[rfc][icedtea-web] External main-class fix

Andrew Azores aazores at redhat.com
Mon Jan 27 11:54:05 PST 2014 

On 01/14/2014 02:30 PM, Andrew Azores wrote:
> On 01/08/2014 04:57 PM, Andrew Azores wrote:
>> Hi,
>>
>> Jiri found a flaw in the fix for PR1513, which allows applets to run 
>> when their main-class is not in a JAR, but is still available to load 
>> from the codebase. The previous fix simply didn't throw a 
>> LaunchException when the main-class could not be found in a JAR, and 
>> instead displayed a warning about not all of the code being signed. 
>> However, this warning could still appear even if no classes or JARs 
>> could be loaded at all! This patch causes the ClassLoader to not be 
>> so optimistic about finding an external main-class - it actually 
>> checks for it first, and if it still can't be found on the codebase 
>> after searching all JARs, then a LaunchException is thrown. If it can 
>> be found, then the applet launch proceeds as normal at this step.
>>
>> Additionally, checkNotAllSignedWithUser can only be called once now 
>> in initializeResources. Previously, it could be called both due to an 
>> external main-class as well as mixed signing states of JARs in the 
>> applet - so if you had one signed JAR, one unsigned JAR, and an 
>> external main-class, you would be prompted twice about the mixed 
>> signing, as well as about trusting the signer of the signed JAR. 
>> Craziness. Now, the prompt about mixed signing should only appear once.
>>
>> ChangeLog:
>> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: 
>> (initializeResources) perform search for main-class when suspected to 
>> be external. Only show mixed code signing prompt once during 
>> initialization. (checkNotAllSignedWithUser) refactor to remove local 
>> variable (promptUser)
>>
>> Thanks,
>>
>
> Updated patch, Jiri pointed out over IRC that the previous patch only 
> worked for plugin applets and excluded JNLP. This makes it work for 
> JNLP as well, and also cleans up how codebase loading is set up on a 
> classloader. It's now done during initialization, rather than being 
> handled after the fact by a static factory-ish method.
>
> Thanks,
>

Ping.

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list