[fyi][icedtea-web] backend and itw-settings for extended applets security
Jiri Vanek
jvanek at redhat.com
Thu Feb 14 08:30:58 PST 2013
On 02/06/2013 12:22 AM, Omair Majid wrote:
> Hi Jiri,
>
> On 02/03/2013 07:08 AM, Jiri Vanek wrote:
>> Whole troubles are described here
>> http://icedtea.classpath.org/wiki/Extended_Applets_Security rather
>> then in plain email.
>
> Thanks for adding this to the wiki. I have a few thoughts and some
> questions.
>
> Would it be clearer if "Extra High Security" was renamed to "Disable All
> Applets"?
Adam recently wrote this sentence: IMO Extra High Security is better here as simply 'Disable
Applets'. It is a bit odd to say you're securing Java by turning it off.
I'm not sure if he mean the same or oposite:)
My vote is for Extra High Security - fact that it disables runtime of all applets (not JVM at all)
is in easily accessible description of the item.
>
> For matching, I think it might be good to follow the same rule that is
> used to decide whether to share classloaders between applets.
Disagree. The BackEnd is supposed to be much more versatile. Especially because thsoe are simple
changes now, but quite huge changes if they will be (not thought about now) added later
What we agreed to do is to match groups of applets.
The most strict match is what you suggested - it the id of applet. It will be implemented in first
iteration. (just maybe with minor enhancements)
In second iteration should be possibility to blacklist/whitelist wider groups of applets at once.
eg by page, by url, by codebase, ....
I think that it is explaining also the following question of yours
>
> What's the motivation behind keeping codebase and document-bases as regexes?
>
eg N 123456 \Qhttp://localhost:123456/evilPage.html\E null null null will disable all applets on
exact url
eg A 123456 .*\Qlocalhost\E.* null null null will enable all other applets on local machine
without asking
You have later in email asked for \Q \E filtering. As \Qurl\E regex will be used for exact match
matching, then it will be probably most spread pattern in config file. For simple user who will just
check the table it can be confusing. So it is filtered in default view. However, there is checkbox
to disable this filtering in gui.
>> There is what me and adam have already achieved on this topic, what we
>> have o achieve and where we are stil not so sure....
>>
>> This patch is containing itw-settings part and backend for manipulating
>> stored entries.and basic matching.
>> I noted this just [fyi] because adam ave already walked through the
>> patch, and so have I across his part. So the patch should be ready for
>> push unless someone find something malicious on
>> implementation or even on design.
>
> Some comments/questions and suggestions below.
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/AppletExtendedSecurity.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/AppletExtendedSecurity.java Fri Feb 01 20:55:48 2013 +0100
>
> Hm... I would have expected this to be for the plugin. Why netx?
>
> If it's in netx, why not the existing net/sourceforge/jnlp/security package?
>
>> @@ -0,0 +1,84 @@
>> +/*
>> +Copyright (C) 2013 Red Hat
>> +
>> +This program is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2 of the License, or
>> +(at your option) any later version.
>> +
>> +This program is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with this program; if not, write to the Free Software
>> +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> +*/
>
> We generally use GPL+Classpath exception license (see [1] for an
> example). Is there a specific reason for using the GPL? This same issue
> is with other classes too.
Sorry, wrong source for copypaste of all headers!
Should be fixed now.
>
>> +public class AppletExtendedSecurity {
>
> To me this name sounds like it extends another class (the existing
> AppletSecurity class, even). Maybe call it something else, like
> AppletStartupSecuritySettings? (not a great name either, but slightly
> more descriptive)
Adam's name :P
Now it is your name :)
>
> Any reason for making this class mostly static? I would prefer it if was
> instantiated. Maybe JNLPRuntime can be used to obtain an instance of this?
Actually not, but it will complicate moving of this to plugin.
As I have preferred moving of this class to plugin, and agree with singleton, I made it singleton in
itself and in plugin.
>
>> + public static AppletSecurityLevel getDefaultSecurityLevel(){
>> + return AppletSecurityLevel.getDefault();
>> + }
>
> I am trying to see what is the advantage of this method, but I am having
> trouble.
