[icedtea-web] "Not All Signed" dialog and low-security setting
Jiri Vanek
jvanek at redhat.com
Mon Dec 9 03:54:08 PST 2013
On 12/05/2013 08:06 PM, Andrew Azores wrote:
> On 12/04/2013 11:32 AM, Jiri Vanek wrote:
>> On 12/03/2013 10:36 PM, Andrew Azores wrote:
>>> On 12/03/2013 11:04 AM, Jiri Vanek wrote:
>>>>
>>
>>
>> Wou!
>>
>> Thanx for quick and elegant patch!
>>
>> First - one clarification - as is "not all signed" pushed now, it rquires both "not all signed"
>> and "unsigned application wonts run" dialogs needs to be approved. You mentioned yesterday on IRC
>> (sorry if I do not remeber it correctly or misunderstood)
>>
>> After this patch, only one dialogue needs to be agreed.
>
> Correct, this is the idea.
>
>>
>> one "before review" conclusion - this will need to be split into two aptch - refactoring of
>> current, and new dialogue built on top of it.
>> Please try to add as much unittests as possible during both refractoring, and new dialogue
>> implemntation. Also thre seems to be more then one refactoring - the class abstraction and changed
>> constructo from (file) to (void)
>
> Changed constructor? Which? Do you mean the checkNotAllSignedWithUser() method?
>
yes
>>
>> hmm - do you know that your test applets run via jnlp do not close properly? Please fix...
>
> Sent this fix in a separate thread.
I had to missed it, may you resent or point me to?
>
>>
>> General thoughts now, few comments in-line later:
>>
>> What I like - reused dialogue code, shared "database" with unsigned, different icons, "diffferent"
>> text (so really elegant :)
>>
>> What I'm not sure (but tbh I.m not sure why I'm not sure) - reused database with unsigned - it is
>> sightly different thing, but on the otherisde why reimplemnt wheel? On third side, why not to have
>> specific config file? on thirrd side, why yes?. Dialogues are to similar... (yes, really nitpick
>> :) .... the icon is probably enough.. but... The "new" dialogue need to show signature
>> informations (as signed app dialogue do)
>
> I'll add in the signature information. Other than that, well, the dialogs are so similar on purpose.
ooook
> It's nice to have visual consistency between security dialogs - making them look different just
> because they are appearing for different reasons is a very, very bad reason to make them look
> different. Sharing the code allows them to always have the exact same general layout, same button
> labels, same checkboxes for remembering the applet/codebase, same keyboard shortcuts, etc. The only
> other way to achieve this is to simply copy/paste the code rather than refactoring it to be designed
> for subclassing, or to design a whole new dialog box for this purpose, which I don't see the point of.
Yes I agree with you. Especially on visual part of dialogue.
What I' partially (50/50 :) afraid of are some parts of shared logic.
Do you wont to revisit other dialogues as well?? Or maybe just some of them O:)
I'm mostly joking. It will need some analyse which are so wrong, that they should be replaced, and
some must not be replaced... (Especially the "remember" is handled in various waus)
>
>>
>> one serious bug - jnlp app with mixed permissions do not ask for permissions (no matter on
>> -Xtrustall) - both with old dialogue and new dialogue (am I missing something?)
>
> The PR1592 fix also only affects applets - I asked if we wanted it to work for both JNLP and plugin
> applets but I didn't hear anything, so it got left as applets only. If we want it to be effective
> for JNLP as well then that patch will need to be revised, and so will this one.
http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html
so yes. (as separate changesets of course)
and . . . - how are we with
http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#manifest ?
>
>>
>>
>>>> This seems to be included in current version of "Re: [rfc][icedtea-web] Mixed-signing applet
>>>> permissions (PR1592)" however seems to be not working.
>>>>
>>>> As you suggested - the "not signed app is running" dialogue should not be showing - but is.
>>>> However - this still needs some tweaking:
>>>> the "only part of application is signed" dialogue is really dummy - information of
>>>> codebases/page pase (both for signed and unsigned part), signature details... run, run in sandbox,
>>>> not run, remember decsission and so on are missing. Those information are critical for user to be
>>>> able to decide.
>>>> After "Re: [rfc][icedtea-web] Mixed-signing applet permissions (PR1592)" is in (as I'm going to
>>>> aprove it now) this dialogue tweeking will be blocker of 1.5 release, as it needs to be done right.
>>>>
>>>> J.
>>>
>>> This patch doesn't yet take into account the "run in sandbox" action button, but it does give a
>>> dedicated "Partially Signed" dialog, as opposed to stacking the "Unsigned" confirmation with the
>>> "not all signed" warning. The "not all signed" warning is no longer displayed when JARs with partial
>>> signing are discovered. Instead, the new "Partially Signed" dialog should appear in the same manner
>>> the "Unsigned" dialog does. The "not all signed" warning is still displayed when an applet's JARs
>>> are all signed but its main-class is external.
