ * IcedTeaPlugin.cc: Incremented timeout to 3 minutes. Added functions to
+ process proxy and auth info requests (the latter is unused).
+ * plugin/icedtea/sun/applet/PasswordAuthenticationDialog.java: New file.
+ Displays a username/password input dialog to users for sites and proxies
+ requiring http auth.
+ * plugin/icedtea/sun/applet/PluginAppletViewer.java: Fix wait mechanism to
+ detect applet initialization failures correctly. Add support for
+ requesting proxy information from the browser.
+ * plugin/icedtea/sun/applet/PluginCallRequestFactory.java: Add support for
+ PluginProxyInfoRequest objects.
+ * plugin/icedtea/sun/applet/PluginMain.java: Wire in custom authenticator
+ and proxy selector.
+ * plugin/icedtea/sun/applet/PluginProxyInfoRequest.java: New file. Object
+ representing proxy information request from browser.
+ * plugin/icedtea/sun/applet/PluginProxySelector.java: Custom proxy
+ selector that requests information from browser and uses it.
+ * plugin/icedtea/sun/applet/PluginStreamHandler.java: Improve handling
+ code for "plugin specific" messages on the wire.
+ * rt/net/sourceforge/jnlp/NetxPanel.java: Add support for improved
+ initialization failure detection.
+
2009-03-13 Omair Majid <omajid at redhat.com>
* patches/icedtea-jtreg-6592792.patch: New file. Makes the
diff -r ebdc89c68af2 IcedTeaPlugin.cc
--- a/IcedTeaPlugin.cc Fri Mar 13 17:02:59 2009 -0400
+++ b/IcedTeaPlugin.cc Fri Mar 13 17:44:04 2009 -0400
@@ -85,7 +85,7 @@
// #14 0x0153fdbf in ProxyJNIEnv::CallObjectMethod (env=0xa8b8040, obj=0x9dad690, methodID=0xa0ed070) at ProxyJNI.cpp:641
// timeout (in seconds) for various calls to java side
-#define TIMEOUT 20
+#define TIMEOUT 180
#define NOT_IMPLEMENTED() \
PLUGIN_DEBUG_1ARG ("NOT IMPLEMENTED: %s\n", __PRETTY_FUNCTION__)
@@ -1007,6 +1007,8 @@
nsresult StartAppletviewer ();
void ProcessMessage();
void ConsumeMsgFromJVM();
+ nsresult GetAuthInfo(const char* scheme, const char* host, PRUint32 port, const char* type, const char* realm, char** user, char** pass);
+ nsresult GetProxyInfo(const char* siteAddr, char** proxyScheme, char** proxyHost, char** proxyPort);
nsCOMPtr<IcedTeaEventSink> sink;
nsCOMPtr<nsISocketTransport> transport;
nsCOMPtr<nsIProcess> applet_viewer_process;
@@ -1792,7 +1794,7 @@
NS_IMETHODIMP
IcedTeaPluginFactory::Show (void)
{
- nsCString msg("showconsole");
+ nsCString msg("plugin showconsole");
this->SendMessageToAppletViewer(msg);
return NS_OK;
}
@@ -1800,7 +1802,7 @@
NS_IMETHODIMP
IcedTeaPluginFactory::Hide (void)
{
- nsCString msg("hideconsole");
+ nsCString msg("plugin hideconsole");
this->SendMessageToAppletViewer(msg);
return NS_OK;
}
@@ -2658,6 +2660,130 @@
return factory->GetJavaObject (instance_identifier, object);
}
+#include <nsIDNSRecord.h>
+#include <nsIDNSService.h>
+#include <nsIHttpAuthManager.h>
+#include <nsIProxyInfo.h>
+#include <nsIProtocolProxyService.h>
+#include <nsILoginManager.h>
+#include <nsILoginInfo.h>
+
+/**
+ *
+ * Returns the proxy information for the given url
+ *
+ * The proxy query part of this function can be made much smaller by using
+ * nsIPluginManager2::FindProxyForURL() .. however, because we need to parse
+ * the return components in various ways, it is easier to query
+ * nsIProtocolProxyService directly
+ *
+ * @param siteAddr The URL to check
+ * @param proxyScheme Return parameter containing the proxy URI scheme (http/socks/etc.)
