[RFC][icedtea-web] Do not allow searching of jar manifest classpath if jnlp_href is being used

Jiri Vanek jvanek at redhat.com
Fri May 18 08:28:30 PDT 2012


On 05/17/2012 08:26 PM, Danesh Dadachanji wrote:
> Hi Jiri,
>
> Thanks for the review! Comments below
>
> On 17/05/12 05:50 AM, Jiri Vanek wrote:
>> On 05/17/2012 12:58 AM, Danesh Dadachanji wrote:
>>> Hi,
>>
>> I think this is ok, but a few hints:
>>
>>> Applets run by the plugin are allowed to specify classpaths in their jars' manifest files. IMO this
>>> is fine for applets run via specifying a main class but this is not okay if they are run via
>>> jnlp_href. When using a JNLP via javaws, you do not have access to the manifest's classpaths. I believe
>>> this is a property of JNLP files. Therefore, since jnlp_href points to a JNLP file to guide
>>> the launching and resource tracking, I propose we ignore classpaths when the plugin runs using
>>> jnlp_href.
>>>
>>> To note, the proprietary plugin allows classpath specified jars but I do not think this is correct
>>> behaviour.
>>
>> Although I agree with you, I'm afraid we have to follow the proprietary plugin wherever the specification
>> is not clear :-/. But I do not see this as a blocker for this changeset.
>
> I realize that the specification is not clear but regardless, I would rather we deviate from the proprietary
> plugin here. An app run from a JNLP is expected to have all its jars fully signed by 1 signer,
> right? Then it should not matter how we run this, be it through the plugin or from javaws. What do
> you think?

I agree

>
>> (eg this https://bugzilla.redhat.com/show_bug.cgi?id=816592 is a nice example of brutality allowed
>> in proprietary one:-/)
>
> Yeah I agree, that is quite horrible. :S
>
>>> FWIW I've run through all the regression tests, none of them use this so far.
>>
>> Please - tests!!! And if before the fix then best! I really would like to see reproducers before push.
>>
>
> Sorry, I did not realize we supported manifest entries! I am writing a test now but I've run into a
> problem. The plugin will search your current directory for jars by default (at least it was when I
> ran my test manually). So I would need to put the manifest classpath specified jar in a different
> dir than jnlp_test_server. Is this possible with our current engine? It can be a subdir even.

I'm afraid not. According to our IRC discussion feel free to enhance.

>
>>>
>>> Is this okay to push to HEAD, 1.2 and 1.1?
>> Are all three branches necessary? In this case I'm maybe just for head.. But 1.2 can live long
>> enough to have this too (and your next work needs this (?)).
>>>
>>> +2012-05-16 Danesh Dadachanji <ddadacha at redhat.com>
>>> +
>>> + Classpaths in jars' manifests are only considered when the applet is run
>>> + without using jnlp_href and a JNLP file.
>>> + * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (activateJars):
>>> + Add conditional check for use of jnlp_href.
>>> +
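Review bot: the entry lists only JNLPClassLoader.java (activateJars) and no reproducer, so the jnlp_href behaviour change is recorded without a test; add one that keeps the manifest Class-Path jar outside the applet's own directory and list it in this entry. The phrase "without using jnlp_href and a JNLP file" in the first sentence can also be read two ways; "only when the applet is not launched via jnlp_href" would be unambiguous.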
>>>
>>> There are no differences in the patches between HEAD, 1.2 and 1.1 so I've only attached one.
>>>
>>> Cheers,
>>> Danesh
>>>
>>> PS: this patch is dependent on this backport[1] going into 1.1.
>>>
>>> [1] http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-May/018533.html
>>
>> Thanx a lot and sorry for sitting on tests :((
>
> The more tests the better!
>
> Cheers,
> Danesh
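
Added example (not part of the thread and not IcedTea-Web code): a small audit helper that reads a jar's manifest `Class-Path` attribute, including wrapped continuation lines, and reports which entries an applet would lose if manifest classpaths were ignored under jnlp_href as proposed above. The function names, the sample jar and the set of JNLP-declared jars are assumptions constructed for illustration.

```python
import io
import zipfile

def main_attributes(manifest: bytes) -> dict:
    """Main-section attributes of a MANIFEST.MF, with continuation lines joined."""
    text = manifest.decode("utf-8", errors="replace")
    logical = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # a leading space continues the previous line
        elif raw == "":
            if logical:
                break                       # first blank line ends the main section
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name.lower()] = value     # attribute names are case-insensitive
    return attrs

def manifest_classpath(jar_bytes: bytes) -> list:
    """Relative URLs listed in the jar's Class-Path attribute (empty if none)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return []
        data = jar.read("META-INF/MANIFEST.MF")
    return main_attributes(data).get("class-path", "").split()

def dropped_by_jnlp_href(jar_bytes, jnlp_declared, uses_jnlp_href):
    """Manifest Class-Path jars that would no longer load under the proposed rule."""
    if not uses_jnlp_href:
        return []                           # plain applet launch: manifest classpath still used
    return [e for e in manifest_classpath(jar_bytes) if e not in jnlp_declared]

def build_sample_jar() -> bytes:
    """Constructed sample: a jar whose Class-Path wraps onto a continuation line."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Class-Path: lib/helper.jar lib/long-name-that-wr\r\n"
                " aps.jar\r\n"
                "\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(dropped_by_jnlp_href(build_sample_jar(), {"lib/helper.jar"}, True))
```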




More information about the distro-pkg-dev mailing list