[rfc][icedtea-web] Reflectively add URLPermission to SecurityDesc if available

Andrew Azores aazores at redhat.com
Tue Jul 15 15:14:15 UTC 2014 

On 07/15/2014 11:12 AM, Andrew Azores wrote:
> On 07/14/2014 11:09 AM, Omair Majid wrote:
>> * Andrew Azores <aazores at redhat.com> [2014-07-14 10:07]:
>>> On 07/03/2014 05:14 PM, Andrew Azores wrote:
>>>
>>>      On 07/03/2014 05:02 PM, Omair Majid wrote:
>>>
>>>          * Andrew Azores <aazores at redhat.com> [2014-07-03 16:55]:
>>>
>>>              +            codebaseHost = new 
>>> URI(codebase.getScheme(), codebase.getUserInfo(), 
>>> codebase.getHost(), -1, null, null, null);
>>>
>>>          Why -1 for port? This seems strange compared to the 
>>> same-origin-policy.
>>>
>>>          Thanks,
>>>          Omair
>>>
>>>
>>>
>>>      It doesn't seem to be specified for the SocketPermission 
>>> granted in
>>>      SecurityDesc either - downloadHost is just the hostname part of 
>>> the
>>>      codebase URL AFAICT. So I haven't specified a port for the 
>>> URLPermission so
>>>      as to not be more restrictive than the SocketPermission.
>> That sounds like a bug. This should be fixed.
>
> Which part? Just the URLPermission's port, or the downloadHost itself?
>
>>
>>>      There's also this in the URLPermission docs:
>>>
>>>          portrange is used to specify a port number, or a bounded or 
>>> unbounded
>>>          range of ports that this permission applies to. If 
>>> portrange is absent
>>>          or invalid, then a default port number is assumed if the 
>>> scheme is http
>>>          (default 80) or https (default 443). No default is assumed 
>>> for other
>>>          schemes. A wildcard may be specified which means all ports.
>> Won't this break applets and webstart applications that run the
>> webserver on non-default ports? For example, [1] uses port 9090.
>>
>> Thanks,
>> Omair
>>
>> [1] 
>> http://www.symantec.com/connect/forums/sepm-console-unable-launch-application-after-java-upgrade-7u51
>>
>
> Okay, the attached patch explicitly uses the "wildcard port" for 
> URLPermission. I also added some new tests and cleaned up the existing 
> SecurityDesc tests.
>
> Thanks,
>

Whoops sorry left some printlns in there, ignore them please.

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list