+ * @param proxyHost Return parameter containing the proxy host
+ * @param proxyPort Return parameter containing the proxy port
+ */
+
+NS_IMETHODIMP
+IcedTeaPluginFactory::GetProxyInfo(const char* siteAddr, char** proxyScheme, char** proxyHost, char** proxyPort)
+{
+ nsresult rv;
+
+ // Initialize service variables
+ nsCOMPtr<nsIProtocolProxyService> proxy_svc = do_GetService(NS_PROTOCOLPROXYSERVICE_CONTRACTID, &rv);
+
+ if (!proxy_svc) {
+ printf("Cannot initialize proxy service\n");
+ return rv;
+ }
+
+ nsCOMPtr<nsIIOService> io_svc = do_GetService(NS_IOSERVICE_CONTRACTID, &rv);
+
+ if (NS_FAILED(rv) || !io_svc) {
+ printf("Cannot initialize io service\n");
+ return NS_ERROR_FAILURE;
+ }
+
+ // uri which needs to be accessed
+ nsCOMPtr<nsIURI> uri;
+ io_svc->NewURI(nsCString(siteAddr), NULL, NULL, getter_AddRefs(uri));
+
+ // find the proxy address if any
+ nsCOMPtr<nsIProxyInfo> info;
+ proxy_svc->Resolve(uri, 0, getter_AddRefs(info));
+
+ // if there is no proxy found, return immediately
+ if (!info) {
+ PLUGIN_DEBUG_1ARG("%s does not need a proxy\n", siteAddr);
+ return NS_ERROR_FAILURE;
+ }
+
+ // if proxy info is available, extract it
+ nsCString phost;
+ PRInt32 pport;
+ nsCString ptype;
+
+ info->GetHost(phost);
+ info->GetPort(&pport);
+ info->GetType(ptype);
+
+ // resolve the proxy address to an IP
+ nsCOMPtr<nsIDNSService> dns_svc = do_GetService(NS_DNSSERVICE_CONTRACTID, &rv);
+
+ if (!dns_svc) {
+ printf("Cannot initialize DNS service\n");
+ return rv;
+ }
+
+ nsCOMPtr<nsIDNSRecord> record;
+ dns_svc->Resolve(phost, 0U, getter_AddRefs(record));
+
+ // TODO: Add support for multiple ips
+ nsDependentCString ipAddr;
+ record->GetNextAddrAsString(ipAddr);
+
+ // pack information in return variables
+ snprintf(*proxyScheme, sizeof(char)*32, "%s", ptype.get());
+ snprintf(*proxyHost, sizeof(char)*64, "%s", ipAddr.get());
+ snprintf(*proxyPort, sizeof(char)*8, "%d", pport);
+
+ PLUGIN_DEBUG_4ARG("Proxy info for %s: %s %s %s\n", siteAddr, *proxyScheme, *proxyHost, *proxyPort);
+
+ return NS_OK;
+}
+
+/**
+ * Returns cached http auth info for given URL
+ *
+ * This function is currently unused due to possible security issues with
+ * passing auth info to java over a FIFO pipe
+ *
+ * @param scheme Scheme of the site being accessed
+ * @param host Host of the site
+ * @param type Type of authentication used (basic, digest, etc.)
+ * @param realm The authentication realm
+ * @param user Return paramater with username for the site
+ * @param pass Return paramater with password for the site
+ *
+ */
+
+NS_IMETHODIMP
+IcedTeaPluginFactory::GetAuthInfo(const char* scheme, const char* host, PRUint32 port, const char *type, const char* realm, char** user, char** pass)
+{
+ nsresult rv;
+ nsCOMPtr<nsIHttpAuthManager> http_auth_man = do_GetService(NS_HTTPAUTHMANAGER_CONTRACTID, &rv);
+ nsDependentCString schemeStr(scheme);
+ nsDependentCString hostStr(host);
+ nsDependentCString typeStr(type);
+ nsDependentCString realmStr(realm);
+ nsDependentCString pathStr("");
+ nsAutoString domainString, username, password;
+
+ http_auth_man->GetAuthIdentity ( schemeStr , hostStr , port , typeStr , realmStr , pathStr , domainString, username, password );
+
+ *user = ToNewUTF8String(username);
+ *pass = ToNewUTF8String(password);
+ PLUGIN_DEBUG_3ARG("Authinfo: %s %s %s\n", domainString.get(), ToNewUTF8String(username), ToNewUTF8String(password));
+}
NS_IMETHODIMP
IcedTeaPluginInstance::GetCookie(const char* siteAddr, char** cookieString)
@@ -2677,8 +2803,8 @@
return NS_ERROR_FAILURE;
}
- nsIURI *uri;
- io_svc->NewURI(nsCString(siteAddr), NULL, NULL, &uri);
+ nsCOMPtr<nsIURI> uri;
+ io_svc->NewURI(nsCString(siteAddr), NULL, NULL, getter_AddRefs(uri));
nsCOMPtr<nsICookieService> cookie_svc = do_GetService(NS_COOKIESERVICE_CONTRACTID, &rv);
@@ -2902,6 +3028,13 @@
nsDependentCSubstring prefix(pch, strlen(pch));
pch = strtok (NULL, " ");
PRUint32 identifier = nsDependentCSubstring(pch, strlen(pch)).ToInteger (&conversionResult);
+
+ /* Certain prefixes may not have an identifier. if they don't. we have a command here */
+ nsDependentCSubstring command;
+ if (NS_FAILED(conversionResult)) {
+ command.Rebind(pch, strlen(pch));
+ }
+
PRUint32 reference = -1;
if (strstr(message.get(), "reference") != NULL) {
@@ -2910,8 +3043,11 @@
reference = nsDependentCSubstring(pch, strlen(pch)).ToInteger (&conversionResult);
}
- pch = strtok (NULL, " ");
- nsDependentCSubstring command(pch, strlen(pch));
+ if (command.Length() == 0) {
+ pch = strtok (NULL, " ");
+ command.Rebind(pch, strlen(pch));
+ }
+
pch = strtok (NULL, " ");
nsDependentCSubstring rest("", 0);
@@ -3344,6 +3480,134 @@
// Do nothing for: SetStaticField, SetField, ExceptionClear,
// DeleteGlobalRef, DeleteLocalRef
}
+ else if (prefix == "plugin")
+ {
+
+ /* This is currently unimplemented on the java side due to potential security implications of passing user info over a FIFO */
+
+ if (command == "GetAuthInfo") {
+
+ // First, decode the info (it arrives encoded in UTF-8 from java side)
+ nsCString authRequest("");
+
+ // Read byte stream into return value.
