[icedtea-web] (PR1513) Signed JAR with external main-class
Omair Majid
omajid at redhat.com
Fri Oct 18 13:06:16 PDT 2013
* Andrew Azores <aazores at redhat.com> [2013-10-18 14:04]:
> Hi,
>
> The applet in the PR1513 report fails to launch due to the following
> check in JNLPClassLoader#initializeResources():
>
>         // If jar with main class was not found and there are no more
>         // available jars, throw a LaunchException
>         if (file.getLaunchInfo() != null) {
>             if (!foundMainJar
>                     && (available == null || available.size() == 0))
>                 throw new LaunchException(file, null, R("LSFatal"),
>                         R("LCClient"), R("LCantDetermineMainClass"),
>                         R("LCantDetermineMainClassInfo"));
>         }

/me grumbles about comments that reiterate what the code is doing
without explaining why.

> What I'm wondering however, is if this is actually safe. How do we
> really want to be handling this situation? The JarCertVerifier
> reports "fully signed", but then we are going to go ahead and
> execute an arbitrary unverified class file from outside the JAR(s).
> To me this seems a little bit questionable - definitely we shouldn't
> just fail to launch altogether, but what should be done about the
> permissions for this applet? Right now with the exception removed,
> the user is still prompted with a dialog claiming that the applet's
> signature has been validated by a trusted source, but can we really
> say that now?

I don't think saying "fully signed" is valid even if the main class is
found in the jar. As long as there is a URL which will be used to search
for additional classes, we cannot claim we have verified all classes.
We probably should not claim that everything is signed and/or trusted.

Do all applets get a codebase URL for fallback unconditionally?

Thanks,
Omair
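
The distinction raised in this thread, as an added example that is not part of the original message and is not icedtea-web code: a stand-alone check, using only java.util.jar, of whether a named main class is a signed entry of a given JAR, is present but unsigned, or is absent from the JAR and would have to come from somewhere else such as the codebase URL. The class name MainClassSignatureCheck, the Result enum and the command-line arguments are hypothetical; it covers the main class only, not every class the applet may load.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added illustration; all names here are hypothetical, not icedtea-web's. */
public class MainClassSignatureCheck {

    enum Result { SIGNED_IN_JAR, UNSIGNED_IN_JAR, NOT_IN_JAR }

    /** Classifies where mainClass would come from for a single JAR. */
    static Result check(JarFile jar, String mainClass) throws IOException {
        String entryName = mainClass.replace('.', '/') + ".class";
        JarEntry entry = jar.getJarEntry(entryName);
        if (entry == null) {
            // The class would be loaded from outside this JAR, so the
            // JAR's signature says nothing about it.
            return Result.NOT_IN_JAR;
        }
        // Signers are only available once the entry has been read to the
        // end; a modified signed entry raises SecurityException here.
        try (InputStream in = jar.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* drain the entry */ }
        }
        // Presence of signers is not trust: certificate path validation
        // against a trust store is a separate step not shown here.
        CodeSigner[] signers = entry.getCodeSigners();
        return (signers != null && signers.length > 0)
                ? Result.SIGNED_IN_JAR : Result.UNSIGNED_IN_JAR;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: MainClassSignatureCheck <jar> <main-class>");
            System.exit(2);
        }
        Result r;
        // 'true' enables signature verification while entries are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            r = check(jar, args[1]);
        }
        System.out.println(args[1] + ": " + r);
        // Only SIGNED_IN_JAR is consistent with a "signature validated" prompt.
        System.exit(r == Result.SIGNED_IN_JAR ? 0 : 1);
    }
}
```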