[icedtea-web] "Not All Signed" dialog and low-security setting

Andrew Azores aazores at redhat.com
Tue Nov 12 08:12:54 PST 2013


On 11/10/2013 05:57 AM, Jiri Vanek wrote:
> On 11/07/2013 08:47 PM, Andrew Azores wrote:
>> Hi,
>>
>> Should the "Not All Signed" dialog 
>> (SecurityDialogs.showNotAllSignedWarningDialog(JNLPFile)) still 
>> appear when extended applet security is set to "low?" This can happen 
>> with signed applets with external main-classes, or applets with mixed 
>> signing. To me it seems like it should not appear when running one of 
>> these applets on low security. Changing this behaviour would also 
>> make it possible for me to add a reproducer for the recent signed 
>> applet with external main-class fix (PR1513).
>>
>> Thanks,
>
> One dialogue is definitely enough. If the "not all signed" dialogue 
> appears, then no extended applet security dialog should occur (not 
> depending on actual settings)

Should the "Not All Signed" really be overpowering the other standard 
dialogs, e.g. the unsigned applet warning? If we only show the Not All 
Signed and skip the other extended security dialogs then the user misses 
out on some information, e.g. the applet name/location (u45 manifest 
attributes!), and misses the option to trust the publisher in the future 
or not. I suppose Not All Signed could be made into a new dialog of the 
same type as the signed/unsigned confirmation dialogs, but as it is, I 
don't think it's a suitable replacement for them.

My other question however was what to do when set to not prompt to run 
applets, aka set security to low in itweb-settings. The "Not All Signed" 
dialog will still appear in this kind of situation, which breaks our 
testing if any reproducer meets the criteria for "Not All Signed", as 
the dialog will appear and require the user to approve it.

The attached patch simply causes the dialog to not appear when security 
is set to Low and/or -Xtrustall is used. It might be more suitable to 
move this logic into the dialog itself, but to me it also seemed out of 
place to put it there.

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not-all-signed-dialog.patch
Type: text/x-patch
Size: 3920 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20131112/4864291d/not-all-signed-dialog-0001.patch 