+ PRUint32 offset = 0;
+ PRUint32 previousOffset = 0;
+
+ // decode the message
+ offset = rest.FindChar (' ');
+ int length = Substring (rest, 0,
+ offset).ToInteger (&conversionResult);
+ PLUGIN_CHECK ("parse integer", conversionResult);
+
+ for (int i = 0; i < length; i++)
+ {
+ previousOffset = offset + 1;
+ offset = rest.FindChar (' ', previousOffset);
+ authRequest += static_cast<char>
+ (Substring (rest, previousOffset,
+ offset - previousOffset).ToInteger (&conversionResult, 16));
+ if (NS_FAILED(conversionResult))
+ PLUGIN_DEBUG_0ARG("Integer parse failed for authinfo request");
+ }
+
+ PLUGIN_DEBUG_1ARG ("PLUGIN GOT RETURN UTF-8 STRING: %s\n", authRequest.get ());
+
+ // parse decoded request
+ char msg[authRequest.Length()];
+ strcpy(msg, authRequest.get());
+
+ pch = strtok (msg, " ");
+ nsDependentCSubstring scheme(pch, strlen(pch));
+ pch = strtok (NULL, " ");
+ nsDependentCSubstring host(pch, strlen(pch));
+ pch = strtok (NULL, " ");
+ PRUint32 port = nsDependentCSubstring(pch, strlen(pch)).ToInteger(&conversionResult);
+ pch = strtok (NULL, " ");
+ nsDependentCSubstring type(pch, strlen(pch));
+ pch = strtok (NULL, " ");
+
+ nsDependentCSubstring realm("", 0);
+ while (pch != NULL) {
+ realm += pch;
+ pch = strtok (NULL, " ");
+
+ if (pch != NULL)
+ realm += " ";
+ }
+
+ // fetch the information
+ char* user;
+ char* pw;
+
+ GetAuthInfo(((nsCString) scheme).get(), ((nsCString) host).get(), port, ((nsCString) type).get(), ((nsCString) realm).get(), &user, &pw);
+
+ PLUGIN_DEBUG_2ARG("Auth info acquired: %s %s", user, pw);
+
+ nsCString authInfo;
+ authInfo += scheme;
+ authInfo += "://";
+ authInfo += user;
+ authInfo += ":";
+ authInfo += pw;
+ authInfo += "@";
+ authInfo += host;
+
+ nsresult rv;
+ nsCOMPtr<nsINetUtil> net_util = do_GetService(NS_NETUTIL_CONTRACTID, &rv);
+
+ if (!net_util)
+ printf("Error instantiating NetUtil service.\n");
+
+ // FIXME: We should probably use byte encoding instead of encoding as a URL
+ nsCString encodedAuthInfo;
+ net_util->EscapeString(authInfo, 0, encodedAuthInfo);
+
+ nsCString toSend("plugin AuthInfo");
+ toSend += encodedAuthInfo;
+
+ SendMessageToAppletViewer(toSend);
+
+ } else if (command == "PluginProxyInfo") {
+
+ nsresult rv;
+ nsCOMPtr<nsINetUtil> net_util = do_GetService(NS_NETUTIL_CONTRACTID, &rv);
+
+ if (!net_util)
+ printf("Error instantiating NetUtil service.\n");
+
+ // decode the url
+ nsDependentCSubstring url;
+ net_util->UnescapeString(rest, 0, url);
+
+ char* proxyScheme = (char*) malloc(sizeof(char)*32);
+ char* proxyHost = (char*) malloc(sizeof(char)*64);
+ char* proxyPort = (char*) malloc(sizeof(char)*8);
+
+ nsCString proxyInfo("plugin PluginProxyInfo ");
+
+ // get proxy info
+ if (GetProxyInfo(((nsCString) url).get(), &proxyScheme, &proxyHost, &proxyPort) == NS_OK)
+ {
+ proxyInfo += proxyScheme;
+ proxyInfo += " ";
+ proxyInfo += proxyHost;
+ proxyInfo += " ";
+ proxyInfo += proxyPort;
+
+ PLUGIN_DEBUG_4ARG("Proxy for %s is %s %s %s\n", ((nsCString) url).get(), proxyScheme, proxyHost, proxyPort);
+ } else {
+ PLUGIN_DEBUG_1ARG("No suitable proxy found for %s\n", ((nsCString) url).get());
+ }
+
+ // send back what we found
+ SendMessageToAppletViewer (proxyInfo);
+
+ // free allocated memory
+ delete proxyScheme, proxyHost, proxyPort;
+
+ }
+ }
}
void IcedTeaPluginFactory::ProcessMessage ()
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PasswordAuthenticationDialog.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/plugin/icedtea/sun/applet/PasswordAuthenticationDialog.java Fri Mar 13 17:44:04 2009 -0400
@@ -0,0 +1,241 @@
+/* PasswordAuthenticationDialog -- requests authentication information from users
+ Copyright (C) 2009 Red Hat
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package sun.applet;