>>>
>>> The major change here is that the UnsignedAppletTrustWarningPanel became the AppletTrustWarningPanel
>>> and was made abstract. Two new concrete implementations extend it - UnsignedAppletTrustWarningPanel,
>>> and PartiallySignedAppletTrustWarningPanel. The two dialogs are mostly identical, the differences
>>> just being in the text they contain and the icons they display. The Unsigned variant is identical in
>>> appearance and function to how it was before the patch.
>>>
>>> Other than this, the changes are generally minor additions to support this addition elsewhere in the
>>> codebase, ie mirroring how the Extended Applet Security stuff deals with the Unsigned variant.
>>>
>>
>> the codebase regexes and y,Y,n, N and so are honored, yes?
>>
>> - as above. On one side I agree, on second, it si partially confusing. But as longer I look into
>> it, more I like it.
>
> Everything should be the same - I haven't changed anything at all in the functionality of the
> dialog. It just got made abstract and now has four abstract methods in use rather than four
> constants for defining some of its content.
>>
>>
>>> This new dialog also doesn't obey the Extended Applet Security setting, so it will appear even if
>>> you have security set to Low. So those plugin applet tests from PR1592 can't be enabled yet.
>>
>> yes this is important.
>>
>>>
>>> ChangeLog:
>>> Introduce new Partially Signed security confirmation dialog.
>>> * netx/net/sourceforge/jnlp/resources/Messages.properties: (SPartiallySignedDetail) new message
>>> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: (createInstance) invoke
>>> PartiallySignedAppletTrustWarning when appropriate. (initializeResources) do not show old "Not All
>>> Signed" warning for partially signed applets. (checkNotAllSignedWithUser) removed unneeded param
>>> * netx/net/sourceforge/jnlp/security/SecurityDialog.java: (initDialog, installPanel) handle new
>>> PARTIALLY_SIGNED_WARNING DialogType
>>> * netx/net/sourceforge/jnlp/security/SecurityDialogs.java: (DialogType) added
>>> PARTIALLY_SIGNED_WARNING. (UnsignedWarningAction) renamed to TrustWarningAction.
>>> (showPartiallySignedWarningDialog) new method
>>> * netx/net/sourceforge/jnlp/security/UnsignedAppletTrustWarningDialog.java: use TrustWarningAction
>>> * netx/net/sourceforge/jnlp/security/UnsignedAppletTrustWarningPanel.java: mostly moved into new
>>> AppletTrustWarningPanel class, which it now extends.
>>> * netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java:
>>> new class
>>> * netx/net/sourceforge/jnlp/security/AppletTrustWarningPanel.java: new abstract parent class for
>>> UnsignedAppletTrustWarningPanel and PartiallySignedAppletTrustWarningPanel.
>>> * netx/net/sourceforge/jnlp/security/PartiallySignedAppletTrustWarningDialog.java: new class
>>> * netx/net/sourceforge/jnlp/security/PartiallySignedAppletTrustWarningPanel.java: new class
>>>
>>> Thanks,
>>>
>>> --
>>> Andrew A
>>>
>>>
>>> partially-signed-dialog.patch
>>>
>>>
>>> diff --git a/netx/net/sourceforge/jnlp/resources/Messages.properties
>>> b/netx/net/sourceforge/jnlp/resources/Messages.properties
>>> --- a/netx/net/sourceforge/jnlp/resources/Messages.properties
>>> +++ b/netx/net/sourceforge/jnlp/resources/Messages.properties
>>> @@ -247,6 +247,7 @@
>>> SUnsignedQuestion=Allow the applet to run?
>>> SNotAllSignedSummary=Only parts of this application code are signed.
>>> SNotAllSignedDetail=This application contains both signed and unsigned code. While signed code
>>> is safe if you trust the provider, unsigned code may imply code outside of the trusted provider's
>>> control.
>>> +SPartiallySignedDetail=An application from the following location wants to
>>> run:<br> <u>{0}</u><br>The page which made the request
>>> was:<br> <u>{1}</u><br><br><b>This application contains both signed and unsigned code.
>>> While signed code is safe if you trust the provider, unsigned code may imply code outside of the
>>> trusted provider's control.
>>> SNotAllSignedQuestion=Do you wish to proceed and run this application anyway?
>>> SAuthenticationPrompt=The {0} server at {1} is requesting authentication. It says "{2}"
>>> SJNLPFileIsNotSigned=This application contains a digital signature in which the launching JNLP
>>> file is not signed.