This trouble should serve as bottleneck to access it implementations.
One can have troubles to found where hardoced default is placed (and it is imho in only right place)
So this method is shortcut to it.
The default is needed for case (after update to icedtea with this feture!!) that
deployment.security.level is not specified in settings.
If your point is that getCustomSecurityLevel is already falling back to default security then your
point is valid. Renamed to getHardcodedDefaultSecurityLevel to make it clear.
>
>> + /**
>> + *
>> + * @return user-set seurity level or default one if user-set do not exists
>> + */
>> + public static AppletSecurityLevel getCustomSecurityLevel(){
>> + DeploymentConfiguration conf = JNLPRuntime.getConfiguration();
>> + if (conf==null){
>> + conf = new DeploymentConfiguration();
>> + try {
>> + conf.load();
>> + } catch (ConfigurationException ex){
>> + ex.printStackTrace();
>> + return getDefaultSecurityLevel();
>> + }
>> + }
>
> I think it would be much more robust if this method threw an exception
> instead of instantiating a new DeploymentConfiguration object. I would
> so far as to require a DeploymentConfiguration parameter in the constructor.
Agree.Fallback removed
>
>> + String s = conf.getProperty(DeploymentConfiguration.KEY_SECURITY_LEVEL);
>> + if (s==null) {
>> + return getDefaultSecurityLevel();
>> + }
>> + return AppletSecurityLevel.fromString(s);
>> + }
>
> There are two methods that use the word 'custom' in the name. But moth
> mean different things.
>
> I would prefer it if both methods were renamed (custom is not a very
> descriptive term):
Actually it was. There were two black/whitelists - global (stored in etc) and custom (stored in
home). The name of the method was indicating that this proeperty is read from config file (not
black/white list). But I agree it was confusing (as t can not be read from somewhere else). Renamed
to getSecurityLevel
>
> getUnsignedAppletActionCustomStorage -> getUnsignedAppletActionUserStorage
>
> getCustomSecurityLevel -> getCurrentSecurityLevel
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/AppletSecurityLevel.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/AppletSecurityLevel.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public enum AppletSecurityLevel {
>> +
>> + DENY_ALL, DENY_UNSIGNED, ASK_UNSIGNED, ALLOW_UNSIGNED;
>> +
>> + public static String allToString() {
>> + return DENY_ALL.toChars()+" "+DENY_UNSIGNED.toChars()+" "+ASK_UNSIGNED.toChars()+" "+ALLOW_UNSIGNED.toChars();
>> + }
>
> If you just need this for debugging, try:
> Arrays.toString(AppletSecurityLevel.values())
just partially - it is used in ValueValidator for AppletSecurityLevel to print out possible values.
I would rather to keep this under human control.
>
> And you wont have to change this code if you add another enum value.
>
>> + public String toChars() {
>> + switch (this) {
>> + case DENY_ALL:
>> + return " DENY_ALL";
>> + case DENY_UNSIGNED:
>> + return "DENY_UNSIGNED";
>> + case ASK_UNSIGNED:
>> + return "ASK_UNSIGNED";
>> + case ALLOW_UNSIGNED:
>> + return "ALLOW_UNSIGNED";
>> + }
>> + throw new RuntimeException("Unknown AppletSecurityLevel");
>> + }
>
> I think you can replace this with the name() method of the enum (unless
> you really want the space in the beginning of DENY_ALL):
>
> DENY_ALL.name().
I can see I had an hole in my enum knowledge. So much wasted keyboards hits! Thanks for enlightenment!
>
>> + public static AppletSecurityLevel fromString(String s) {
>> + if (s.trim().equalsIgnoreCase("DENY_ALL")) {
>> + return AppletSecurityLevel.DENY_ALL;
>> + } else if (s.trim().equalsIgnoreCase("DENY_UNSIGNED")) {
>> + return AppletSecurityLevel.DENY_UNSIGNED;
>> + } else if (s.trim().equalsIgnoreCase("ASK_UNSIGNED")) {
>> + return AppletSecurityLevel.ASK_UNSIGNED;
>> + } else if (s.trim().equalsIgnoreCase("ALLOW_UNSIGNED")) {
>> + return AppletSecurityLevel.ALLOW_UNSIGNED;
>> + } else {
>> + throw new RuntimeException("Unknown AppletSecurityLevel for " + s);
>> + }
>> + }
>
> AppletSecurityLevel.valueOf(String.toUpperCase()) does what fromString
> does, I think.
