[rfc][icedtea-web] PolicyEditor

Andrew Azores aazores at redhat.com
Thu Feb 13 14:14:35 PST 2014 

On 02/13/2014 08:55 AM, Jiri Vanek wrote:

>
> Hi!
>
> I have no general issues with this.Considering it was done n best mind;)
> After reading it, I'm against making it separate project. I would much 
> ratehr keep it in itew.. and suggestion .. add new luncher? next to 
> itw-settings javaws.. SimplePolicyEditor?

I didn't get around to that with this patch, but I'll work on that next. 
Either a new launcher beside itweb-settings and javaws, or a standalone 
launcher as a separate project... ;) I really do think this idea has 
some merit. Maybe the editor seems small and simple enough now to stay 
within ITW, but I think it's already got enough utility to be a 
replacement for PolicyTool for a lot of users. Most of whom probably are 
using IcedTea-Web anyway, but not necessarily.

>
> This is ok to head, so you cna continue in run in sandbox more promptly.
>

Not yet ;) and the RunInSandbox/PartiallySigned stuff is still not in 
yet anyway, so hooking this in with those already doesn't make sense to 
me. Anyway, it's already all in-place in the PolicyEditor, what's left 
is just adding a button or something to those dialogs and having them 
launch a PolicyEditor instance, then call addNewCodebase(String) on it 
or provide the -codebase flag in its args.

>
> few notes:
>     permission java.io.FilePermission "${user.home}${/}*", "read";
>     permission java.io.FilePermission "${user.home}${/}*", "write";
>     permission java.io.FilePermission "*", "read";
>     permission java.io.FilePermission "${io.tmpdir}${/}*", "read";
>     permission java.io.FilePermission "${io.tmpdir}${/}*", "write";
>
> are granted by checkboxes which do not fully descibee them (imho) 
> Maybew tooltip should be enough.... 

There are tooltips, for every checkbox...

> Onemore think I noted After I click the send - yo are allowing the app 
> to open multiple simple editor windows in time. This may be dangerous. 
> - maybe some check "underlying file have changed, reload?)
> (but yah, advaced tool do the same )I'm for -
>  - have it as modal dialogue in itw-settings
>  - have it on frame in case of seaprate application (see suggestion in 
> previous email)
>  -  otherwse do as you wish ::)

Hmm. I don't think I like the idea of making it modal in this situation 
(just seems like it is not necessary, and unnecessary modality is really 
irritating to deal with as a user IMO), but "file has changed, 
reload/ignore/quit" does sound good. I will look into that next. 
Besides, even if we make it modal, that doesn't actually protect us 
against concurrent modification very much. Perhaps itweb-settings 
control panel can be made to handle the PolicyEditor in the same way 
that PolicyEditor handles CustomPolicyViewer - if there is no instance, 
create one. If there is an instance, focus it rather than creating another.

I spent a lot more time on this already, so I'm attaching another patch 
with the progress so far.

Notable changes:
- can view "custom permissions" aka permissions in the file that don't 
match any of the checkboxes.
-- can also add/remove these. Adding them is not nearly as powerful as 
the big old PolicyTool, but this is meant as complement, not 
replacement, so that's fine by me
-- only one of these windows is displayed at a time, but I really am not 
sure about the method I used to achieve this. I don't want to make it 
blocking (modal), so is there any other better way than what I've done?
- much, much better model for "default" (checkbox-provided) permissions. 
Not just hardcoded Strings anymore
-- as part of this, the "parsing" of policy files became a bit more 
relaxed. For permissions that specify multiple actions, eg the NetAll 
default permission, the permission will still be recognized as a default 
even if the actions are reordered
-- considering making the "parsing" step case-insensitive but not sure 
on that
-- newline isn't just \n anymore, actually using system line separator 
when "serializing"
- vertical scrollbars always shown just so it's clear that those are 
indeed list views. horizontal shown as needed
- mnemonics and accelerators, even more.

Other notes:
- still no handling for SignedBy or Principal or multiple codebases per 
"block", and I'm not really planning on supporting this. Leave that for 
the heavyweight tool and power users, IMO. If you create an entry like 
this, it will simply be clobbered when you next run PolicyEditor
- "parsing"/"deserializing" is not the most robust. I haven't tested it 
with random garbage malformed text or with comments in the middle of a 
block, etc. These hardening improvements will come a bit later on, right 
now I want to nail down the functionality/visuals. I may end up 
refactoring the models even further, so hardening it now might be a 
waste of effort

I'm planning to add plenty of unit testing to the models introduced with 
this patch, but I'm out of time today and am taking a short day 
tomorrow, so I'm not sure if I'll get those done before the end of the 
week, and I wanted to get this out for at least visuals feedback first.

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy-editor-4.patch
Type: text/x-patch
Size: 109743 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140213/a1ad4d94/policy-editor-4-0001.patch

More information about the distro-pkg-dev mailing list