[icedtea-web] URLPermission in Java 8
Andrew Azores
aazores at redhat.com
Wed Jun 18 16:54:21 UTC 2014
On 06/18/2014 12:04 PM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-06-18 10:04]:
>> As a sort of proof of concept, I've attached a small patch. Applying this
>> patch to HEAD and repeating the Oasis test procedure with Java 8 in use
>> should allow Oasis to run again.
>
>> I can't find any documentation on how exactly Oracle grants applets
>> URLPermissions, e.g. what kind of path they're allowing the applets to access,
>> or which HTTP methods and headers they may use, etc. So determining sane
>> defaults on these is the primary point of discussion for this thread. We
>> could just try to ask Oracle what they're granting as well and mirror that.
>
> After reading the JEP [0] and the javadoc [1], the patch makes sense. As
> long as it is not less restrictive than the SocketPermissions, I think
> it's fine.
>
>> This patch can't compile with Java 7
>
> I guess the question to ask is, do you want something built with Java 7
> to just work on Java 7? Or do you want the same build to work with both
> Java 7 and 8?
>
> If it's the first, then a compile-time switch to optionally compile an
> 8-specific class that handles this responsibility seems appropriate.
> This is what we did for the X509TrustManager with 6/7 support. If you
> want the second option, then you probably have to use reflection to work
> around the issue.
Right, this is something I have no informed opinion on.
>
>> is also probably too lenient about the URLPermission it's
>> granting, which allows any request method with any headers to any resource
>> recursively and inclusively in the applet codebase.
>
> Isn't that expected?
I don't know. That's the first thing I think we need to figure out. The
actual result does indeed match exactly what I intended and expected for
it to do, but I don't know if this is actually the right thing to do.
>
>
> Thanks,
> Omair
>
Thanks,
--
Andrew Azores
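
The reflective route and the scope question raised in this thread, shown as an added example (not the attached patch and not IcedTea-Web code). The class name, the `forCodebase` helper, the example.com URLs and the narrower `GET,POST:` action string are assumptions made for illustration; `"*:*"` with a trailing `-` is one way to express "any method, any headers, recursively under the codebase".

```java
import java.lang.reflect.Constructor;
import java.net.URL;
import java.security.Permission;

public class CodebaseUrlPermission {
    // Looked up by name so this class compiles and loads on Java 7,
    // where java.net.URLPermission does not exist.
    static Constructor<?> urlPermissionCtor() throws NoSuchMethodException {
        try {
            return Class.forName("java.net.URLPermission")
                        .getConstructor(String.class, String.class);
        } catch (ClassNotFoundException e) {
            return null; // pre-Java 8 runtime: only SocketPermission applies
        }
    }

    // Hypothetical helper: permission covering everything below the
    // directory that holds the codebase URL ("-" means recursive).
    static Permission forCodebase(URL codebase, String actions) throws Exception {
        Constructor<?> ctor = urlPermissionCtor();
        if (ctor == null) return null;
        String path = codebase.getPath();
        String dir = path.substring(0, path.lastIndexOf('/') + 1);
        if (dir.isEmpty()) dir = "/"; // codebase given without any path
        String scope = codebase.getProtocol() + "://" + codebase.getAuthority() + dir + "-";
        return (Permission) ctor.newInstance(scope, actions);
    }

    public static void main(String[] args) throws Exception {
        URL codebase = new URL("http://applets.example.com/oasis/app.jar"); // constructed
        Permission lenient = forCodebase(codebase, "*:*");      // any method, any header
        Permission narrow = forCodebase(codebase, "GET,POST:"); // two methods, no headers
        if (lenient == null) {
            System.out.println("URLPermission not available on this runtime");
            return;
        }
        Constructor<?> ctor = urlPermissionCtor();
        // Constructed requests: one inside the codebase tree, one outside it.
        Permission inside = (Permission) ctor.newInstance(
                "http://applets.example.com/oasis/data/a.bin", "DELETE:X-Custom");
        Permission outside = (Permission) ctor.newInstance(
                "http://applets.example.com/other/a.bin", "GET:");
        System.out.println("lenient implies inside:  " + lenient.implies(inside));
        System.out.println("narrow implies inside:   " + narrow.implies(inside));
        System.out.println("lenient implies outside: " + lenient.implies(outside));
    }
}
```

Running it on Java 8 or later prints the result of each `implies` check, which shows how far each action string reaches inside and outside the codebase directory.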