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/UnsignedAppletAction.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/UnsignedAppletAction.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public enum UnsignedAppletAction {
>
> Maybe call it ExecuteUnsignedApplet?
Adam's aname again :P
Now it will be yours name :P
>
>> + ALWAYS, NEVER, YES, NO;
>> +
>> + public String toChar() {
>> + switch (this) {
>> + case ALWAYS:
>> + return "A";
>> + case NEVER:
>> + return "N";
>> + case YES:
>> + return "y";
>> + case NO:
>> + return "n";
>> + }
>> + throw new RuntimeException("Unknown UnsignedAppletAction");
>> + }
>> +
>
> I think name() already does this.
I would rather stay with the one char convention here
>
>> + public String toExplanation() {
>> + switch (this) {
>> + case ALWAYS:
>> + return Translator.R("APPEXTSECunsignedAppletActionAlways");
>> + case NEVER:
>> + return Translator.R("APPEXTSECunsignedAppletActionNever");
>> + case YES:
>> + return Translator.R("APPEXTSECunsignedAppletActionYes");
>> + case NO:
>> + return Translator.R("APPEXTSECunsignedAppletActionNo");
>> + }
>> + throw new RuntimeException("Unknown UnsignedAppletAction");
>> + }
>
> Do you expect the explanation to be visible to the user? Maybe it
> belongs with the rest of the UI, not in here with the logic. Just
> something to think about.
Yes, explanation is visible to user, but I see no reason why to move it it from here.
This is also used in to string. If I will remove it from here then I will duplicate effort elsewhere.
It is used in itw-settings in comobox, and will be probably used Adam's click and play
implementation (somehow).
Probably the best solution will be to crate custom model for both those comboboxes, But imho Adam
will not have combobox, but set of check boxes and radioboxes. So I would rather stay with this
simple solution.
>> + public static UnsignedAppletAction fromString(String s) {
>> + if (s.startsWith("A")) {
>> + return UnsignedAppletAction.ALWAYS;
>> + } else if (s.startsWith("N")) {
>> + return UnsignedAppletAction.NEVER;
>> + } else if (s.startsWith("y")) {
>> + return UnsignedAppletAction.YES;
>> + } else if (s.startsWith("n")) {
>> + return UnsignedAppletAction.NO;
>> + } else {
>> + throw new RuntimeException("Unknown UnsignedAppletAction for " + s);
>> + }
>> + }
>
> Maybe use Enum.valueOf() can replace this fromString method.
I would rather stay with the one char convention again
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/UnsignedAppletActionEntry.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/UnsignedAppletActionEntry.java Fri Feb 01 20:55:48 2013 +0100
>
>> + @Override
>> + public String toString() {
>> + return unsignedAppletAction.toChar() +
>> + " " + ((timeStamp == null)?"1":timeStamp.getTime()) +
>> + " " + ((documentBase == null)?"":documentBase.getRegEx()) +
>> + " " + ((codeBase == null)?"":codeBase.getRegEx()) +
>> + " " + ((mainClass == null)?"":mainClass) +
>> + " " + createArchivesString(archives);
>> +
>> + }
>> +
>> + public void write(Writer bw) throws IOException {
>> + bw.write(this.toString());
>> + }
>
> This may not be a good idea. toString() is generally meant for humans to
> read, not for machines:
>
> * Returns a string representation of the object. In general, the
> * {@code toString} method returns a string that
> * "textually represents" this object. The result should
> * be a concise but informative representation that is easy for a
> * person to read.
Well - iirc, toString was in prehistoric java used for debugging purposes only. Swing have missuesd
it in default models, and since this its purpose is mingled ;(
My toString here is not breaking any of this idioms. It is returning output readable to humans,
usable also as debug message (thats why there are the null checks). My missuse here is write method.