+
+import java.awt.Dimension;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.awt.Insets;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.net.PasswordAuthentication;
+
+import javax.swing.JButton;
+import javax.swing.JDialog;
+import javax.swing.JLabel;
+import javax.swing.JPasswordField;
+import javax.swing.JTextField;
+import javax.swing.SwingUtilities;
+
+/**
+ * Modal non-minimizable dialog to request http authentication credentials
+ */
+
+public class PasswordAuthenticationDialog extends JDialog {
+
+ private JLabel jlInfo = new JLabel("");
+ private JTextField jtfUserName = new JTextField();
+ private JPasswordField jpfPassword = new JPasswordField();
+ private boolean userCancelled;
+
+ public PasswordAuthenticationDialog() {
+ initialize();
+ }
+
+ /**
+ * Initialized the dialog components
+ */
+
+ public void initialize() {
+
+ setTitle("IcedTea Java Plugin - Authorization needed to proceed");
+
+ setLayout(new GridBagLayout());
+
+ JLabel jlUserName = new JLabel("Username: ");
+ JLabel jlPassword = new JLabel("Password: ");
+ JButton jbOK = new JButton("OK");
+ JButton jbCancel = new JButton("Cancel");
+
+ jtfUserName.setSize(20, 10);
+ jpfPassword.setSize(20, 10);
+
+ GridBagConstraints c;
+
+ c = new GridBagConstraints();
+ c.fill = c.HORIZONTAL;
+ c.gridx = 0;
+ c.gridy = 0;
+ c.gridwidth = 2;
+ c.insets = new Insets(10, 5, 3, 3);
+ add(jlInfo, c);
+
+ c = new GridBagConstraints();
+ c.gridx = 0;
+ c.gridy = 1;
+ c.insets = new Insets(10, 5, 3, 3);
+ add(jlUserName, c);
+
+ c = new GridBagConstraints();
+ c.fill = c.HORIZONTAL;
+ c.gridx = 1;
+ c.gridy = 1;
+ c.insets = new Insets(10, 5, 3, 3);
+ c.weightx = 1.0;
+ add(jtfUserName, c);
+
+
+ c = new GridBagConstraints();
+ c.gridx = 0;
+ c.gridy = 2;
+ c.insets = new Insets(5, 5, 3, 3);
+ add(jlPassword, c);
+
+ c = new GridBagConstraints();
+ c.fill = c.HORIZONTAL;
+ c.gridx = 1;
+ c.gridy = 2;
+ c.insets = new Insets(5, 5, 3, 3);
+ c.weightx = 1.0;
+ add(jpfPassword, c);
+
+ c = new GridBagConstraints();
+ c.anchor = c.SOUTHEAST;
+ c.gridx = 1;
+ c.gridy = 3;
+ c.insets = new Insets(5, 5, 3, 70);
+ c.weightx = 0.0;
+ add(jbCancel, c);
+
+ c = new GridBagConstraints();
+ c.anchor = c.SOUTHEAST;
+ c.gridx = 1;
+ c.gridy = 3;
+ c.insets = new Insets(5, 5, 3, 3);
+ c.weightx = 0.0;
+ add(jbOK, c);
+
+ setMinimumSize(new Dimension(400,150));
+ setMaximumSize(new Dimension(1024,150));
+ setAlwaysOnTop(true);
+
+ setSize(400,150);
+ setLocationRelativeTo(null);
+
+ // OK => read supplied info and pass it on
+ jbOK.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ userCancelled = false;
+ dispose();
+ }
+ });
+
+ // Cancel => discard supplied info and pass on an empty auth
+ jbCancel.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ userCancelled = true;
+ dispose();
+ }
+ });
+
+ // "return" key in either user or password field => OK
+
+ jtfUserName.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ userCancelled = false;
+ dispose();
+ }
+ });
+
+ jpfPassword.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ userCancelled = false;
+ dispose();
+ }
+ });
+ }
+
+ /**
+ * Present a dialog to the user asking them for authentication information
+ *
+ * @param hostThe host for with authentication is needed
+ * @param port The port being accessed
+ * @param prompt The prompt (realm) as presented by the server
+ * @param type The type of server (proxy/web)
+ * @return PasswordAuthentication containing the credentials (empty credentials if user cancelled)
+ */
+ protected PasswordAuthentication askUser(String host, int port, String prompt, String type) {
+ PasswordAuthentication auth = null;
+
+ host += port != -1 ? ":" + port : "";
+
+ // This frame is reusable. So reset everything first.
