[rfc][icedtea-web] Mixed-signing applet permissions (PR1592)

Andrew Azores aazores at redhat.com
Mon Dec 2 07:40:06 PST 2013 

On 11/28/2013 12:03 PM, Jiri Vanek wrote:
> (snip)
>
> ok, it sounds  excelent.
>   For changes you mention, I'm looking forward to new patch
>   for reproducer, please remake you dirty one reproducer as regullar 
> reproducer
>     - have one jar created via simple, and one via siged.
>     - in one of them have  jnlp and html files under sources
>     - you can adapt the calls between jars via args/params
>     - in one of them have testcase, which will lunch all the mentioned 
> cases (but commetn out @Test untill issue with dialogue is fixed)
>            - rember that test must have at least on @test method
>    - have comment both in both srcs, and in testcase, that those two 
> jars are connected
>    - adapt above to your feelings, this is just group of advices of 
> ill men :)
>
> Sorry for insisting :(
>   J

Attached is the new version of the patch. From last time:
1) "signing" became a three-valued enum
2a) a new method was added in the classloader to make showing the "not 
all signed" dialog a little cleaner
2b) the "not all signed" dialog will not appear when the security 
setting is "Low"
3) verifying single JAR was moved into JarCertVerifier

Tests are also included. Before the patch is applied, the 
"testSignedReadProperties" test should fail, and all the others should 
pass. Applying the patch should result in all tests passing.

ChangeLog:
Fix/new feature and tests for PR1592. Each JAR in partially signed 
applets is assigned
its own security level, rather than forcing the entire applet to run 
sandboxed.
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: 
(initializeResources)
each JAR in partially signed applets is assigned its own security 
descriptor.
(signing) changed to three-valued enum. (checkNotAllSignedWithUser) new 
method
* netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isJarSigned) 
new method
* 
tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java:
new tests for per-JAR applet security
* 
tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp: 
same
* 
tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html: 
same
* 
tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java: 
same

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: per-jar-applet-security.patch
Type: text/x-patch
Size: 12130 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20131202/535c48c5/per-jar-applet-security-0001.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: per-jar-applet-security-tests.patch
Type: text/x-patch
Size: 36327 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20131202/535c48c5/per-jar-applet-security-tests-0001.patch

More information about the distro-pkg-dev mailing list