[RFC[PATCH]: Patch fix for algorithm that verifies signed JNLP file s

Saad Mohammad smohamma at redhat.com
Tue Aug 2 14:06:32 PDT 2011 

I have read all the comments and reviews on my previous patch that added the algorithm of checking signed JNLP files. I want to thank you all for your input, it was a big help to me.

Since I have committed one of the patches, I have attached a new patch that addresses the issues we had with the previous patch.

CHANGELOG:

2011-08-02  Saad Mohammad  <smohammad at redhat.com>

	* netx/net/sourceforge/jnlp/JNLPMatcher.java:
	  (JNLPMatcher): Removed NullPointerException from being thrown, caught and 
	  then thrown again via JNLPMatcherException. This was replaced by throwing 
	  a checked exception [JNLPMatcherException] directly. 
  	  (JNLPMatcher): Removed unused code [getters]
	  (JNLPMatcher): Closed Input/Output streams that were opened.
	  (isMatch): Removed caching of return value
	  (closeInputStream): Added this method to close input streams
	  (closeOutputStream): Added this method to close output streama
	* netx/net/sourceforge/jnlp/Node.java:
	  Removed getAttributeNames() method from the commented section

FYI,
I have not attached the implementation of verifying signed JNLP file when launching the application 
(Patch 2 from previous emails with subject: [RFC][PATCH][icedtea-web]: Added support for signed JNLP file- Updated Patch]).

I have discovered some new changes that should be implemented:

    -  The main jar file is ONLY checked for a signed JNLP file (It should not check other jar resource; just the jar with the main class)

    -  As Omair pointed out, we have to handle "lazy" jars differently. At the moment, there is a bug that I will need to fix before I can continue: all 'lazy' jars are automatically considered unsigned by 
       IcedTea-Web (even ones with valid signatures)
       [http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=765]

    -  Applications with a valid signed JNLP file have special security privileges and also allows special arguments to be passed though using  "java-vm-args" attribute within the js2e element. I have also read 
       that special properties can be used with a signed JNLP file application. I am uncertain if there are any properties or vm arguments that IcedTea-Web has restricted unless the application has certain 
       permissions.
       [http://forums.oracle.com/forums/thread.jspa?threadID=1359245&tstart=0]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Patch1d.patch
Type: text/x-patch
Size: 6093 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110802/514d06a5/Patch1d.patch

More information about the distro-pkg-dev mailing list