[RFC][IcedTea-Web]: Change #4 (PersistenceService) of new JNLP specification (v7.0)

Wed Jun 8 12:34:50 PDT 2011

* Saad Mohammad <smohammad at redhat.com> [2011-06-08 15:18]:
> Hi,
> 
> This is the patch that allows any trusted application to have access
> to any PersistenceService data (including ones from other hosts). It
> is part of the new JNLP specification, and is stated under change #4 (http://jcp.org/aboutJava/communityprocess/maintenance/jsr056/jnlp-7_0-changes.html).
> 
> This patch is very simple, it uses a custom method [a modified
> version of ServiceUtil.checkAccess()] to validate whether the
> current application is trusted and has a signature. If the current
> application is  a trusted application,
> XPersistenceService.checkLocation() makes sure that the application
> has access to all Persistence Service data. If the current
> application is not a trusted application and it want to have access
> to PersistenceService data from an outside host,
> XPersistenceService.checkLocation() will throw
> MalformedURLException.
> 
> Cheers,
> Saad Mohammad

> diff -r af1ed34483d1 netx/net/sourceforge/jnlp/services/XPersistenceService.java
> --- a/netx/net/sourceforge/jnlp/services/XPersistenceService.java	Tue May 31 12:00:01 2011 -0400
> +++ b/netx/net/sourceforge/jnlp/services/XPersistenceService.java	Wed Jun 08 13:54:41 2011 -0400
> @@ -53,8 +53,11 @@
>  
>          URL source = app.getJNLPFile().getCodeBase();
>  
> -        if (!source.getHost().equalsIgnoreCase(location.getHost()))
> -            throw new MalformedURLException("Cannot access data from a different host.");
> +        if (!source.getHost().equalsIgnoreCase(location.getHost())){
> +        	if (!checkSigned(app)){ // If the application is not trusted, throw exception. Allow trusted application to access data from a different host
> +        		throw new MalformedURLException("Untrusted application cannot access data from a different host.");
> +        	}
> +        }
>  
>          // test for above codebase, not perfect but works for now
>  
> @@ -69,8 +72,11 @@
>              System.out.println("request path: " + requestPath);
>          }
>  
> -        if (!source.getFile().startsWith(requestPath))
> -            throw new MalformedURLException("Cannot access data below source URL path.");
> +        if (!source.getFile().startsWith(requestPath)){
> +        	if (!checkSigned(app)){ // If the application is not trusted, throw exception. Allow trusted application to access data from a different host
> +        		throw new MalformedURLException("Untrusted application cannot access data below source URL path.");
> +        	}
> +        }
>      }
> 

You can just use && instead of a nested if.

Also, is the checkSigned function actually needed? ApplicationInstance
has an isSigned() method and if app is not null, you can use it
directly..

Cheers,
Deepak