+ userCancelled = true;
+ jlInfo.setText("<html>The " + type + " server at " + host + " is requesting authentication. It says \"" + prompt + "\"</html>");
+
+ try {
+ SwingUtilities.invokeAndWait( new Runnable() {
+ public void run() {
+ // show dialog to user
+ setVisible(true);
+ }
+ });
+
+ PluginDebug.debug("password dialog shown");
+
+ // wait until dialog is gone
+ while (this.isShowing()) {
+ try {
+ Thread.sleep(200);
+ } catch (InterruptedException ie) {
+ }
+ }
+
+ PluginDebug.debug("password dialog closed");
+
+ if (!userCancelled) {
+ auth = new PasswordAuthentication(jtfUserName.getText(), jpfPassword.getText().toCharArray());
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+
+ // Nothing else we can do. Empty auth will be returned
+ }
+
+ return auth;
+ }
+
+ public static void main(String[] args) {
+ PasswordAuthenticationDialog frame = new PasswordAuthenticationDialog();
+
+ PasswordAuthentication auth = frame.askUser("127.0.0.1", 3128, "Password for local proxy", "proxy");
+
+ System.err.println("Auth info: " + auth.getUserName() + ":" + new String(auth.getPassword()));
+ System.exit(0);
+ }
+}
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PluginAppletViewer.java
--- a/plugin/icedtea/sun/applet/PluginAppletViewer.java Fri Mar 13 17:02:59 2009 -0400
+++ b/plugin/icedtea/sun/applet/PluginAppletViewer.java Fri Mar 13 17:44:04 2009 -0400
@@ -87,6 +87,7 @@
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.SocketPermission;
+import java.net.URI;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
@@ -99,14 +100,14 @@
import javax.swing.SwingUtilities;
-import com.sun.jndi.toolkit.url.UrlUtil;
-
import net.sourceforge.jnlp.NetxPanel;
import net.sourceforge.jnlp.runtime.JNLPClassLoader;
import sun.awt.AppContext;
import sun.awt.SunToolkit;
import sun.awt.X11.XEmbeddedFrame;
import sun.misc.Ref;
+
+import com.sun.jndi.toolkit.url.UrlUtil;
/**
* Lets us construct one using unix-style one shot behaviors
@@ -177,7 +178,7 @@
private static PluginCallRequestFactory requestFactory;
private static HashMap<Integer, String> siteCookies = new HashMap<Integer,String>();
-
+
private double proposedHeightFactor;
private double proposedWidthFactor;
@@ -309,7 +310,7 @@
// Wait for the panel to initialize
// (happens in a separate thread)
Applet a;
- while ((a = panel.getApplet()) == null && panel.getAppletHandlerThread().isAlive()) {
+ while ((a = panel.getApplet()) == null && ((NetxPanel) panel).isAlive()) {
try {
Thread.sleep(2000);
PluginDebug.debug("Waiting for applet to initialize... ");
@@ -493,7 +494,7 @@
// Wait for the panel to initialize
// (happens in a separate thread)
- while ((o = panel.getApplet()) == null && panel.getAppletHandlerThread().isAlive()) {
+ while ((o = panel.getApplet()) == null && ((NetxPanel) panel).isAlive()) {
try {
Thread.sleep(2000);
PluginDebug.debug("Waiting for applet to initialize...");
@@ -1005,6 +1006,49 @@
return request.getObject();
}
+ public static Object requestPluginProxyInfo(URI uri) {
+
+ String requestURI = null;
+
+ try {
+
+ // there is no easy way to get SOCKS proxy info. So, we tell mozilla that we want proxy for
+ // an HTTP uri in case of non http/ftp protocols. If we get back a SOCKS proxy, we can
+ // use that, if we get back an http proxy, we fallback to DIRECT connect
+
+ String scheme = uri.getScheme();
+ String port = uri.getPort() != -1 ? ":" + uri.getPort() : "";
+ if (!uri.getScheme().startsWith("http") && !uri.getScheme().equals("ftp"))
+ scheme = "http";
+
+ requestURI = UrlUtil.encode(scheme + "://" + uri.getHost() + port + "/" + uri.getPath(), "UTF-8");
+ } catch (Exception e) {
+ PluginDebug.debug("Cannot construct URL from " + uri.toString() + " ... falling back to DIRECT proxy");
+ e.printStackTrace();
+ return null;
+ }
+
+ PluginCallRequest request = requestFactory.getPluginCallRequest("proxyinfo",
+ "plugin PluginProxyInfo " + requestURI,
+ "plugin");
+ streamhandler.postCallRequest(request);
+ streamhandler.write(request.getMessage());
+ try {
+ PluginDebug.debug ("wait call request 1");
+ synchronized(request) {
+ PluginDebug.debug ("wait call request 2");
+ while (request.isDone() == false)
+ request.wait();
+ PluginDebug.debug ("wait call request 3");
+ }
+ } catch (InterruptedException e) {
+ throw new RuntimeException("Interrupted waiting for call request.",
+ e);
+ }
+ PluginDebug.debug (" Call DONE");
+ return request.getObject();
+ }
+
public static void JavaScriptFinalize(long internal)
{
// Prefix with dummy instance for convenience.
