[icedtea-web] URLPermission in Java 8
Andrew Azores
aazores at redhat.com
Wed Jun 18 14:03:34 UTC 2014
Hi,
There's a new permission in Java 8 known as URLPermission [0]. It's used
to restrict access to, well, URL resources. Some of our manual test case
applets are affected by this, for example, Oasis [1].
I can't find any documentation on how exactly Oracle grants applets
URLPermissions, eg what kind of path they're allowing the applets to
access, or which HTTP methods and headers they may use, etc. So
determining sane defaults on these is the primary point of discussion
for this thread. We could just try to ask Oracle what they're granting
as well and mirror that.
To confirm that Oasis is impacted by this new permission:
(1) (using openjdk7) Build IcedTea-Web.
(2) Launch browser from terminal
(3) Go to Oasis URL
(4) Observe that applet launches successfully
(5) system-switch-java to openjdk8
(6) Repeat 1-3 and observe that Oasis no longer launches due to
SecurityExceptions from missing URLPermissions
As a sort of proof of concept, I've attached a small patch. Applying
this patch to HEAD and repeating the Oasis test procedure with Java 8 in
use should allow Oasis to run again. This patch can't compile with Java
7, however, and is also probably too lenient about the URLPermission
it's granting, which allows any request method with any headers to any
resource recursively and inclusively in the applet codebase. So the
second point of discussion for this thread is how to resolve actually
adding this permission to the default sandbox permission set.
[0] http://docs.oracle.com/javase/8/docs/api/java/net/URLPermission.html
[1] https://oasisweb.uga.edu/oasis.html
Thanks,
--
Andrew A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: urlpermission-test.patch
Type: text/x-patch
Size: 1695 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140618/c22ebf0e/urlpermission-test.patch>
More information about the distro-pkg-dev
mailing list