[icedtea-web] RFC: use deployment-specific system- and user-level policy files to grant permissions

Deepak Bhole dbhole at redhat.com
Tue Jan 4 11:13:58 PST 2011 

* Omair Majid <omajid at redhat.com> [2010-12-17 18:05]:
> Hi,
> 
> The following patch makes these two properties from
> deployment.properties have effect:
> deployment.user.security.policy
> deployment.system.security.policy
> 
> The patch makes the JNLPPolicy class look for permissions for the
> given code source in the files defined by these two properties as
> well.
> 
> Thoughts?
> 

Looks good! OK for HEAD.

Cheers,
Deepak

> ChangeLog:
> 2010-12-17  Omair Majid  <omajid at redhat.com>
> 
>   * netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java: Add
>   systemJnlpPolicy and userJnlpPolicy.
>   (JNLPPolicy): Initialize the new policies.
>   (getPermissions): Consult the extra policies as well to determine the
>   resulting permissions to be granted.
>   (getPolicyFromConfig): New method. Create a new Policy instance to
>   delegate to for system- and user-level policies.
> 
> Cheers,
> Omair

> diff -r adef5d4159ee netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java	Mon Dec 13 17:28:01 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java	Wed Dec 15 14:44:27 2010 -0500
> @@ -16,9 +16,13 @@
>  
>  package net.sourceforge.jnlp.runtime;
>  
> +import java.net.URI;
> +import java.net.URISyntaxException;
>  import java.security.*;
>  import java.util.Enumeration;
>  
> +import net.sourceforge.jnlp.config.DeploymentConfiguration;
> +
>  /**
>   * Policy for JNLP environment.  This class delegates to the
>   * system policy but always grants permissions to the JNLP code
> @@ -40,10 +44,19 @@
>      /** the previous policy */
>      private static Policy systemPolicy;
>  
> +    /** the system level policy for jnlps */
> +    private Policy systemJnlpPolicy = null;
> +
> +    /** the user-level policy for jnlps */
> +    private Policy userJnlpPolicy = null;
> +
>      protected JNLPPolicy() {
>          shellSource = JNLPPolicy.class.getProtectionDomain().getCodeSource();
>          systemSource = Policy.class.getProtectionDomain().getCodeSource();
>          systemPolicy = Policy.getPolicy();
> +
> +        systemJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_SYSTEM_SECURITY_POLICY);
> +        userJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_USER_SECURITY_POLICY);
>      }
>  
>      /**
> @@ -62,11 +75,27 @@
>  
>                  PermissionCollection clPermissions = cl.getPermissions(source);
>  
> +                Enumeration<Permission> e;
> +                CodeSource appletCS = new CodeSource(JNLPRuntime.getApplication().getJNLPFile().getSourceLocation(), (java.security.cert.Certificate[]) null);
> +
>                  // systempolicy permissions need to be accounted for as well
> -                CodeSource appletCS = new CodeSource(JNLPRuntime.getApplication().getJNLPFile().getSourceLocation(), (java.security.cert.Certificate[]) null);
> -                Enumeration e = systemPolicy.getPermissions(appletCS).elements();
> +                e = systemPolicy.getPermissions(appletCS).elements();
>                  while (e.hasMoreElements())
> -                    clPermissions.add((Permission) e.nextElement());
> +                    clPermissions.add(e.nextElement());
> +
> +                // and so do permissions from the jnlp-specific system policy
> +                if (systemJnlpPolicy != null) {
> +                    e = systemJnlpPolicy.getPermissions(appletCS).elements();
> +                    while (e.hasMoreElements())
> +                        clPermissions.add(e.nextElement());
> +                }
> +
> +                // and permissiosn from jnlp-specific user policy too
> +                if (userJnlpPolicy != null) {
> +                    e = userJnlpPolicy.getPermissions(appletCS).elements();
> +                    while (e.hasMoreElements())
> +                        clPermissions.add(e.nextElement());
> +                }
>  
>                  return clPermissions;
>              }
> @@ -93,6 +124,31 @@
>          return result;
>      }
>  
> +    /**
> +     * Constructs a delegate policy based on a config setting
> +     * @param key a KEY_* in DeploymentConfiguration
> +     * @return a policy based on the configuration set by the user
> +     */
> +    private Policy getPolicyFromConfig(String key) {
> +        Policy policy = null;
> +        String policyLocation = null;
> +        DeploymentConfiguration config = JNLPRuntime.getConfiguration();
> +        policyLocation = config.getProperty(key);
> +        if (policyLocation != null) {
> +            try {
> +                URI policyUri = new URI(policyLocation);
> +                policy = getInstance("JavaPolicy", new URIParameter(policyUri));
> +            } catch (IllegalArgumentException e) {
> +                e.printStackTrace();
> +            } catch (NoSuchAlgorithmException e) {
> +                e.printStackTrace();
> +            } catch (URISyntaxException e) {
> +                e.printStackTrace();
> +            }
> +        }
> +        return policy;
> +    }
> +
>      public boolean implies(ProtectionDomain domain, Permission permission) {
>          //Include the permissions that may be added during runtime.
>          PermissionCollection pc = getPermissions(domain.getCodeSource());

More information about the distro-pkg-dev mailing list