[icedtea-web] RFC: PR822: Applets fail to load if jars have different signers
Danesh Dadachanji
ddadacha at redhat.com
Thu Feb 2 09:30:14 PST 2012
On 26/01/12 02:55 PM, Deepak Bhole wrote:
> Hi,
>
> This patch fixes PR822:
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=822
>
> It makes it so that applets do not require all jars to have a single
> signer (which is not mandated by the spec). After the patch, sites like
> the one mentioned in the bug (https://bcee.snet.lu/) now work.
>
Hi,

I believe your logic for the if-statement in JNLPClassLoader is
incorrect. Specifically if this is an applet, it does not need to be
checked for multiple jars having a common signer. It actually depends on
whether or not the applet is being run from a JNLP file. If it is,
then we definitely have to check for a common signer.

If the applet is run via 'javaws' using a JNLP file (using
<applet-desc>) OR if the applet is run via the plugin using jnlp_href,
the check should be run. If this applet has no common signer among its
multiple jars, it should not be allowed to run. Note that running
applets using javaws doesn't work ATM but we should still consider this
case!

Another way of putting it (for the if condition's sake) is that if this
is an applet being run from the plugin AND NOT using jnlp_href (i.e.
using applet/embedded tag instead), then the jars do NOT need to be
checked for a common signer.

+ // Case when at least one jar has some signing
+ // For permissions to be given, we need:
+ // 1. Something is signed
+ // 2. This is an applet
This should be replaced with // 2. This is an applet being run by the
plugin without jnlp_href
+ // 3. OR, if this is NOT an applet, all jars have the same
signer
The "this is NOT an applet" bit should be removed. I think this should
also be changed to "OR all jars have at least one common signer" since,
to me, "the same" implies there's just one.
+ if (js.anyJarsSigned() // signed
+ && (getJNLPFile().isApplet() // and an applet
+ || (!getJNLPFile().isApplet() // OR, NOT an
applet
+ &&
js.isFullySignedByASingleCert()))) { // AND fully signed by a single cert
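Review bot: In the second operand of the || the test !getJNLPFile().isApplet() is redundant, because that branch is only evaluated when isApplet() has already returned false; A || (!A && B) is equivalent to A || B. Dropping it leaves js.anyJarsSigned() && (getJNLPFile().isApplet() || js.isFullySignedByASingleCert()), which is easier to audit for a permission decision, and item 3 of the comment block can then be shortened to match the code.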
Logic from above in code
if (js.anyJarsSigned() // signed
        && ((getJNLPFile() instanceof PluginBridge
                && !((PluginBridge) getJNLPFile()).useJNLPHref()) // and an applet not using jnlp_href
            || js.isFullySignedByASingleCert())) { // OR fully signed by a single cert
(hope this indenting gets through and isn't wrapped..)
The useJNLPHref() function is from my patch in review here:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-February/017119.html
I believe this logic handles all the weird applet cases where they use
JNLPs. What do you think?
Cheers,
Danesh
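
The two conditions discussed in this message, compared side by side as an added example (not part of the original e-mail and not IcedTea-Web code). LaunchMode and its three flags are hypothetical stand-ins for getJNLPFile().isApplet(), instanceof PluginBridge and useJNLPHref(); it assumes isApplet() is true for every applet launch and that only plugin launches use a PluginBridge.

```java
// Added illustration: both conditions modelled as pure predicates so the
// launch modes where they disagree can be listed.
public class SignerCheckComparison {

    // Hypothetical model of how the applet/application was launched.
    enum LaunchMode {
        PLUGIN_APPLET_TAG(true, true, false),   // applet/embed tag, no jnlp_href
        PLUGIN_JNLP_HREF(true, true, true),     // plugin applet using jnlp_href
        JAVAWS_APPLET_DESC(true, false, false), // javaws with <applet-desc>
        JAVAWS_APPLICATION(false, false, false);

        final boolean isApplet;        // stands in for getJNLPFile().isApplet()
        final boolean viaPluginBridge; // stands in for instanceof PluginBridge
        final boolean useJnlpHref;     // stands in for useJNLPHref()

        LaunchMode(boolean isApplet, boolean viaPluginBridge, boolean useJnlpHref) {
            this.isApplet = isApplet;
            this.viaPluginBridge = viaPluginBridge;
            this.useJnlpHref = useJnlpHref;
        }
    }

    // Condition from the quoted patch.
    static boolean patchCondition(LaunchMode m, boolean anySigned, boolean singleCert) {
        return anySigned && (m.isApplet || (!m.isApplet && singleCert));
    }

    // Condition proposed in the reply.
    static boolean replyCondition(LaunchMode m, boolean anySigned, boolean singleCert) {
        return anySigned && ((m.viaPluginBridge && !m.useJnlpHref) || singleCert);
    }

    public static void main(String[] args) {
        // anySigned is held true; with no signed jar both conditions are false.
        for (LaunchMode m : LaunchMode.values()) {
            for (boolean singleCert : new boolean[] {true, false}) {
                boolean p = patchCondition(m, true, singleCert);
                boolean r = replyCondition(m, true, singleCert);
                System.out.printf("%-20s singleCert=%-5b patch=%-5b reply=%-5b%s%n",
                        m, singleCert, p, r, p != r ? "  <-- differs" : "");
            }
        }
    }
}
```

Under these assumptions the two conditions disagree only for PLUGIN_JNLP_HREF and JAVAWS_APPLET_DESC when the jars share no common signer: the patch's condition is true there and the reply's is false.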