[icedtea-web] URLPermission in Java 8

Andrew Azores aazores at redhat.com
Wed Jun 18 17:06:57 UTC 2014


On 06/18/2014 12:59 PM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-06-18 12:55]:
>> Do we really want to exclude this permission from the reported set of
>> permissions in the applet's SecurityDesc?
>
> I am not sure what you mean by 'reported set'.

The result of SecurityDesc#getSandboxPermissions. If we add the 
URLPermission once, in the ClassLoader, then calling 
SecurityDesc#getSandboxPermissions will return a result that does not 
actually match the conceptual sandbox permissions set.

>
> If you mean keeping this permission separate from others, then
> code-wise, it's not ideal.  But this might be better for performance if
> we stop icedtea-web from re-computing the same permissions multiple
> times and only apply the static permissions once, at class creation
> time.

We can also stop from having to perform a class lookup and stop from 
having to do any real computing by simply storing a reference to the 
URLPermission class and constructor, if they exist, when the 
SecurityDesc is created. Then the reflection cost is only paid once, 
too, but the permission lives in IMO the correct location and can also 
be included in the result of #getSandboxPermissions.

>
>> Because setting it directly in the ClassLoader instead means that
>> further attempts to determine the sandbox set applied to the applet
>> will be incomplete if done through SecurityDesc, which doesn't sound
>> good to me.
>
> I don't follow. What is the 'sandbox set'?

The default set of permissions granted to all applets, even sandboxed ones.

>
> Thanks,
> Omair
>

Thanks,
-- 
Andrew Azores
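
The approach proposed in the message above, sketched as an added example; it is not code from this thread or from IcedTea-Web. It resolves the URLPermission constructor once when the descriptor is created and includes the permission in the set the descriptor reports. The class name `SandboxDescSketch`, the codebase URL, the origin-wide scope and the sample PropertyPermission are assumptions.

```java
import java.lang.reflect.Constructor;
import java.net.URL;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

// Hypothetical stand-in for a SecurityDesc-like class; not IcedTea-Web code.
public class SandboxDescSketch {
    // Resolved once at construction; null when java.net.URLPermission
    // does not exist on this runtime (it was introduced in Java 8).
    private final Constructor<? extends Permission> urlPermissionCtor;
    private final URL codebase;

    public SandboxDescSketch(URL codebase) {
        this.codebase = codebase;
        this.urlPermissionCtor = lookupUrlPermissionCtor();
    }

    private static Constructor<? extends Permission> lookupUrlPermissionCtor() {
        try {
            Class<? extends Permission> c =
                Class.forName("java.net.URLPermission").asSubclass(Permission.class);
            return c.getConstructor(String.class);
        } catch (ReflectiveOperationException | SecurityException e) {
            return null; // older runtime: the sandbox set simply lacks this permission
        }
    }

    // The reported set and the applied set come from the same place,
    // so a caller inspecting the descriptor sees the URLPermission too.
    public PermissionCollection getSandboxPermissions() {
        Permissions perms = new Permissions();
        perms.add(new PropertyPermission("java.version", "read")); // constructed sample entry
        if (urlPermissionCtor != null && codebase != null) {
            try {
                // Assumption: scope is the codebase origin and everything below it.
                String scope = codebase.getProtocol() + "://" + codebase.getAuthority() + "/-";
                perms.add(urlPermissionCtor.newInstance(scope));
            } catch (ReflectiveOperationException | IllegalArgumentException e) {
                // Leave the permission out rather than fail building the whole set.
            }
        }
        return perms;
    }

    public static void main(String[] args) throws Exception {
        SandboxDescSketch d = new SandboxDescSketch(new URL("http://applet.example/app/"));
        System.out.println(d.getSandboxPermissions());
    }
}
```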