>>> diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>>> b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>>> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>>> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>>> @@ -387,8 +387,13 @@
>>> // If security level is 'high' or greater, we must check if the user allows unsigned
>>> applets
>>> // when the JNLPClassLoader is created. We do so here, because doing so in the constructor
>>> // causes unwanted side-effects for some applets
>>> - if (!loader.getSigning() && file instanceof PluginBridge) {
>>> - UnsignedAppletTrustConfirmation.checkUnsignedWithUserIfRequired((PluginBridge)file);
>>> + if (file instanceof PluginBridge) {
>>> + PluginBridge pluginFile = (PluginBridge) file;
>>> + if (loader.getSigningState() == SigningState.NONE) {
>>> + UnsignedAppletTrustConfirmation.checkUnsignedWithUserIfRequired(pluginFile);
>>> + } else if (loader.getSigningState() == SigningState.PARTIAL) {
>>> + UnsignedAppletTrustConfirmation.checkPartiallySignedWithUserIfRequired(pluginFile);
>>> + }
>>
>>
>> This do not seem ok - you are asking all applets to checkUnsignedWithUserIfRequired and all other
>> checkPartiallySignedWithUserIfRequired - You should checkPartiallySignedWithUserIfRequired for
>> both, when partial signing detected. And applet for checkUnsignedWithUserIfRequired if no
>> signature detected.
>
> As above, I can make it apply to both, but here in particular it will require some work since the
> existing extended applet security stuff is built with only PluginBridge in mind, not JNLPFile.
as above. Some action sis needed. At least the mixed code should not be run or user should be warned.
It looks like you have an task for rest of your internship - this, and policies :)
>
>>> }
...
>>> +public abstract class AppletTrustWarningPanel extends JPanel {
>>
>> As not all signed is shared also for jnlp, so better naame perhaps?
>> Maybe we can slowly migrate more dialogues to this style.
>
> "AppTrustWarningPanel" then, so it could be either applet or application? But if you're worried
> about naming, what about JNLPClassLoader? :)
tsss :)
>
>>
>> But even now, I'm already thinking about "show more" refactoring. (yes hlpcrypto;s motivation :) )
>>
>> Also need of javadoc rised:(
>
> What documentation do you want here? I've added a little comment to it stating that its purpose is
> to provide common functionality and layout for warning dialogs, and gave the example of the unsigned
> and partially signed ones, which will be the only two concrete implementations at the time this
> patch is pushed. Anything else?
Genraly all public methods and protected methods should have javadoc. You Transfroemd class to
absract class. A lot of javadoc is needed so one cen easily extend it.
Especially when the forefather is saving/laoding files.
>
>>
>>> +
>>> + /*
...
>>> +
>>
>> This was in original class? Pelase fix. No need to create new classlaoder...
>
> Yes, I didn't really do any actual coding with this "refactor" step, it's just changing the class
> name and introducing the four abstract methods, really. Anyway, I've got a fix for this, which will
> come in the patch later on.
>
>>
>>> + protected abstract String getTopLabelTextKey();
>>> +
>>> + private void setupTopPanel() {
>>> + final String topLabelText = R(getTopLabelTextKey());
>>> +
>>> + JLabel topLabel = new JLabel(htmlWrap(topLabelText), infoImage(),
>>> + SwingConstants.LEFT);
>>> + topLabel.setFont(new Font(topLabel.getFont().toString(), Font.BOLD, 12));
>>> +
>>> + JPanel topPanel = new JPanel(new BorderLayout());
>>> + topPanel.setBackground(Color.WHITE);
>>> + topPanel.add(topLabel, BorderLayout.CENTER);
>>> + topPanel.setPreferredSize(new Dimension(PANE_WIDTH, TOP_PANEL_HEIGHT));
>>> + topPanel.setBorder(BorderFactory.createEmptyBorder(10, 10, 10, 10));
>>> +
>>> + add(topPanel);
>>> + }
>>> +
>> pls gather abstract methods together
>
> Sure.
>
>>
>>> + protected abstract String getInfoLabelTextKey();
>>> +
>>> + private void setupInfoPanel() {
>>> + String infoLabelText = R(getInfoLabelTextKey(), file.getCodeBase(),
...
>>> +public class PartiallySignedAppletTrustWarningDialog extends SecurityDialogPanel {
>>> +
>>> + public PartiallySignedAppletTrustWarningDialog(SecurityDialog x, PluginBridge file) {
>>> + super(x);
>>
>>
>> x? :)
>
> I've renamed this. Again, that's already how it was, I just copied the file.
I know, thanks.
>
>>
>>> +
>>> + add(new PartiallySignedAppletTrustWarningPanel(file,
...
>>> +
>>> +import net.sourceforge.jnlp.PluginBridge;
>>> +
>>> +public class PartiallySignedAppletTrustWarningPanel extends AppletTrustWarningPanel {
>>> +
>>
>> please Override annotations!!
>
> Ah yes, good call.
>
>>
>>> + public PartiallySignedAppletTrustWarningPanel(PluginBridge file, ActionChoiceListener
>>> actionChoiceListener) {
>>> + super(file, actionChoiceListener);
...
