[icedtea-web] RFC: fix RH677772 - NoSuchAlgorithmException using SSL/TLS in javaws
Omair Majid
omajid at redhat.com
Wed Feb 23 08:35:34 PST 2011
Hi,
I have attached a patch to fix RH677772 [1]. Please note that I am
particularly concerned as it is reverting a patch [2] that was added to
fix another (quite similar) bug, RH524387 [3].
As this new bug shows, there are issues with the current system. To fix
these, we will have to whitelist all possible classes/method that are
allowed at this place. And I am not sure at all how to determine these
classes/methods. I especially dont think this is maintainable (all the
more so if you consider third party code which we have no idea about).
The real problem, I think, is that we are not granting full permissions
to code originating from jre/lib/ext (which the default java.policy file
does). If we do that, then all code that's installed there (3rd party
JCE providers, proprietary jars, or really anything) will run with
proper permissions, and we wont even need to deal with the current
system of whitelisting. This is what the proposed patch does.
I hope that explains why we should just grant appropriate permissions to
code loaded from jre/lib/ext and let java's normal security mechanism
handle everything from then on.
Any thoughts or comments on the patch?
Thanks,
Omair
[1] https://bugzilla.redhat.com/show_bug.cgi?id=677772
[2] http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=6d1e2fae468a
[3] https://bugzilla.redhat.com/show_bug.cgi?id=524387
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nosuchalgorithmexception-03.patch
Type: text/x-patch
Size: 4964 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110223/309ab6d0/nosuchalgorithmexception-03.patch
More information about the distro-pkg-dev
mailing list