[rfc][icedtea-web] policytool in itweb-settings

Deepak Bhole dbhole at redhat.com
Wed Jan 15 13:08:35 PST 2014 

* Jiri Vanek <jvanek at redhat.com> [2014-01-15 09:26]:
> On 01/14/2014 07:15 PM, Deepak Bhole wrote:
> >* Jiri Vanek <jvanek at redhat.com> [2014-01-14 07:44]:
> >>On 01/14/2014 12:33 AM, Jacob Wisor wrote:
> >>>Hello there!
> >>>
> >>>On 01/13/2014 23:20, Andrew Azores wrote:
> >>>>Hi,
> >>>>
> >>>>This small patch hooks the JDK policytool into itweb-settings. It can then be
> >>>>used to set up a custom user-level JNLP policy - this, in combination with the
> >>>>Run in Sandbox patch, will allow for quite a lot more flexibility in how
> >>>>permissions are handled with signed applets/applications.
> >>>>
> >>>>A nicer, more user-friendly editor to replace the policytool will hopefully come
> >>>>later on.
> >>>
> >>>Oooooooh yes, please! This would be awesome! :-)
> >>
> >>Yes this would be :))
> >>But it is different task. And Quite complex. Especially it must pass
> >>upstream (openjdk). And that is *the* task!
> >>
> >
> >Hi Jiri,
> >
> >How so? The editor we have in mind for ITW is to set policies for
> >applets/JNLP apps. Why the need to have it accepted upstream (not that I
> >am against it)?
> >
> >The editor will be geared toward setting policies for untrusted apps for
> >the most part (e.g. checkboxes for "allow read/write to filesystem",
> >"allow network connection" etc. and some additional customizations. In
> >general it would be too restrictive for the kind of complex policies
> >that administrators would want to set for complex Java applications.
> >
> 
> Hi!
> 
> Well the policy tool do exists, and can be reused.  There is no need to re-implement it.
> If so, then in the most correct place of all - the jdk (where
> current policy tool is). Then others (even itw) will gain benefits
> from it.
> We can add some simple editor for most common cases (as I understand
> form your comment is what you wont). But not rewrite it on our own.
> 
> Thanx for watch!
> 

Perhaps it makes sense to first determine what we want and settle on
that first (as rfc) then before we try to implement (either standalone
or updating policytool).

Andrew, did you have a specific design in mind? If so, can you provide
quick mockups?

Thanks,
Deepak

> J.
> 
> >
> >>For now I'm happy that this feature was implemented with such an small effort.
> >>>
> ...

More information about the distro-pkg-dev mailing list