But while toString and write are ok with same output, I would like to avoid duplicate/unnecessary code.
>
> I would encourage you to serialize the data for writing to a file in
> write(), but only serialize it for debugging/display in toString().
Not sure what you mean here - yo mean to do it vice versa? or to have some method called by both of
those implementations? (done for case of some minor change)
>
>> + public static String createArchivesString(List<String> listOfArchives) {
>> + if (listOfArchives == null){
>> + return "";
>> + }
>> + StringBuilder sb = new StringBuilder();
>> + for (int i = 0; i < listOfArchives.size(); i++) {
>> + String string = listOfArchives.get(i);
>
> As a sanity check, maybe you can check that the input string does not
> contain any semicolons? I ran into a URL last week that had a semicolon :(
Why? I was living in universe when archives will bne delivered as relative paths -
jar1.jar;jar2.jar;some/hidden.jar
But if there is supposed to be whole url of jar, than this wil need rethinking and do need Adams
opinions also here
To bad discover that my universe was the wrong one :)
>
>> + if (string.trim().isEmpty()){
>> + continue;
>> + }
>> + sb.append(string).append(";");
>> + }
>> + return sb.toString();
>
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/UnsignedAppletActionStorage.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/UnsignedAppletActionStorage.java Fri Feb 01 20:55:48 2013 +0100
>> @@ -0,0 +1,106 @@
>> +/*
>> +Copyright (C) 2013 Red Hat
>> +
>> +This program is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2 of the License, or
>> +(at your option) any later version.
>> +
>> +This program is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with this program; if not, write to the Free Software
>> +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> +*//*
>> +Copyright (C) 2013 Red Hat
>> +
>> +This program is free software; you can redistribute it and/or modify
>> +it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation; either version 2 of the License, or
>> +(at your option) any later version.
>> +
>> +This program is distributed in the hope that it will be useful, but
>> +WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with this program; if not, write to the Free Software
>> +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> +*/
>
> This file has 2 licenses.
>
Hidden the second was! You have eyes as an eagle (considering also the space in enum.toChar!)
My respect!
>> +/**
>> + *
>> + * @author jvanek
>> + */
>
> Javadocs on what this class does would be nice to have.
hmm.. methods are documeted behind the avarage level-f-documentation-in-ITW :)
oook, something added. And pssst!
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/UrlRegEx.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/UrlRegEx.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public class UrlRegEx {
>
> I don't follow the motivation for having this class.
:))
Well, we can probably live with plain string, but I would like to cleanly and loudly say that it is
specialised string.
And so to determine string with this specialisation immediately.
>
>> + public String getFilteredRegEx() {
>> + return regEx.replaceAll("\\\\Q", "").replaceAll("\\\\E", "");
>> + }
>
> Uh.. do you expect someone to use quote things in the strings? IMHO, if
> you are exposing a "regex" to the users, don't try and
> sanitize/modify/"fix" it.
Issue here is little bit more complex.
jsut repeating from above: "
What we agreed to do is to match groups of applets.
The most strict match is what you suggested - it the id of applet. It will be implemented in first
iteration. (just maybe with minor enhancements)
In second iteration should be possibility to blacklist/whitelist wider groups of applets at once.
eg by page, by url, by codebase, ....
eg N 123456 \Qhttp://localhost:123456/evilPage.html\E null null null will disable all applets on
exact url
eg A 123456 .*\Qlocalhost\E.* null null null will enable all other applets on local machine
without asking
You have later in email asked for \Q \E filtering. As \Qurl\E regex will be used for exact match
matching, then it will be probably most spread pattern in config file. For simple user who will just
check the table it can be confusing. So it is filtered in default view. However, there is checkbox
to disable this filtering in gui."
I hope taht it clarified the quoting (as default and simpel way to insert perfect match) and also
the need of regex as ppowerful tool match groups of applets. And also the visual (optional!)
sanitize for simple view
>
>> diff -r e631770d76ba netx/net/sourceforge/appletextendedsecurity/impl/UnsignedAppletActionStorageOperator.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/appletextendedsecurity/impl/UnsignedAppletActionStorageOperator.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public class UnsignedAppletActionStorageOperator extends UnsignedAppletActionStorageImpl {
>
> The name "operator" at the end of the name makes it sound like it should
> be using UnsignedAppletActionStorage, not extending it.
