Reviewer needed - fix for Re: Strange behaviour during javaws -about

[Omair Majid]

On 02/24/2011 11:43 AM, Jiri Vanek wrote:
> On 02/24/2011 12:36 AM, Omair Majid wrote:
>
> So, this patch expects fixed about.jnlp to have code base of
> file://$DEST_DIR/share
>
> Then removes all-permissions, and lunched fixed window without them. The
> window is not running in invoke later(which probably caused the hang)
> but runs in javaws's own thread. Also points directly to correct jnlp
> local file and runs offline.
>
>> On 02/23/2011 12:51 PM, Dr Andrew John Hughes wrote:
>>> What is the motivation for this change? Assuming it still runs without
>>> all-permissions, the change looks fine.
>>>
>>
>>  From my very limited testing, it doesnt :(
>  >
>> snip

Contrary to what I had expected, this patch works just fine. I am still 
not sure if we want to do it this way, but it works. The comments below 
are an attempt to explain why it works.

> @@ -112,24 +105,8 @@
>       }
>
>   	public static void main(String[] args) {
> -		javax.swing.SwingUtilities.invokeLater(new Runnable() {
> -			public void run() {
> -				createAndShowGUI();
> -			}
> -		});
> -	}
> +					createAndShowGUI();
> +		}
>

This was what was really confusing me. The "new Runnable() {...}" bit is 
really an inner class, Main$1. Main and HTMLPanel are loaded by netx 
itself (which has permissions to access any package), but Main$1 is 
loaded by Main, which does not have access to the package 
net.sourceforge.jnlp.about. So keeping the invokeLater causes an 
AccessControlException (as Main tries to access 
net.sourceforge.jnlp.about.Main$1), while removing it makes the 
untrusted about application work.

The correct fix, IMHO, would be to change the package of about, so 
about.jar can access all it's own classes without security exceptions. 
On the other hand, I think that may be an overly complex solution; 
removing invokeLater works for now (thought it may break at some point).

Does anyone else have any thoughts about this?

Cheers,
Omair