[rfc][icedtea-web] Mixed-signing applet permissions (PR1592)

Andrew Azores aazores at redhat.com
Tue Nov 12 08:14:19 PST 2013

On 11/04/2013 03:19 PM, Andrew Azores wrote:
> Hi,
> This patch allows signed JARs within mixed-signing applets to be 
> granted full permissions, while unsigned JARs in the same applets 
> retain sandbox permissions only. The user is warned/prompted for the 
> okay to proceed when this occurs.
> I was not able to create a working reproducer test for this due to the 
> following error:
> java.lang.SecurityException: class "MixedSigningApplet"'s signer 
> information does not match signer information of other classes in the 
> same package
> I'd need to have two different packages in use to get around this, but 
> AFAIK we don't have a way to support this with our reproducer system. 
> Also, even if I had that working, the 
> SecurityDialogs.showNotAllSignedWarningDialog still doesn't really 
> respect the Extended Applet Security settings and will appear to 
> prompt the user even if security is set to lowest. This would break 
> the automation of the reproducer test and make it fairly useless anyway.
> The patch is split in two. The first one does the actual work. The 
> second patch just removes an old unused local variable and an 
> associated enclosing try/catch. This indentation change creates hard 
> to read diff output, so I included this separately for ease of review. 
> They need to be applied in order.
> Changelog:
> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: 
> (initializeResources) grant full permissions to signed JARs of 
> mixed-signing applets
> Thanks,



Andrew A

More information about the distro-pkg-dev mailing list