Not using signers in JNLPPolicy.getPermissions()
Deepak Bhole
dbhole at redhat.com
Tue Jan 4 13:05:21 PST 2011
* Omair Majid <omajid at redhat.com> [2010-12-17 18:07]:
> Hi,
>
> I noticed this line in JNLPPolicy.getPermissions(CodeSource source):
>
> CodeSource appletCS = new CodeSource(JNLPRuntime.getApplication().getJNLPFile().getSourceLocation(),
> (java.security.cert.Certificate[]) null);
>
> I understand that we need a URL to the actual source of the code
> (instead of a url to the on-disk cache), but why use null as the
> certificate array? Is there a reason we are not using the actual
> signers associated with the CodeSource?
>

appletCS is used only in the getPermissions call below, whose return is
merged with the permissions that the jar code signer has
(clPermissions).

clPermissions already accounts for code-signer specific permissions, so
providing signers to the CodeSource constructor would make no
difference, and was probably done to avoid redundant merging.

Cheers,
Deepak

> Thanks,
> Omair
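
The following is an added example, not part of the original thread and not code from the project. It shows how the certificate array of a CodeSource affects which policy grant entries match it, assuming the standard `CodeSource.implies` matching rule; the class name, `fakeCert`, `grantApplies`, the URL and the certificate are constructed for illustration.

```java
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.CodeSource;
import java.security.PublicKey;
import java.security.cert.Certificate;

public class NullSignerCodeSourceDemo {

    // Constructed stand-in for a signer certificate (not a real X.509 certificate).
    static Certificate fakeCert(String name) {
        final byte[] encoded = name.getBytes(StandardCharsets.UTF_8);
        return new Certificate("X.509") {
            @Override public byte[] getEncoded() { return encoded.clone(); }
            @Override public void verify(PublicKey key) { }
            @Override public void verify(PublicKey key, String sigProvider) { }
            @Override public String toString() { return "FakeCert[" + name + "]"; }
            @Override public PublicKey getPublicKey() { return null; }
        };
    }

    // A grant entry applies to the queried code when the grant's CodeSource implies it.
    static boolean grantApplies(CodeSource grant, CodeSource queried) {
        return grant.implies(queried);
    }

    public static void main(String[] args) throws Exception {
        URL location = URI.create("http://localhost/app/app.jar").toURL(); // constructed URL
        Certificate[] signers = { fakeCert("constructed-signer") };

        // The two ways the lookup key could be built: with null certificates
        // (as in the quoted line) or with the actual signers.
        CodeSource queryNoSigners = new CodeSource(location, (Certificate[]) null);
        CodeSource queryWithSigners = new CodeSource(location, signers);

        // Two grant entries for the same location, modelled as CodeSources:
        // one without a signer condition, one restricted to the signer.
        CodeSource plainGrant = new CodeSource(location, (Certificate[]) null);
        CodeSource signedByGrant = new CodeSource(location, signers);

        System.out.println("plain grant,    null signers: " + grantApplies(plainGrant, queryNoSigners));
        System.out.println("signedBy grant, null signers: " + grantApplies(signedByGrant, queryNoSigners));
        System.out.println("plain grant,    with signers: " + grantApplies(plainGrant, queryWithSigners));
        System.out.println("signedBy grant, with signers: " + grantApplies(signedByGrant, queryWithSigners));
    }
}
```

A lookup keyed on null certificates can only pick up grants that carry no signer condition, so any signer-specific permissions have to reach the final set through a separate path, which in the thread is the merge with clPermissions.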