[rfc][icedtea-web] Reflectively add URLPermission to SecurityDesc if available

Andrew Azores aazores at redhat.com
Tue Jul 15 15:12:07 UTC 2014


On 07/14/2014 11:09 AM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-07-14 10:07]:
>> On 07/03/2014 05:14 PM, Andrew Azores wrote:
>>
>>      On 07/03/2014 05:02 PM, Omair Majid wrote:
>>
>>          * Andrew Azores <aazores at redhat.com> [2014-07-03 16:55]:
>>
>>              +            codebaseHost = new URI(codebase.getScheme(), codebase.getUserInfo(), codebase.getHost(), -1, null, null, null);
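Review bot: the -1 passed as the port argument of this URI constructor leaves the port undefined in codebaseHost, so whatever port the codebase URL carries is discarded before the permission is built. According to the URLPermission documentation quoted later in this thread, an absent portrange falls back to 80 for http and 443 for https, so a codebase served on any other port would not be covered. Suggest carrying the port through with codebase.getPort(), or appending an explicit portrange when the permission string is built, and adding a comment that states which behaviour is intended.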
>>
>>          Why -1 for port? This seems strange compared to the same-origin-policy.
>>
>>          Thanks,
>>          Omair
>>
>>
>>
>>      It doesn't seem to be specified for the SocketPermission granted in
>>      SecurityDesc either - downloadHost is just the hostname part of the
>>      codebase URL AFAICT. So I haven't specified a port for the URLPermission so
>>      as to not be more restrictive than the SocketPermission.
> That sounds like a bug. This should be fixed.

Which part? Just the URLPermission's port, or the downloadHost itself?

>
>>      There's also this in the URLPermission docs:
>>
>>          portrange is used to specify a port number, or a bounded or unbounded
>>          range of ports that this permission applies to. If portrange is absent
>>          or invalid, then a default port number is assumed if the scheme is http
>>          (default 80) or https (default 443). No default is assumed for other
>>          schemes. A wildcard may be specified which means all ports.
> Won't this break applets and webstart applications that run the
> webserver on non-default ports? For example, [1] uses port 9090.
>
> Thanks,
> Omair
>
> [1] http://www.symantec.com/connect/forums/sepm-console-unable-launch-application-after-java-upgrade-7u51
>

Okay, the attached patch explicitly uses the "wildcard port" for 
URLPermission. I also added some new tests and cleaned up the existing 
SecurityDesc tests.

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: urlpermissions-5.patch
Type: text/x-patch
Size: 11605 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140715/418eb56e/urlpermissions-5.patch>
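
The port behaviour discussed in this thread, as an added example (not code from the attached patch or from IcedTea-Web): it compares a URLPermission built with an absent, a wildcard and an explicit portrange against requests to a codebase on port 9090. The class name, the forCodebase helper and the example.com URLs are assumptions made for illustration; it requires Java 8 or later.

```java
import java.net.URI;
import java.net.URLPermission;

public class UrlPermissionPortDemo {

    // Hypothetical helper: permission for everything under the codebase host.
    // portrange is "" (absent), "*" (all ports) or a single port number.
    static URLPermission forCodebase(URI codebase, String portrange) {
        String authority = codebase.getHost()
                + (portrange.isEmpty() ? "" : ":" + portrange);
        // A path of "/-" matches every resource below the root, recursively.
        return new URLPermission(codebase.getScheme() + "://" + authority + "/-");
    }

    static void report(String label, URLPermission granted, URLPermission wanted) {
        System.out.printf("%-8s %-28s implies %-42s : %b%n",
                label, granted.getName(), wanted.getName(), granted.implies(wanted));
    }

    public static void main(String[] args) {
        // Constructed sample: a codebase served on a non-default port.
        URI codebase = URI.create("http://example.com:9090/app/");

        // Requests the application might make once it is running.
        URLPermission sameOrigin =
                new URLPermission("http://example.com:9090/app/launch.jnlp");
        URLPermission otherPort =
                new URLPermission("http://example.com:8080/admin/");

        URLPermission absent   = forCodebase(codebase, "");
        URLPermission wildcard = forCodebase(codebase, "*");
        URLPermission exact    = forCodebase(codebase,
                Integer.toString(codebase.getPort()));

        // Absent portrange: http defaults to port 80, so the codebase's own
        // port is not covered and the application cannot reach its origin.
        report("absent", absent, sameOrigin);

        // Wildcard portrange: covers the codebase, and also every other
        // service listening on the same host.
        report("wildcard", wildcard, sameOrigin);
        report("wildcard", wildcard, otherPort);

        // Explicit portrange taken from the codebase: covers the origin only,
        // which is the closest match to a same-origin policy.
        report("exact", exact, sameOrigin);
        report("exact", exact, otherPort);
    }
}
```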