You have sometimes strange ear for naming:)
I hope new UnsignedAppletActionStorageExtendedImpl will make you little bit more satisfied.
>
>> diff -r e631770d76ba netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java
>> --- a/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java Thu Jan 31 11:12:35 2013 +0100
>> +++ b/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java Fri Feb 01 20:55:48 2013 +0100
>
>
>> + public static File getAppletTrustCustomSettingsPath() {
>> + return new File(System.getProperty("user.home") + File.separator + DEPLOYMENT_DIR
>> + + File.separator + APPLET_TRUST_SETTINGS);
>> + }
>
> Please avoid 'custom'. It's not very indicative of the purpose. I think
> "User" might be more apporpriate than Custom.
:(( ooook
>
>> + public static File getAppletTrustGlobalSettingsPath() {
>> + return new File(File.separator + "etc" + File.separator + ".java" + File.separator
>> + + "deployment" + File.separator + APPLET_TRUST_SETTINGS);
>> +
>> + }
>> +
>> /**
>> * Initialize this deployment configuration by reading configuration files.
>> * Generally, it will try to continue and ignore errors it finds (such as file not found).
>
>> diff -r e631770d76ba netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java Fri Feb 01 20:55:48 2013 +0100
>
>
>> + jButton1.setText(Translator.R("APPEXTSECguiPanelHelpButton"));
>> + jButton1.addActionListener(new java.awt.event.ActionListener() {
>> + @Override
>> + public void actionPerformed(java.awt.event.ActionEvent evt) {
>> + jButton1ActionPerformed(evt);
>> + }
>> + });
>
> Uh.. can you better names than "jButton#" ?
Is answer no acceptable?.. well renamed anyway
>
>> diff -r e631770d76ba netx/net/sourceforge/jnlp/util/lockingfile/LockingFile.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/jnlp/util/lockingfile/LockingFile.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public class LockingFile {
>
> Maybe call it LockedFile?
>
>> + private LockingFile(File file) {
>> + this.file = file;
>> + try{
>> + //just try to ctreate
>> + this.file.createNewFile();
>> + }catch(Exception ex){
>> + //intentionaly silent
>
> Are you sure about the semantics here? Maybe we can chek if the file
> exists and is writiable before doing this?
I'm pretty sure :)
>
>> + // Provide shared access to LockedFile's via weak map
>> + static private final Map<File, LockingFile> instanceCache = new WeakHashMap<File, LockingFile>();
>> +
>> + /**
>> + * Get a LockingFile for a given File.
>> + * Ensures that we share the same instance for all threads
>> + * @param file the file to lock
>> + * @return a LockingFile instance
>> + */
>> + synchronized public static LockingFile getInstance(File file) {
>> + if (!instanceCache.containsKey(file)) {
>> + instanceCache.put(file, new LockingFile(file));
>> + }
>> +
>> + return instanceCache.get(file);
>> + }
>
> Nice!
>
>> diff -r e631770d76ba netx/net/sourceforge/jnlp/util/lockingfile/LockingReaderWriter.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/jnlp/util/lockingfile/LockingReaderWriter.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public abstract class LockingReaderWriter {
>
>> + private LockingFile lockedFile;
>
> I am going to point to as support for my argument that LockingFile
> should be renamed to LockedFile :)
oook.
>
>> diff -r e631770d76ba netx/net/sourceforge/jnlp/util/lockingfile/StorageIoException.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/jnlp/util/lockingfile/StorageIoException.java Fri Feb 01 20:55:48 2013 +0100
>> @@ -0,0 +1,22 @@
>
> Please add a license header.
done
>
>> +package net.sourceforge.jnlp.util.lockingfile;
>> +
>> +/**
>> + * Thrown when an exception occurs using the storage (namely IOException)
>> + */
>> +public class StorageIoException extends RuntimeException {
>
>
>> diff -r e631770d76ba tests/netx/unit/net/sourceforge/jnlp/util/lockingfile/LockingStringListStorageTest.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/tests/netx/unit/net/sourceforge/jnlp/util/lockingfile/LockingStringListStorageTest.java Fri Feb 01 20:55:48 2013 +0100
>
>> +public class LockingStringListStorageTest {
>
> Copy-paste mistake, I hope.