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PluginCallRequestFactory.java
--- a/plugin/icedtea/sun/applet/PluginCallRequestFactory.java Fri Mar 13 17:02:59 2009 -0400
+++ b/plugin/icedtea/sun/applet/PluginCallRequestFactory.java Fri Mar 13 17:44:04 2009 -0400
@@ -49,7 +49,9 @@
return new VoidPluginCallRequest(message, returnString);
} else if (id == "window") {
return new GetWindowPluginCallRequest(message, returnString);
- } else {
+ } else if (id == "proxyinfo") {
+ return new PluginProxyInfoRequest(message, returnString);
+ } else {
throw new RuntimeException ("Unknown plugin call request type requested from factory");
}
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PluginMain.java
--- a/plugin/icedtea/sun/applet/PluginMain.java Fri Mar 13 17:02:59 2009 -0400
+++ b/plugin/icedtea/sun/applet/PluginMain.java Fri Mar 13 17:44:04 2009 -0400
@@ -67,15 +67,17 @@
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
-import java.net.Socket;
+import java.net.Authenticator;
+import java.net.PasswordAuthentication;
+import java.net.ProxySelector;
import java.util.Enumeration;
+import java.util.HashMap;
import java.util.Properties;
+import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
-
-import javax.net.ssl.HttpsURLConnection;
import net.sourceforge.jnlp.security.VariableX509TrustManager;
@@ -212,6 +214,10 @@
System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
e.printStackTrace();
}
+
+ // plug in a custom authenticator and proxy selector
+ Authenticator.setDefault(new CustomAuthenticator());
+ ProxySelector.setDefault(new PluginProxySelector());
}
static boolean messageAvailable() {
@@ -220,6 +226,67 @@
static String getMessage() {
return streamHandler.getMessage();
+ }
+
+ static class CustomAuthenticator extends Authenticator {
+
+ public PasswordAuthentication getPasswordAuthentication() {
+
+ // No security check is required here, because the only way to
+ // set parameters for which auth info is needed
+ // (Authenticator:requestPasswordAuthentication()), has a security
+ // check
+
+ String type = this.getRequestorType() == RequestorType.PROXY ? "proxy" : "web";
+
+ // request auth info from user
+ PasswordAuthenticationDialog pwDialog = new PasswordAuthenticationDialog();
+ PasswordAuthentication auth = pwDialog.askUser(this.getRequestingHost(), this.getRequestingPort(), this.getRequestingPrompt(), type);
+
+ // send it along
+ return auth;
+
+ /*
+ * The below was intended to fetch authinfo from mozilla directly.
+ * However, it has been temporarily disabled due to the security
+ * implications of passing sensitive info over a FIFO pipe. Should
+ * the transfer mechanism become more secure in the future, the
+ * code can be uncommented and completed (it is 80% done, with
+ * full support on the c++ side -- only the authinfo
+ * reception/processing needs to be added on Java side)
+ *
+ */
+
+ /*
+
+ PasswordAuthentication proxyAuth = new PasswordAuthentication("", new char[] {});
+
+ try {
+ String msg = "plugin GetAuthInfo ";
+
+ byte[] b = null;
+
+ String msgToEncode = this.getRequestingProtocol() + " " + this.getRequestingHost() + " " + this.getRequestingPort() + " " + this.getRequestingScheme() + " " + this.getRequestingPrompt();
+
+ b = msgToEncode.getBytes("UTF-8");
+
+ StringBuffer buf = new StringBuffer(b.length * 2);
+ buf.append(b.length);
+
+ for (int i = 0; i < b.length; i++) {
+ buf.append(" " + Integer.toString(((int) b[i]) & 0x0ff, 16));
+ }
+
+ msg += buf.toString();
+
+ streamHandler.write(msg);
+
+ return proxyAuth;
+ } catch (UnsupportedEncodingException uee) {
+ return proxyAuth;
+ }
+ */
+ }
}
/**
@@ -264,7 +331,9 @@
@Override
public void write(byte[] buf, int off, int len) {
logFile.write(buf, off, len);
- super.write(buf, off, len);
+
+ if (!redirectStreams)
+ super.write(buf, off, len);
}
@Override
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PluginProxyInfoRequest.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/plugin/icedtea/sun/applet/PluginProxyInfoRequest.java Fri Mar 13 17:44:04 2009 -0400
@@ -0,0 +1,85 @@
+/* PluginProxyInfoRequest -- Object representing a request for proxy information from the browser
+ Copyright (C) 2009 Red Hat
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package sun.applet;
+
+import java.net.MalformedURLException;
+import java.net.URI;
+
+/**
+ * This class represents a request object for proxy information for a given URI
+ */
+
+public class PluginProxyInfoRequest extends PluginCallRequest {
+
+ URI internal = null;
+
+ public PluginProxyInfoRequest(String message, String returnString) {
+ super(message, returnString);
+ }
+
+ public void parseReturn(String proxyInfo) {
+
+ // try to parse the proxy information. If things go wrong, do nothing ..
