[Bug 1016] New: IcedTea-web sandboxes all jars in mixed unsigned jars + signed jars applets
bugzilla-daemon at icedtea.classpath.org
Mon May 28 08:27:29 PDT 2012
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1016
Priority: P3
Bug ID: 1016
CC: unassigned at icedtea.classpath.org
Assignee: ddadacha at redhat.com
Summary: IcedTea-web sandboxes all jars in mixed unsigned jars + signed jars applets
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: xerxes at zafena.se
URL: http://jogamp.org/deployment/jogamp-current/jogl-applet-runner-newt-gears-normal-napplet.html
Hardware: all
Status: NEW
Version: hg
Component: Plugin
Product: IcedTea-Web
http://jogamp.org/deployment/jogamp-current/jogl-applet-runner-newt-gears-normal-napplet.html
works using the proprietary plugin while icedtea-web sandboxes the whole
application.
When icedtea-web runs this applet then jcv.isFullySignedByASingleCert() ==
false at
http://icedtea.classpath.org/hg/icedtea-web/file/6df151bb5320/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java#l487
jcv.anyJarsSigned() on the other hand is true.
This sets the signing boolean to false and thus the whole application gets
SecurityDesc.SANDBOX_PERMISSIONS even for the signed jars.
Suggested fix is to relax the plugin and remove the
jcv.isFullySignedByASingleCert() check.
This applet expects to be able to let the unsigned sandboxed code call -> the
signed code -> runs AccessController.doPrivileged -> and then execute the
privileged actions according to:
http://www.oracle.com/technetwork/java/seccodeguide-139067.html#9-3
More information about the distro-pkg-dev
mailing list
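
In the call chain the report describes (unsigned code calls signed code, which calls AccessController.doPrivileged), the signed jar's entry points become the trust boundary, because doPrivileged stops the permission check at the signed code's own frame. The following is an added example, not code from the applet or from IcedTea-Web, showing that entry point in the shape the linked guideline warns about and in a validated form; the class name, the property allow-list and the `main` stand-in for the unsigned caller are assumptions. It compiles with a deprecation warning on JDK 17 and later.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical class packaged in the signed jar; all names here are illustrative. */
public final class SignedJarFacade {
    // Properties the signed code agrees to read for any caller (constructed list).
    private static final Set<String> READABLE =
            new HashSet<>(Arrays.asList("user.home", "java.io.tmpdir"));

    private SignedJarFacade() {}

    /** Risky shape: the unsigned caller decides what runs with the signed jar's permissions. */
    static String readAnyProperty(final String name) {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(name));
    }

    /** Safer shape: validate caller input first and keep the privileged block minimal. */
    public static String readProperty(final String name) {
        if (name == null || !READABLE.contains(name)) {
            throw new SecurityException("property not exposed to callers: " + name);
        }
        // Only this one call runs privileged; the frames of the unsigned
        // caller further down the stack are not consulted for it.
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(name));
    }

    // Stand-in for the unsigned applet code calling into the signed jar.
    public static void main(String[] args) {
        System.out.println(readProperty("user.home"));
        try {
            readProperty("user.name"); // not on the allow-list
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```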