/hg/icedtea-web: RH677772: NoSuchAlgorithmException using SSL/TL...
omajid at icedtea.classpath.org
Wed Feb 23 10:06:36 PST 2011
changeset 11a9a305dd44 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=11a9a305dd44
author: Omair Majid <omajid at redhat.com>
date: Wed Feb 23 13:04:02 2011 -0500
RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
Grant AllPermission to CodeSource originating from jre/lib/ext, and
let Java's security model work. The cryptography code already does a
doPrivilegedAction when initializing cryptography providers which
takes care of everything.
2011-02-23 Omair Majid <omajid at redhat.com>
RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
* NEWS: Update with bugfix.
* netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java: Add new field
jreExtDir. (JNLPPolicy): Initialize jreExtDir.
(getPermissions): Grant AllPermissions if the CodeSourse is a system
jar. (isSystemJar): New method.
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
(checkPermission): Remove special casing of
SecurityPermission("putProviderProperty.SunJCE") and SecurityPer
mission("accessClassInPackage.sun.security.internal.spec").
(inTrustedCallChain): Remove.
diffstat:
4 files changed, 42 insertions(+), 49 deletions(-)
ChangeLog | 15 +++
NEWS | 1
netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java | 26 ++++++
netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 49 ------------
diffs (163 lines):
diff -r f14bd72dbb29 -r 11a9a305dd44 ChangeLog
--- a/ChangeLog Tue Feb 22 19:15:05 2011 -0500
+++ b/ChangeLog Wed Feb 23 13:04:02 2011 -0500
@@ -1,3 +1,18 @@ 2011-02-22 Omair Majid <omajid at redhat.
+2011-02-23 Omair Majid <omajid at redhat.com>
+
+ RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
+ * NEWS: Update with bugfix.
+ * netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java: Add new field
+ jreExtDir.
+ (JNLPPolicy): Initialize jreExtDir.
+ (getPermissions): Grant AllPermissions if the CodeSourse is a system jar.
+ (isSystemJar): New method.
+ * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+ (checkPermission): Remove special casing of
+ SecurityPermission("putProviderProperty.SunJCE") and
+ SecurityPermission("accessClassInPackage.sun.security.internal.spec").
+ (inTrustedCallChain): Remove.
+
2011-02-22 Omair Majid <omajid at redhat.com>
Mark Greenwood <mark at dcs.shef.ac.uk>
diff -r f14bd72dbb29 -r 11a9a305dd44 NEWS
--- a/NEWS Tue Feb 22 19:15:05 2011 -0500
+++ b/NEWS Wed Feb 23 13:04:02 2011 -0500
@@ -16,6 +16,7 @@ New in release 1.1 (2011-XX-XX):
- IcedTea-Web now installs to a FHS-compliant location
* Common Fixes and Improvements
- PR638: JNLPClassLoader.loadClass(String name) can return null
+ - RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
* NetX
- Use Firefox's proxy settings if possible
- RH669942: javaws fails to download version/packed files (missing support for jnlp.packEnabled and jnlp.versionEnabled)
diff -r f14bd72dbb29 -r 11a9a305dd44 netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java Tue Feb 22 19:15:05 2011 -0500
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java Wed Feb 23 13:04:02 2011 -0500
@@ -16,6 +16,7 @@
package net.sourceforge.jnlp.runtime;
+import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.*;
@@ -44,6 +45,8 @@ public class JNLPPolicy extends Policy {
/** the previous policy */
private static Policy systemPolicy;
+ private final String jreExtDir;
+
/** the system level policy for jnlps */
private Policy systemJnlpPolicy = null;
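Review bot: `jreExtDir` is the only field in this hunk without the one-line javadoc its neighbours carry, and since its value decides an AllPermission grant in getPermissions it deserves one. Suggested: `/** the JRE's lib/ext directory; code loaded from here is treated as system code and granted all permissions */`.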
@@ -57,6 +60,9 @@ public class JNLPPolicy extends Policy {
systemJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_SYSTEM_SECURITY_POLICY);
userJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_USER_SECURITY_POLICY);
+
+ String jre = System.getProperty("java.home");
+ jreExtDir = jre + File.separator + "lib" + File.separator + "ext";
}
/**
@@ -66,6 +72,10 @@ public class JNLPPolicy extends Policy {
public PermissionCollection getPermissions(CodeSource source) {
if (source.equals(systemSource) || source.equals(shellSource))
return getAllPermissions();
+
+ if (isSystemJar(source)) {
+ return getAllPermissions();
+ }
// if we check the SecurityDesc here then keep in mind that
// code can add properties at runtime to the ResourcesDesc!
@@ -123,6 +133,22 @@ public class JNLPPolicy extends Policy {
}
/**
+ * Returns true if the CodeSource corresponds to a system jar. That is,
+ * it's part of the JRE.
+ */
+ private boolean isSystemJar(CodeSource source) {
+ // anything in JRE/lib/ext is a system jar and has full permissions
+ String sourceProtocol = source.getLocation().getProtocol();
+ String sourcePath = source.getLocation().getPath();
+ if (sourceProtocol.toUpperCase().equals("FILE") &&
+ sourcePath.startsWith(jreExtDir)) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
* Constructs a delegate policy based on a config setting
* @param key a KEY_* in DeploymentConfiguration
* @return a policy based on the configuration set by the user
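Review bot: `isSystemJar` decides an AllPermission grant from a raw prefix match on `getLocation().getPath()`, so the comparison runs on an unnormalized URL path: relative `..` segments, percent-encoded characters and symlinks are not resolved before `startsWith`, and without a trailing separator a sibling directory whose name merely begins with `ext` would match as well. The location should be converted to a canonical `File` path and compared against the canonical `jreExtDir` plus `File.separator`; `CodeSource.getLocation()` may also be null per its contract, which the current code would turn into a NullPointerException. On Windows `URL.getPath()` uses `/` while `jreExtDir` is built with `File.separator`, so the check would presumably never match there, and canonicalizing through `File` resolves that too. The rewrite below needs `java.net.URL` and `java.io.IOException` in scope.
```java
    private boolean isSystemJar(CodeSource source) {
        // anything in JRE/lib/ext is a system jar and has full permissions
        URL location = source.getLocation();
        if (location == null || !"file".equalsIgnoreCase(location.getProtocol())) {
            return false;
        }
        try {
            // compare canonical paths so relative segments, symlinks and
            // URL encoding cannot make a jar outside lib/ext look like one inside it
            String jarPath = new File(location.toURI()).getCanonicalPath();
            String extDir = new File(jreExtDir).getCanonicalPath() + File.separator;
            return jarPath.startsWith(extDir);
        } catch (URISyntaxException e) {
            return false;
        } catch (IOException e) {
            return false;
        } catch (IllegalArgumentException e) {
            // new File(URI) rejects file URIs with an authority or query component
            return false;
        }
    }
```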
diff -r f14bd72dbb29 -r 11a9a305dd44 netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Tue Feb 22 19:15:05 2011 -0500
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Wed Feb 23 13:04:02 2011 -0500
@@ -306,27 +306,6 @@ class JNLPSecurityManager extends AWTSec
}
}
}
-
- } else if (perm instanceof SecurityPermission) {
- tmpPerm = perm;
-
- // JCE's initialization requires putProviderProperty permission
- if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
- if (inTrustedCallChain("com.sun.crypto.provider.SunJCE", "run")) {
- return;
- }
- }
-
- } else if (perm instanceof RuntimePermission) {
- tmpPerm = perm;
-
- // KeyGenerator's init method requires internal spec access
- if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
- if (inTrustedCallChain("javax.crypto.KeyGenerator", "init")) {
- return;
- }
- }
-
} else {
tmpPerm = perm;
}
@@ -348,34 +327,6 @@ class JNLPSecurityManager extends AWTSec
}
throw ex;
}
- }
-
- /**
- * Returns weather the given class and method are in the current stack,
- * and whether or not everything upto then is trusted
- *
- * @param className The name of the class to look for in the stack
- * @param methodName The name of the method for the given class to look for in the stack
- * @return Weather or not class::method() are in the chain, and everything upto there is trusted
- */
- private boolean inTrustedCallChain(String className, String methodName) {
-
- StackTraceElement[] stack = Thread.currentThread().getStackTrace();
-
- for (int i = 0; i < stack.length; i++) {
-
- // Everything up to the desired class/method must be trusted
- if (!stack[i].getClass().getProtectionDomain().implies(new AllPermission())) {
- return false;
- }
-
- if (stack[i].getClassName().equals(className) &&
- stack[i].getMethodName().equals(methodName)) {
- return true;
- }
- }
-
- return false;
}
/**