[RFC] PR568: LWJGL Applets fail to work with IcedTea Plugin

Omair Majid omajid at redhat.com
Wed Oct 13 08:32:33 PDT 2010


The attached patch attempts to fix PR568.

The LWJGL applet downloads a jar to /tmp/ and then calls 
getPermissions() using that jar as the CodeSource. Currently, since 
there is no SecurityDesc for this new location, an exception is thrown. 
A comment from the source code of LWJGL is:
// getPermissions from original classloader is important as it checks // 
for signed jars and shows any security dialogs needed
The attached patch modifies JNLPClassLoader.getPermissions() to treat 
the new jar the same way it would be treated if it was loaded by 
initializeResources(). Currently, it checks that the jar is on the local 
machine and the plugin is being used.

The check for a local jar means that any jar on the local machine can 
now be accessed by an applet (can untrusted applets do this? - they do 
not have any file permissions). Even though a security dialog will tell 
the user if the jar is unsigned (or any of the cases that can happen in 
initializeResources), I am not sure if this is the best solution.

I would also like to extend this to all JNLPs in general, but two things 
are keeping me
1. I have not seen any JNLP applications using this.
2. I cant see a way to figure out what SecurityDesc should be used 
(since there is no JNLP file to describe the security permissions that 
should be granted).

Any thoughts or comments?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: icedtea6-jnlp-classloader-load-new-codesources-01.patch
Type: text/x-patch
Size: 12756 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20101013/cb041cf0/icedtea6-jnlp-classloader-load-new-codesources-01.patch 

More information about the distro-pkg-dev mailing list