[rfc][icedtea-web] Reflectively add URLPermission to SecurityDesc if available
Jiri Vanek
jvanek at redhat.com
Wed Jul 2 16:38:21 UTC 2014
On 07/02/2014 06:31 PM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-07-02 12:16]:
>> This patch adds URLPermission to the sandbox permissions set in
>> SecurityDesc, if URLPermission is available (so for Java 8+). Certain
>> applets are broken when using IcedTea-Web with Java 8 due to the lack of
>> this permission. An example of such an applet is Oasis[0]. This applet
>> should work fine with plain IcedTea-Web and JDK 7, but should fail with
>> plain IcedTea-Web and JDK 8. It should continue to work with patched
>> IcedTea-Web and JDK 7 but produce a few small WARNING_DEBUG level messages,
>> and should begin to work with patched IcedTea-Web and JDK 8.
>
>> +++ b/netx/net/sourceforge/jnlp/SecurityDesc.java
>> + } catch (final ClassNotFoundException | NoSuchMethodException | SecurityException e) {
>
> Maybe use ReflectiveOperationException to reduce the number of exceptions
> here? It's only available in Java 7 and later.
>
>> + final String urlPermUriString = codebase + (codebase.endsWith("/") ? "-" : "/-");
>
>> + // Allow applets all HTTP methods (ex POST, GET) with any request headers
>> + // on resources anywhere recursively in or below the applet codebase
>
> I wonder if we can be more lax and allow accessing more resources on
> the same host/port combination. Can you think of a reason to restrict to
> the given codebase directory only?
This is good point. I would say more lenient, even beter.
>
>> + } catch (final URISyntaxException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
>
> I would highly recommend using ReflectiveOperationException here.
>
Dont forget that it is not an solution for 1.5.1 which is 1.6 compatible.
J.
More information about the distro-pkg-dev
mailing list