[rfc][icedtea-web] Reflectively add URLPermission to SecurityDesc if available

Andrew Azores aazores at redhat.com
Thu Jul 3 20:55:20 UTC 2014 

On 07/02/2014 12:38 PM, Jiri Vanek wrote:
> On 07/02/2014 06:31 PM, Omair Majid wrote:
>> * Andrew Azores <aazores at redhat.com> [2014-07-02 12:16]:
>>> This patch adds URLPermission to the sandbox permissions set in
>>> SecurityDesc, if URLPermission is available (so for Java 8+). Certain
>>> applets are broken when using IcedTea-Web with Java 8 due to the 
>>> lack of
>>> this permission. An example of such an applet is Oasis[0]. This applet
>>> should work fine with plain IcedTea-Web and JDK 7, but should fail with
>>> plain IcedTea-Web and JDK 8. It should continue to work with patched
>>> IcedTea-Web and JDK 7 but produce a few small WARNING_DEBUG level 
>>> messages,
>>> and should begin to work with patched IcedTea-Web and JDK 8.
>>
>>> +++ b/netx/net/sourceforge/jnlp/SecurityDesc.java
>>> +            } catch (final ClassNotFoundException | 
>>> NoSuchMethodException | SecurityException e) {
>>
>> Maybe use ReflectiveOperationException to reduce the number of 
>> exceptions
>> here? It's only available in Java 7 and later.
>>
>>> +            final String urlPermUriString = codebase + 
>>> (codebase.endsWith("/") ? "-" : "/-");
>>
>>> +            // Allow applets all HTTP methods (ex POST, GET) with 
>>> any request headers
>>> +            // on resources anywhere recursively in or below the 
>>> applet codebase
>>
>> I wonder if we can be more lax and allow accessing more resources on
>> the same host/port combination. Can you think of a reason to restrict to
>> the given codebase directory only?
>
> This is good point. I would say more lenient, even beter.
>>
>>> +        } catch (final URISyntaxException | InstantiationException 
>>> | IllegalAccessException | IllegalArgumentException | 
>>> InvocationTargetException e) {
>>
>> I would highly recommend using ReflectiveOperationException here.
>>
> Dont forget that it is not an solution for 1.5.1 which is 1.6 compatible.
>
>
> J.

Here we go again.

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: urlpermissions-4.patch
Type: text/x-patch
Size: 4969 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140703/43088971/urlpermissions-4.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: urlpermissions-backport-1.5-2.patch
Type: text/x-patch
Size: 6249 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140703/43088971/urlpermissions-backport-1.5-2.patch>

More information about the distro-pkg-dev mailing list