+ // this will keep internal = null which forces a direct connection
+
+ PluginDebug.debug ("PluginProxyInfoRequest GOT: " + proxyInfo);
+ String[] messageComponents = proxyInfo.split(" ");
+
+ try {
+ internal = new URI(messageComponents[2], null, messageComponents[3], Integer.parseInt(messageComponents[4]), null, null, null);
+ } catch (Exception e) {
+ // do nothing
+ }
+
+ setDone(true);
+ }
+
+ /**
+ * Returns whether the given message is serviceable by this object
+ *
+ * @param message The message to service
+ * @return boolean indicating if message is serviceable
+ */
+ public boolean serviceable(String message) {
+ return message.startsWith("plugin ProxyInfo");
+ }
+
+ public URI getObject() {
+ return this.internal;
+ }
+}
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PluginProxySelector.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/plugin/icedtea/sun/applet/PluginProxySelector.java Fri Mar 13 17:44:04 2009 -0400
@@ -0,0 +1,195 @@
+/* PluginProxySelector -- proxy selector for all connections from applets and the plugin
+ Copyright (C) 2009 Red Hat
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package sun.applet;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.Proxy;
+import java.net.ProxySelector;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.util.Date;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+/**
+ * Proxy selector implementation for plugin network functions.
+ *
+ * This class fetches proxy information from the web browser and
+ * uses that information in the context of all network connection
+ * (plugin specific and applet connections) as applicable
+ *
+ */
+
+public class PluginProxySelector extends ProxySelector {
+
+ private TimedHashMap<String, Proxy> proxyCache = new TimedHashMap<String, Proxy>();
+
+
+ @Override
+ public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
+ // If the connection fails, there is little we can do here. Just print the exception
+ ioe.printStackTrace();
+ }
+
+ /**
+ * Selects the appropriate proxy (or DIRECT connection method) for the given URI
+ *
+ * @param uri The URI being accessed
+ * @return A list of Proxy objects that are usable for this URI
+ */
+ @Override
+ public List<Proxy> select(URI uri) {
+
+ List<Proxy> proxyList = new ArrayList<Proxy>();
+
+ // check cache first
+ Proxy cachedProxy = checkCache(uri);
+ if (cachedProxy != null) {
+ proxyList.add(cachedProxy);
+ return proxyList;
+ }
+
+ // Nothing usable in cache. Fetch info from browser
+ Proxy proxy = Proxy.NO_PROXY;
+ Object o = PluginAppletViewer.requestPluginProxyInfo(uri);
+
+ // If the browser returned anything, try to parse it. If anything in the try block fails, the fallback is direct connection
+ try {
+ if (o != null) {
+ PluginDebug.debug("Proxy URI = " + o);
+ URI proxyURI = (URI) o;
+
+ // If origin uri is http/ftp, we're good. If origin uri is not that, the proxy _must_ be socks, else we fallback to direct
+ if (uri.getScheme().startsWith("http") || uri.getScheme().equals("ftp") || proxyURI.getScheme().startsWith("socks")) {
+
+ Proxy.Type type = proxyURI.getScheme().equals("http") ? Proxy.Type.HTTP : Proxy.Type.SOCKS;
+ InetSocketAddress socketAddr = new InetSocketAddress(proxyURI.getHost(), proxyURI.getPort());
+
+ proxy = new Proxy(type, socketAddr);
+
+ String uriKey = uri.getScheme() + "://" + uri.getHost();
+ proxyCache.put(uriKey, proxy);
+ } else {
+ PluginDebug.debug("Proxy " + proxyURI + " cannot be used for " + uri + ". Falling back to DIRECT");
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ proxyList.add(proxy);
+
+ PluginDebug.debug("Proxy for " + uri.toString() + " is " + proxy);
+
+ return proxyList;
+ }
+
+ /**
+ * Checks to see if proxy information is already cached.
+ *
+ * @param uri The URI to check
+ * @return The cached Proxy. null if there is no suitable cached proxy.
+ */
+ private Proxy checkCache(URI uri) {
+
+ String uriKey = uri.getScheme() + "://" + uri.getHost();
+ if (proxyCache.get(uriKey) != null) {
+ return proxyCache.get(uriKey);
+ }
+
+ return null;
+ }
+
+ /**
+ * Simple utility class that extends HashMap by adding an expiry to the entries.