>
I guess yes - but from your comment later it looks like you have overlooked fact, that those are
testing classes only.
SOme replies below, but fact that they are just testing should ecxpalin it all.
>> +public static class LockingStringListStorage extends LockingReaderWriter {
>> +
>> + private List<String> cachedContents = new ArrayList<String>();
>> +
>> + //To sutisfy testengine, void constructor and dummy testmethod
>> + public LockingStringListStorage() throws IOException {
>> + this(createTmpBackend());
>> + }
>
> Please dont do this! Someone will end up using this constructor. I
> assume this is for unit tests? Just have the unit test itself create a
> temp file and pass it along to the real constructor.
It was obsolate already in this pathc - it is needed for testclass to have exactly one 0-params
cosntructor. This class was originlay outer, so it needed. Now it is inner, so no need of it.
>
>> + @Test
>> + public void lockingStringListStorageCanBeInstantiated(){
>> + Assert.assertNotNull(this);
>> + }
>
> Please move tests to separate files.
Also relict from time when it was outer class. Each test need at least one @Test method
removed.
>
>> +
>> + private static File createTmpBackend() throws IOException{
>> + File f = File.createTempFile("forTests","emptyConstructor");
>> + f.deleteOnExit();
>> + return f;
>> + }
>
> Please dont do this!
Another relicct.. sorry for confusing
>
>> + /**
>> + * Create locking file-backed storage.
>> + * @param file the storage file
>> + */
>> + public LockingStringListStorage(File file) {
>> + super(file);
>> + }
>> +
>> + /**
>> + * Get the underlying string list cache. Should lock
>> + * before using.
>> + * @return the cache
>> + */
>> + final protected List<String> getCachedContents() {
>> + return cachedContents;
>> + }
>> +
>> + @Override
>> + public void writeContent(BufferedWriter writer) throws IOException {
>> + for (String string : cachedContents) {
>> + writer.write(string);
>> + writer.newLine();
>> + }
>> + }
>> +
>> + @Override
>> + protected void readLine(String line) {
>> + this.cachedContents.add(line);
>> + }
>> +
>> + @Override
>> + protected void readContents() throws IOException {
>> + cachedContents.clear();
>> + super.readContents();
>> + }
>
> I am not a huge fan of this. The javadoc for the parent says "read
> contents from file", but nothing bout refresing. This class overrides it
> and clears the old contents. If an instance of this class is returned as
> a LockingReaderWriter, all sorts of glitches can happen because of the
> undexpected clear() call.
>
> This method should probably be called reloadContents() or something.
>
> My suggestions is to remove the inheritence completely and make
> LockingStringListStorage use a LockingReaderWriter instead.
As told - this is helper class to test LockingReaderWriter. It is doing its pupose well.
>
>> + /**
>> + * Removes the first occurrence of the specified element from this list,
>> + * if it is present (optional operation). If this list does not contain
>> + * the element, it is unchanged.
>> + *
>> + * @param line string to be removed from this list, if present
>> + * @return <tt>true</tt> if the storage contained the line
>> + */
>> + synchronized public boolean remove(String line) {
>> + boolean didRemove;
>> +
>> + lock();
>> + try {
>> + readContents();
>> + didRemove = cachedContents.remove(line);
>> + writeContents();
>> + } catch (IOException e) {
>> + throw new StorageIoException(e);
>> + } finally {
>> + unlock();
>> + }
>> +
>> + return didRemove;
>> + }
>> +}
>
>
> I hope there was a mistake in the patch and the test code below goes in
> separate classes.