>>> UNSIGNED_WARNING, /* requires confirmation with 'high-security' setting */
>>> + PARTIALLY_SIGNED_WARNING,
>>
>> this was not used with old dialogue? how come?
>
> I'm not sure what you mean. "Old dialogue" as in the crummy little "only some JARs are signed"
> prompt with only two buttons, no ability to remember, no codebase information, etc.? It has its own
> type, "NOTALLSIGNED_WARNING", which you can see there. Since that dialog still exists and isn't
> really the same one as this new dialog, I've given the new one its own DialogType.
Do the dialogue exist?? And Is used? Should be????
Probably just new one should remain, and then it should(?) reuse old constant. Or not?
>
>>
>>
>>> APPLET_WARNING,
>>> AUTHENTICATION,
>>> }
....
>>
>>>> + }
>>>> +
>>>> + protected String getInfoImageLocation() {
>>>> + return "net/sourceforge/jnlp/resources/warning.png";
>>>> + }
>>
>> maybe to enhance the api to take not string, but already loaded icon?
>
> Sure.
>
>>>> +
>>>> + protected String getTopLabelTextKey() {
>>>> + return "SNotAllSignedSummary";
>>>> + }
>>>> +
>>>> + protected String getInfoLabelTextKey() {
>>>> + return "SPartiallySignedDetail";
>>>> + }
>>>> +
>>>> + protected String getQuestionPanelKey() {
>>>> + return "SNotAllSignedQuestion";
>>>> + }
>>
>> I'm a bit unhappy about ^ solution. It is not versatile, nor clear enough. A bit better apporach
>> is needed.
>>
>> I vould vote for setSomeTExt(String s) setAnotherText(String s)... With some utility method in
>> abstract class to help with it and so not duplicate code...(possible also for icon)
>>
>> Again - unittests will be needed.
>
> I'm not sure how I'm supposed to use a setSomeText(String) method. Do you want the parent class to
> have a new field for each of these configurable contents, and then have the child classes simply set
> the field for their own needs? This is not enforceable the same way abstract methods are, so you can
> end up with a subclass that fails due to NPEs or something much more easily. Not only that but this
> also means that when you call super() in the child class' constructor, and it goes about setting
> itself up, we need to simply set some kind of meaningless default value to each of the fields, until
> the subclass constructor can go ahead and change those values back to something actually meaningful
> - or else runtime exceptions are thrown and our dialog freezes the browser.
>
> What do you want unit tested here? I can make unit tests simply to assert that the child classes
> actually return data with their implementations of the abstract methods, ie assertNotNull, or assert
> that the Messages keys they use don't result in NoResourceFound or similar. But I'm not sure what
> else can really be unit tested with these changes.
>
any test is wonted. Especially when you refactor. You don't like them to much do you?
Remember that after your work is done, someone else will maintain it. And by some chage he can
trigger chain of events original author (you) had in mind, but did not forwarded (as it not possible
to do so)
Please try to cover as much code as possible.
I know that it is really had and slow... delaying from more fun coding, and I donot insist
everywhere. But try to find some places for it.
When you wont an direct example - in your approach you are forcing other person, extending your
abstract dialogue,to fill "String infoLabelText = R(getInfoLabelTextKey(), file.getCodeBase(),
file.getSourceLocation())" request. The mehtod using this call is private. So ouor "the person" will
not read it, and javadoc do not mention it. So the "key" have to consists of {0} and {1} or it do
not have sense. But :
- it is not documented
- no unittest is guarding it
- you are requesting it
Another case is that some keys are expected to be html...
You can do such evil stuff in private stuff, but not in classes someone will extend.
Copy?
As for possible other approach:
You can have abstract methods like getInfoLabelText, getTopLabelText, getQuestionPanelText.
Those can be created via static methods based on key, adding parameters, htmlize... And whole chain
can be tested.
Yes, this is dummy logic, but can serve as example of common errors.
> On 12/04/2013 11:53 AM, Jiri Vanek wrote:
>> On 12/04/2013 05:45 PM, Jiri Vanek wrote:
>>> forgot a thing, If you may inline it in answer to previous reply, it would be nice.
>>>
>>>>> + }
>>
>> One more - what happend with old nott all signed dialogue? If it is not used any more, it shold
>> be removed...
>>
>
> This new dialog is shown when the JNLPClassLoader determines that the app(let|lication) has only a
> partially signed set of JARs. This happens somewhere along the line when the classloader is
> instantiated. However, it doesn't know, and can't easily know, about external main-classes at this
> time. So the old dialog has still been retained and will appear in the event of an external
> main-class being found in an applet that was initially believed to have been fully signed.
>
> Thanks,
>
More information about the distro-pkg-dev
mailing list