+ *
+ * This map stores entries, and returns them only if the entries were last accessed within time t=10 seconds
+ *
+ * @param <K> The key type
+ * @param <V> The Object type
+ */
+
+ private class TimedHashMap<K,V> extends HashMap<K,V> {
+
+ HashMap<K, Long> timeStamps = new HashMap<K, Long>();
+ Long expiry = 10000L;
+
+ /**
+ * Store the item in the map and associate a timestamp with it
+ *
+ * @param key The key
+ * @param value The value to store
+ */
+ public V put(K key, V value) {
+ timeStamps.put(key, new Date().getTime());
+ return super.put(key, value);
+ }
+
+ /**
+ * Return cached item if it has not already expired.
+ *
+ * Before returning, this method also resets the "last accessed"
+ * time for this entry, so it is good for another 10 seconds
+ *
+ * @param key The key
+ */
+ public V get(Object key) {
+
+ Long now = new Date().getTime();
+
+ if (super.containsKey(key)) {
+ Long age = now - timeStamps.get(key);
+
+ // Item exists. If it has not expired, renew its access time and return it
+ if (age <= expiry) {
+ PluginDebug.debug("Returning proxy " + super.get(key) + " from cache for " + key);
+ timeStamps.put((K) key, (new Date()).getTime());
+ return super.get(key);
+ } else {
+ PluginDebug.debug("Proxy cache for " + key + " has expired (age=" + age/1000.0 + " seconds)");
+ }
+ }
+
+ return null;
+ }
+ }
+
+}
diff -r ebdc89c68af2 plugin/icedtea/sun/applet/PluginStreamHandler.java
--- a/plugin/icedtea/sun/applet/PluginStreamHandler.java Fri Mar 13 17:02:59 2009 -0400
+++ b/plugin/icedtea/sun/applet/PluginStreamHandler.java Fri Mar 13 17:44:04 2009 -0400
@@ -134,7 +134,7 @@
long b4 = new Date().getTime();
String s = read();
-
+
long after = new Date().getTime();
totalWait += (after - b4);
@@ -228,7 +228,12 @@
if (msgComponents.length < 2)
return;
-
+
+ if (msgComponents[0].startsWith("plugin")) {
+ handlePluginMessage(message);
+ return;
+ }
+
// type and identifier are guaranteed to be there
String type = msgComponents[0];
final int identifier = Integer.parseInt(msgComponents[1]);
@@ -295,6 +300,17 @@
} catch (Exception e) {
throw new PluginException(this, identifier, reference, e);
}
+ }
+
+ private void handlePluginMessage(String message) {
+ if (message.equals("plugin showconsole")) {
+ showConsole();
+ } else if (message.equals("plugin hideconsole")) {
+ hideConsole();
+ } else {
+ // else this is something that was specifically requested
+ finishCallRequest(message);
+ }
}
public void postCallRequest(PluginCallRequest request) {
@@ -382,10 +398,6 @@
AppletSecurityContextManager.dumpStore(0);
PluginDebug.debug("APPLETVIEWER: exiting appletviewer");
System.exit(0);
- } else if (message.equals("showconsole")) {
- showConsole();
- } else if (message.equals("hideconsole")) {
- hideConsole();
}
} catch (IOException e) {
e.printStackTrace();
diff -r ebdc89c68af2 rt/net/sourceforge/jnlp/JNLPFile.java
--- a/rt/net/sourceforge/jnlp/JNLPFile.java Fri Mar 13 17:02:59 2009 -0400
+++ b/rt/net/sourceforge/jnlp/JNLPFile.java Fri Mar 13 17:44:04 2009 -0400
@@ -106,7 +106,7 @@
// null values will still work, and app can set defaults later
}
}
-
+
/**
* Empty stub, allowing child classes to override the constructor
*/
diff -r ebdc89c68af2 rt/net/sourceforge/jnlp/NetxPanel.java
--- a/rt/net/sourceforge/jnlp/NetxPanel.java Fri Mar 13 17:02:59 2009 -0400
+++ b/rt/net/sourceforge/jnlp/NetxPanel.java Fri Mar 13 17:44:04 2009 -0400
@@ -42,6 +42,7 @@
private boolean exitOnFailure = true;
private AppletInstance appInst = null;
private String cookieStr;
+ private boolean appletAlive;
public NetxPanel(URL documentURL, Hashtable atts)
{
@@ -54,6 +55,7 @@
this(documentURL, atts);
this.exitOnFailure = exitOnFailure;
this.cookieStr = cookieStr;
+ this.appletAlive = true;
}
//Overriding to use Netx classloader. You might need to relax visibility
@@ -121,10 +123,11 @@
validate();
}
} catch (Exception e) {
+ this.appletAlive = false;
e.printStackTrace();
}
}
-
+
// Reminder: Relax visibility in sun.applet.AppletPanel
protected synchronized void createAppletThread() {
handler = new Thread(this);
@@ -139,5 +142,9 @@
public ClassLoader getAppletClassLoader() {
return appInst.getClassLoader();
}
+
+ public boolean isAlive() {
+ return handler.isAlive() && this.appletAlive;
+ }
}
More information about the distro-pkg-dev
mailing list