>
>> + private static File storagefile;
>> +
>> + private static LockingStringListStorage newInstance() {
>> + return new LockingStringListStorage(storagefile);
>> + }
>> +
>> + @Before
>> + public void setUp() throws IOException {
>> + storagefile = File.createTempFile("foo", "bar");
>> + }
>
>
>
> [1]
> http://icedtea.classpath.org/hg/icedtea-web/file/fd01cd1c2bbc/netx/net/sourceforge/jnlp/browser/BrowserAwareProxySelector.java#l1
>
adding also replys to some latests adams hints to have this in one email
>
> Actually maybe hold off until Omair comments on the patch, and all the typos have been worked out.
done
>
> 1) Some additional comments:
>
> - The delete pop-up is awkward, doing 'delete all' could easily create a pop-up that stretches more
disagre, bu I will add a delte key handler whixh will act as delete selected
> than the screen, hiding the confirmation.
> - Additionally the delete button is hard to visually locate. I think selecting things and
pressing
It does not metter, the enter/esc keys are working fine
> 'delete' should delete them.
> - Help button does nothing ATM, correct ? (its OK for now but just double checking)
>
Yes, I will add help as separate patch.
> 2) I have attached my patch, although take note of the following:
> - I had to fix an issue where applets without any jars said they were 'signing', not showing the
> dialogue. Note though that they were still not given any permissions, so there was no security hole.
> - Your LockingFile as-was did not recursively lock correctly. I had to fix it so I could recursively
> lock to make sure that updating the dialogue is an atomic operation. However I still prefer my
> refactoring of Locking File.
Your version was not handling some existence/permissions variants, I have kept my original version
But during reading of your refactored one I have not not strumbled across issue you are mentioning.
Can you please in your nextr iterationpoint only to the corrupted part and do not do any more
refactoring?
> -Even still it seems like multiple applet entries can sneak their way in, making it impossible to
> properly update the stored action (because simple 'yes/no's are stored...). Might need to put the
> most recent decision at the top of the list, or match starting from the bottom, just in case
> duplicates do sneak in. I am in favour though of dropping simple yes/no's being stored.
Well we have agreed ot add it, and we can agree to remove it. But I still am in favour to keep it
And actually it can help with the issue you are solving.
When first applet will show dialogues, others should not react shown it if they match definition
this appelt have added/updated
>
> 3) We need to decide if we are going to backport this:
> - This patch will have some odd behaviour unless my initialization fixes go in, but I fear they
> cannot all be backported.
Yes we are going to backport it. At least as pleasure for users eyes.
>
> - The other option is to, for backporting purposes, instead of trying to show one pop-up for all the
> applets that share a classloader, we can show one pop-up for each applet (as Oracle does). That will
I thought we are already doing this. Jsut with exception, when first shown dialogue creates an rule
some other applet is matching, then it do not show the rule.
This is vlaid especially for appelts with shared classlaoder, because they ALWAYS match rule saved
by dialogue of first of them.
> circumvent the issues with classloader initialization/deinitialization.
>
> Thanks,
> -Adam
On 02/04/2013 07:02 PM, Adam Domurad wrote:> On 02/03/2013 07:08 AM, Jiri Vanek wrote:
>> Whole troubles are described here http://icedtea.classpath.org/wiki/Extended_Applets_Security
>> rather then in plain email.
>>
>> There is what me and adam have already achieved on this topic, what we have o achieve and where we
>> are stil not so sure....
>>
>> This patch is containing itw-settings part and backend for manipulating stored entries.and basic
>> matching.
>> I noted this just [fyi] because adam ave already walked through the patch, and so have I across
>> his part. So the patch should be ready for push unless someone find something malicious on
>> implementation or even on design.
>>
>> J.
>
> TYVM for writing out the wiki page.
>
> I'm allowed to comment right ? :-)
Definitely!
Especially to clarify the matching algorithm.
> The table is looking quite nice.
>
Thanx! first nice words to this patch :) ..?..:(
> We can push as is and work from head perhaps ? Needs ChangeLog, though.
>
changelog will come
> I have attached a preferred iteration of my test.
Unable to thing anymore today, I have just added this test to patch as "...Test2"
But they seems to me nearly completely same... Just with moreover cosmetich changes. Why this?
