Cannot set the right permissions for Firefox extension

Brian Fernandes brianvfernandes at gmail.com
Mon Jan 30 11:45:10 PST 2012


I have a Firefox extension, FireBible, which uses LiveConnect to access a
Java library, JSword. I use JSword to access biblical material (both text
and images) stored in the SWORD module form.
My extension can be found here: http://thegoan.com/firebible
JSword is here: www.crosswire.org/jsword/

My extension works fine with both Java 6 and Java 7 on Windows and Linux
(testing with Ubuntu 11.10), but only if I use the Oracle JVM. I'm having
issues using OpenJDK and the IcedTea web browser plugin; I hope someone is
able to help. I'm currently testing using Firefox 9, though this extension
works with Firefox 3 and above. I'm not sure exactly what IcedTea version
I'm using (it was installed this week) but an apt-cache "show" says
Source: icedtea-web (1.1.3-1ubuntu1)
Version: 6b21.1.3-1ubuntu1

My extension works by creating a URLClassloader with a few directories
containing .class files and a few JAR files which make up the JSword
distribution. From that loader, it loads and sets a policy which grants
*all permissions* to the classes loaded by my loader *only*, that is pretty
much the only way in which I can get my extension to work. AFAIK, this
technique was pioneered by the SIMILE extension, discussed here:
https://developer.mozilla.org/en/Java_in_Firefox_Extensions

With IcedTea, the first problem I encountered was
a) LiveConnectPermissionNeeded access denied (java.lang.RuntimePermission
createClassLoader)
when trying to create the URLClassLoader instance. I got around this by
adding the createClassLoader permission to the file like so.
permission java.lang.RuntimePermission "createClassLoader";

b) It now moved further, but failed because it could not load any of my
loose .class files
I fixed this by simply putting these files in a JAR instead (signing the
JAR was not required)

c) Even though I set the getPolicy, setPolicy and
setSecurityManager/createSecurityManager runtime permissions, I was *not*
being allowed to set the policy - it would fail with the following message.
Changing the SecurityManager is not allowed.

In fact, even using java.security.AllPermission (which I tried as a
debugging technique) would not fix it; I am still prevented from setting
the policy. As a result, the Java in Firefox technique described above
falls flat as my code does not run with required permissions. So I have to
skip the part where I set the policy entirely.

I tried adding a few more permissions but that just kept pushing the point
of failure further, bit by bit, until I hit a wall where some key class
would not get initialized. The exception with IcedTea is a single message
instead of a stack trace, simply stating the name of the class that could
not be initialized - unlike the Oracle plugin which I believe provides the
entire trace; I haven't yet tried to debug this, but it is just another
permission issue for sure.

d) Now, if I simply use AllPermission and do *not* set the policy, the
extension works completely. Obviously, I don't need to set any of the other
permissions now.

My problem is that I am setting the permission globally, in a simple grant
{} block, without any codeBase setting; obviously dangerous for the system.

Options:

1) Find a way in which I can set the security manager. This will give my
code the right permissions; however, it is still not clean as the user must
still set some initial permissions like createClassLoader in the policy
file. Is there a reason why this is prevented even when the permissions are
set? Note: With the Oracle plugin, changing the policy file is not required
at all.

2) Grant AllPermissions to my code, but use codeBase to restrict it to
my extension only. Here too, the user needs to modify the policy file but
needs to set only a single permission. I prefer this solution, but I'm
afraid I cannot find the right codeBase string.
The URLClassLoader is first created by *JavaScript* code running in my
extension; and this in turn will load the JARs. However, the code simply
breaks at this point because the createClassLoader permission is not being
set - because I do not seem to be using the right codeBase. Setting the
codeBase to the extension location does not seem to do it; probably
because codeBase is used to grant permissions to JAR files or .class files,
but not JavaScript files. I tried several other locations like the JRE lib
folder for instance, but nothing worked.

Can someone suggest the right codeBase string to be used here?

3) A technique is mentioned here:
https://bugzilla.redhat.com/show_bug.cgi?id=484387#c18

"We load this class manually out of our JAR file from JavaScript,
using the protected defineClass method of a URLClassLoader object (so
that we can load it as privileged)."

The links in this comment are unfortunately broken and I have been unable
to find the files anywhere online (even in the current version of their OO
integration extension). Also, the defineClass method is private and with
all the security already in place, I doubt I'd be able to change access.

4) A variation of the above where I set the createClassLoader permission
(again, because I don't know the right codeBase, I'll have to do this
globally - undesirable). Then load a special classloader which overrides
getPermissions(CodeSource) to grant all permissions to my JARs, which I
will load using this loader.

There are a significant number of users of this extension (~ 20K) but users
on Linux are having a hard time because of the JVM / browser plugin - the
problem is further exacerbated by the fact that the Oracle JVMs can no
longer be easily installed in Linux.

If this is the wrong forum for support of this kind, please let me know
where I should direct this message. Any assistance will be greatly
appreciated.

Best,
Brian.
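
Option 4 from the message, written out as an added example that is not part of the original post and is not FireBible or JSword code: a URLClassLoader subclass whose getPermissions(CodeSource) adds AllPermission only for an exact allowlist of JAR URLs, instead of a global grant {} block. The class name ScopedTrustClassLoader and the file paths are hypothetical, and creating the loader still requires the createClassLoader permission the message discusses.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.cert.Certificate;
import java.util.HashSet;
import java.util.Set;

// Hypothetical class name; not FireBible or JSword code.
public class ScopedTrustClassLoader extends URLClassLoader {
    // Compared as strings: URL.equals() may resolve host names.
    private final Set<String> trusted = new HashSet<String>();

    public ScopedTrustClassLoader(URL[] trustedJars, ClassLoader parent) {
        super(trustedJars, parent);
        for (URL jar : trustedJars) {
            trusted.add(jar.toExternalForm());
        }
    }

    // Called when a class is defined, to build its ProtectionDomain.
    @Override
    protected PermissionCollection getPermissions(CodeSource cs) {
        // Default grant: read access to the code source location only.
        PermissionCollection perms = super.getPermissions(cs);
        URL location = cs.getLocation();
        if (location != null && trusted.contains(location.toExternalForm())) {
            perms.add(new AllPermission()); // full trust, allowlisted JARs only
        }
        return perms;
    }

    // True if code from this location would receive AllPermission.
    boolean isFullyTrusted(URL location) {
        CodeSource cs = new CodeSource(location, (Certificate[]) null);
        return getPermissions(cs).implies(new AllPermission());
    }

    public static void main(String[] args) throws Exception {
        // Constructed paths, for illustration only.
        URL jsword = new URL("file:/opt/firebible/java/jsword.jar");
        URL other = new URL("file:/tmp/other.jar");
        ScopedTrustClassLoader loader = new ScopedTrustClassLoader(
                new URL[] { jsword }, ScopedTrustClassLoader.class.getClassLoader());
        System.out.println(jsword + " full trust: " + loader.isFullyTrusted(jsword));
        System.out.println(other + " full trust: " + loader.isFullyTrusted(other));
    }
}
```

The grant applies to the protection domain of classes this loader defines; an access check still considers every caller on the stack unless the trusted code wraps the operation in AccessController.doPrivileged.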


More information about the distro-pkg-dev mailing list