[RFC][IcedTea-Web]: Change #4 (PersistenceService) of new JNLP specification (v7.0)

Deepak Bhole dbhole at redhat.com
Wed Jun 8 13:54:18 PDT 2011


* Omair Majid <omajid at redhat.com> [2011-06-08 16:46]:
> On 06/08/2011 04:19 PM, Saad Mohammad wrote:
> >On 06/08/2011 03:52 PM, Omair Majid wrote:
> >>app = JNLPRuntime.getApplication();
> >I am looking into ApplicationInstance.isSigned at the moment, and I will
> >try running some tests to see if it is actually a better method to
> >determine whether the application has a signature.
> 
> Please do NOT use ApplicationInstance.isSigned(). Deepak himself
> patched checkAccess to avoid using ApplicationInstance.isSigned. It
> is not enough. You can have unsigned applications calling privileged
> code which does doPrivileged() operations. I think it's completely
> fine to allow them to use PersistenceService.
> 

I can't recall why I made the change, but I thought it was due to the
case of it being called from JNLPSecurityManager.

What do you mean by unsigned apps calling doPrivileged() operations? Can
you give an example where that would lead to app being null?

Cheers,
Deepak

> >I will get back with
> >that soon. Deepak is also right about having a nested if condition, I
> >will fix it with &&. I will also create a method within ServiceUtil to
> >avoid having duplicate code and will email my updated patch soon.
> >
> 
> I look forward to it.
> 
> Cheers,
> Omair