> I have attached a preferred refactoring of LockingFile :-)
See above :(
>
>> +
>> + ALWAYS, NEVER, YES, NO;
>> +
>> + public String toChar() {
>> + switch (this) {
>> + case ALWAYS:
>> + return "A";
>> + case NEVER:
>> + return "N";
>> + case YES:
>> + return "y";
>> + case NO:
>> + return "n";
>
> I don't know anymore if storing yes/no is worth the added confusion of displaying them as options in
> icedtea-web settings (4 options for what to do with an applet -- 2 of them still requiring
> confirmation ??)
Why not? Is nice expalnation of meaning of those symbols in file if somebody will be investigative
enough to read the plaintext.
=>
>> + @Override
>> + public String toString() {
>> + return toChar() + " - " + toExplanation();
>
> Drop this toChar() IMO.
>
no :)
>> +package net.sourceforge.appletextendedsecurity;
>> +
>> +import java.util.List;
>> +
>> +/**
>> + *
>> + * @author jvanek
>
> Are we allowing authors now ? :-)
>
>> + */
>> +public interface UnsignedAppletActionStorage {
>> +
>> +
No ;))
And also other minor rebukes and spell checks fixed. Thanx!
>> + String regEx;
>> + //cache pattern during each set and init?
>> + //Pattern p
>
> Drop this comment before pushing (implementation is fine as-is).
>
>> +
oook.
>> import net.sourceforge.jnlp.runtime.JNLPProxySelector;
>> @@ -384,6 +385,41 @@
>> DeploymentConfiguration.KEY_PLUGIN_JVM_ARGUMENTS,
>> null,
>> null
>> + },
>> + //unsigned applet security level
>> + {
>
> Why are you not just using a set of strings with a string validator ? I do not like the idea of
> having an anonymous class here.
>
>> + DeploymentConfiguration.KEY_SECURITY_LEVEL,
>> + new ValueVa
Disagree - the anonymous class is good enough. If you really insists I will make regular validator
class, but I'm not going to change the way how it is done.
>> + @Override
>> + public int getRowCount() {
>> + try {
>> + return back.toArray().length;
>> + } catch (Exception ex) {
>> + throw new RuntimeException(ex);
>
> Why is this wrapping needed ?
>
>> + }
>> + }
>> +
yy, rleict from time when there was IOException
>> +
>> + /**
>> + * Writes stored contents to file. Assumes lock is held.
>> + * @throws IOException
>> + */
>> + protected void writeContents() throws IOException {
>> + if (!getBackingFile().isFile()){
>> + return;
>> + }
>> + if (isReadOnly()){
>> + return;
>> + }
>
> This silent failure is not acceptable IMO! It ignores the intent of the method completely, and it
> was causing me a lot of confusion when I was playing with the code. We ought to error-out here.
>
> Same here, we shouldn't be backed by an invalid file in the first place.
> Note that I believe this will cause problems with how you are currently handling non-existant global
> configurations -- but that needs a more robust solution than this anyway.
yah, this is serious But I think that we *should* handle not existing file. But I'mnotsure how to do
it properly == where to catch this.
For now I woul dlike to keep this as it is, because it is quite important functionality, and you
need to work on top of it. Anyway I will think about it and try to fix it (because I really agree
that this silent ignoration is the worst evil)
>> + }
>> +
>> +}
>
> In conclusion, nits are nits, but I really want to see this in HEAD :-)) Great work on the
> icedtea-web-settings parts.
>
> Happy hacking,
> -Adam
I needed some positive sentence at the end.
Guys, this was really hard to zigzag and fullfill both yours reviews but it hsould be done now.
Tis was actually the longest reply to review I have ever done, espcially because there were three
fully-scramming voices. I hope I have not forget to reply/fix/explain some nit, but it was really
long reading
ps: Adam, you really MUST to snip your replies. To seek few chars of nit between hundreds of lines
(of unrelated lines!) is not possible. Especially after longer time, or during such a mixed
review... it is also protection to get some importatn stuff lost.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: doubleReviewedIntegrationOfExtendedSecurityToITW-round4.diff
Type: text/x-patch
Size: 133126 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130214/b645e652/doubleReviewedIntegrationOfExtendedSecurityToITW-round4.diff
More information about the distro-pkg-dev
mailing list