/hg/icedtea-web: 2 new changesets
jvanek at icedtea.classpath.org
jvanek at icedtea.classpath.org
Sun Feb 4 08:59:17 UTC 2018
changeset 91008ab6f703 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=91008ab6f703
author: Jiri Vanek <jvanek at redhat.com>
date: Sat Feb 03 17:54:35 2018 +0100
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: autoformatted
changeset 6639d193e740 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=6639d193e740
author: Jiri Vanek <jvanek at redhat.com>
date: Sun Feb 04 09:58:58 2018 +0100
nosecurity switch made extendable also for certificate issues
* netx/net/sourceforge/jnlp/config/Defaults.java: set deployment.security.itw.ignorecertissues
* netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java: added deployment.security.itw.ignorecertissues
* netx/net/sourceforge/jnlp/resources/Messages.properties: BONosecurity is now tailed by rumor about deployment.security.itw.ignorecertissues
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: when ITW was about to throw a certificate-caused launch exception, it is now consulted with nosecurity and deployment.security.itw.ignorecertissues. If both are set, the exception is only printed
diffstat:
ChangeLog | 13 +
netx/net/sourceforge/jnlp/config/Defaults.java | 7 +-
netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java | 3 +
netx/net/sourceforge/jnlp/resources/Messages.properties | 2 +-
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 881 +++++----
5 files changed, 514 insertions(+), 392 deletions(-)
diffs (truncated from 2024 to 500 lines):
diff -r e17f060bb41a -r 6639d193e740 ChangeLog
--- a/ChangeLog Sat Feb 03 17:48:38 2018 +0100
+++ b/ChangeLog Sun Feb 04 09:58:58 2018 +0100
@@ -1,3 +1,16 @@
+2018-02-03 Jiri Vanek <jvanek at redhat.com>
+
+ nosecurity switch made extendable also for certificate issues
+ * netx/net/sourceforge/jnlp/config/Defaults.java: set deployment.security.itw.ignorecertissues
+ * netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java: added deployment.security.itw.ignorecertissues
+ * netx/net/sourceforge/jnlp/resources/Messages.properties: BONosecurity is now tailed by rumor about deployment.security.itw.ignorecertissues
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: when ITW was about to throw certificate-caused launch exception,
+ it i snow consulted with nosecurity and deployment.security.itw.ignorecertissues. If both are here, exception is only printed
+
+2018-02-03 Jiri Vanek <jvanek at redhat.com>
+
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: autoformatted
+
2018-02-03 Jiri Vanek <jvanek at redhat.com>
Made ITW to load resources from j2se/java tag too
diff -r e17f060bb41a -r 6639d193e740 netx/net/sourceforge/jnlp/config/Defaults.java
--- a/netx/net/sourceforge/jnlp/config/Defaults.java Sat Feb 03 17:48:38 2018 +0100
+++ b/netx/net/sourceforge/jnlp/config/Defaults.java Sun Feb 04 09:58:58 2018 +0100
@@ -226,6 +226,11 @@
String.valueOf(false)
},
{
+ DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES,
+ BasicValueValidators.getBooleanValidator(),
+ String.valueOf(false)
+ },
+ {
DeploymentConfiguration.KEY_SECURITY_PROMPT_USER_FOR_JNLP,
BasicValueValidators.getBooleanValidator(),
String.valueOf(true)
@@ -445,4 +450,4 @@
return result;
}
-}
\ No newline at end of file
+}
diff -r e17f060bb41a -r 6639d193e740 netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java
--- a/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java Sat Feb 03 17:48:38 2018 +0100
+++ b/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java Sun Feb 04 09:58:58 2018 +0100
@@ -150,6 +150,9 @@
/** Boolean. Only install the custom authenticator if true */
public static final String KEY_SECURITY_INSTALL_AUTHENTICATOR = "deployment.security.authenticator";
+ /** Boolean. Only install the custom authenticator if true */
+ public static final String KEY_SECURITY_ITW_IGNORECERTISSUES = "deployment.security.itw.ignorecertissues";
+
public static final String KEY_STRICT_JNLP_CLASSLOADER = "deployment.jnlpclassloader.strict";
/** Boolean. Do not prefere https over http */
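Review bot: The Javadoc on the new `KEY_SECURITY_ITW_IGNORECERTISSUES` constant is a copy of the comment for `KEY_SECURITY_INSTALL_AUTHENTICATOR` just above it and does not describe this key. Because the key relaxes certificate handling, the comment should say what it does and that it is off by default, for example `/** Boolean. If true and the nosecurity switch is also given, certificate-caused launch exceptions are logged instead of thrown. Defaults to false. */`.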
diff -r e17f060bb41a -r 6639d193e740 netx/net/sourceforge/jnlp/resources/Messages.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties Sat Feb 03 17:48:38 2018 +0100
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Sun Feb 04 09:58:58 2018 +0100
@@ -337,7 +337,7 @@
BOVerbose = Enable verbose output.
BOAbout = Shows a sample application.
BOVersion = Print the IcedTea-Web version and exit.
-BONosecurity= Disables the secure runtime environment.
+BONosecurity= Disables the secure runtime environment. You need also deployment.security.itw.ignorecertissues to workaround corrupted signatures
BONoupdate = Disables checking for updates.
BOHeadless = Disables download window, other UIs.
BOStrict = Enables strict checking of JNLP file format.
diff -r e17f060bb41a -r 6639d193e740 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Sat Feb 03 17:48:38 2018 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Sun Feb 04 09:58:58 2018 +0100
@@ -12,7 +12,6 @@
// You should have received a copy of the GNU Lesser General Public
// License along with this library; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
package net.sourceforge.jnlp.runtime;
import static net.sourceforge.jnlp.runtime.Translator.R;
@@ -69,6 +68,7 @@
import net.sourceforge.jnlp.LaunchDesc;
import net.sourceforge.jnlp.LaunchException;
import net.sourceforge.jnlp.NullJnlpFileException;
+import net.sourceforge.jnlp.OptionsDefinitions;
import net.sourceforge.jnlp.ParseException;
import net.sourceforge.jnlp.ParserSettings;
import net.sourceforge.jnlp.PluginBridge;
@@ -90,14 +90,16 @@
import net.sourceforge.jnlp.util.StreamUtils;
import net.sourceforge.jnlp.util.UrlUtils;
import net.sourceforge.jnlp.util.logging.OutputController;
+import static net.sourceforge.jnlp.runtime.Translator.R;
/**
- * Classloader that takes it's resources from a JNLP file. If the
- * JNLP file defines extensions, separate classloaders for these
- * will be created automatically. Classes are loaded with the
- * security context when the classloader was created.
+ * Classloader that takes it's resources from a JNLP file. If the JNLP file
+ * defines extensions, separate classloaders for these will be created
+ * automatically. Classes are loaded with the security context when the
+ * classloader was created.
*
- * @author <a href="mailto:jmaxwell at users.sourceforge.net">Jon A. Maxwell (JAM)</a> - initial author
+ * @author <a href="mailto:jmaxwell at users.sourceforge.net">Jon A. Maxwell
+ * (JAM)</a> - initial author
* @version $Revision: 1.20 $
*/
public class JNLPClassLoader extends URLClassLoader {
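Review bot: The added `import static net.sourceforge.jnlp.runtime.Translator.R;` after the `OutputController` import repeats the static import that already sits directly under the package declaration (visible as context in the first hunk of this file). The duplicate compiles but is redundant and will be flagged by import linters, so the new line should be dropped. The rest of this hunk only rewraps the class Javadoc.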
@@ -105,12 +107,15 @@
// todo: initializePermissions should get the permissions from
// extension classes too so that main file classes can load
// resources in an extension.
-
- /** Signed JNLP File and Template */
+ /**
+ * Signed JNLP File and Template
+ */
final public static String TEMPLATE = "JNLP-INF/APPLICATION_TEMPLATE.JNLP";
final public static String APPLICATION = "JNLP-INF/APPLICATION.JNLP";
- /** Actions to specify how cache is to be managed **/
+ /**
+ * Actions to specify how cache is to be managed *
+ */
public static enum DownloadAction {
DOWNLOAD_TO_CACHE, REMOVE_FROM_CACHE, CHECK_CACHE
}
@@ -119,101 +124,148 @@
FULL, PARTIAL, NONE
}
- /** True if the application has a signed JNLP File */
+ /**
+ * True if the application has a signed JNLP File
+ */
private boolean isSignedJNLP = false;
-
- /** map from JNLPFile unique key to shared classloader */
+
+ /**
+ * map from JNLPFile unique key to shared classloader
+ */
private static Map<String, JNLPClassLoader> uniqueKeyToLoader = new ConcurrentHashMap<>();
- /** map from JNLPFile unique key to lock, the lock is needed to enforce correct
- * initialization of applets that share a unique key*/
+ /**
+ * map from JNLPFile unique key to lock, the lock is needed to enforce
+ * correct initialization of applets that share a unique key
+ */
private static Map<String, ReentrantLock> uniqueKeyToLock = new HashMap<>();
- /** Provides a search path & temporary storage for native code */
+ /**
+ * Provides a search path & temporary storage for native code
+ */
private NativeLibraryStorage nativeLibraryStorage;
- /** security context */
+ /**
+ * security context
+ */
private final AccessControlContext acc = AccessController.getContext();
- /** the permissions for the cached jar files */
+ /**
+ * the permissions for the cached jar files
+ */
private List<Permission> resourcePermissions;
- /** the app */
+ /**
+ * the app
+ */
private ApplicationInstance app = null; // here for faster lookup in security manager
- /** list of this, local and global loaders this loader uses */
+ /**
+ * list of this, local and global loaders this loader uses
+ */
private JNLPClassLoader loaders[] = null; // ..[0]==this
- /** whether to strictly adhere to the spec or not */
+ /**
+ * whether to strictly adhere to the spec or not
+ */
private final boolean strict;
- /** loads the resources */
+ /**
+ * loads the resources
+ */
private final ResourceTracker tracker = new ResourceTracker(true); // prefetch
- /** the update policy for resources */
+ /**
+ * the update policy for resources
+ */
private UpdatePolicy updatePolicy;
- /** the JNLP file */
+ /**
+ * the JNLP file
+ */
private JNLPFile file;
- /** the resources section */
+ /**
+ * the resources section
+ */
private ResourcesDesc resources;
- /** the security section */
+ /**
+ * the security section
+ */
private SecurityDesc security;
- /** Permissions granted by the user during runtime. */
+ /**
+ * Permissions granted by the user during runtime.
+ */
private final ArrayList<Permission> runtimePermissions = new ArrayList<>();
- /** all jars not yet part of classloader or active
- * Synchronized since this field may become shared data between multiple classloading threads.
- * See loadClass(String) and CodebaseClassLoader.findClassNonRecursive(String).
+ /**
+ * all jars not yet part of classloader or active Synchronized since this
+ * field may become shared data between multiple classloading threads. See
+ * loadClass(String) and CodebaseClassLoader.findClassNonRecursive(String).
*/
private final List<JARDesc> available = Collections.synchronizedList(new ArrayList<JARDesc>());
- /** the jar cert verifier tool to verify our jars */
+ /**
+ * the jar cert verifier tool to verify our jars
+ */
private final JarCertVerifier jcv;
private SigningState signing = SigningState.NONE;
- /** ArrayList containing jar indexes for various jars available to this classloader
- * Synchronized since this field may become shared data between multiple classloading threads/
- * See loadClass(String) and CodebaseClassLoader.findClassNonRecursive(String).
+ /**
+ * ArrayList containing jar indexes for various jars available to this
+ * classloader Synchronized since this field may become shared data between
+ * multiple classloading threads/ See loadClass(String) and
+ * CodebaseClassLoader.findClassNonRecursive(String).
*/
private final List<JarIndexAccess> jarIndexes = Collections.synchronizedList(new ArrayList<JarIndexAccess>());
- /** Set of classpath strings declared in the manifest.mf files
- * Synchronized since this field may become shared data between multiple classloading threads.
- * See loadClass(String) and CodebaseClassLoader.findClassNonRecursive(String).
+ /**
+ * Set of classpath strings declared in the manifest.mf files Synchronized
+ * since this field may become shared data between multiple classloading
+ * threads. See loadClass(String) and
+ * CodebaseClassLoader.findClassNonRecursive(String).
*/
private final Set<String> classpaths = Collections.synchronizedSet(new HashSet<String>());
- /** File entries in the jar files available to this classloader
- * Synchronized sinc this field may become shared data between multiple classloading threads.
- * See loadClass(String) and CodebaseClassLoader.findClassNonRecursive(String).
+ /**
+ * File entries in the jar files available to this classloader Synchronized
+ * sinc this field may become shared data between multiple classloading
+ * threads. See loadClass(String) and
+ * CodebaseClassLoader.findClassNonRecursive(String).
*/
private final Set<String> jarEntries = Collections.synchronizedSet(new TreeSet<String>());
- /** Map of specific original (remote) CodeSource Urls to securitydesc
- * Synchronized since this field may become shared data between multiple classloading threads.
- * See loadClass(String) and CodebaseClassLoader.findClassNonRecursive(String).
+ /**
+ * Map of specific original (remote) CodeSource Urls to securitydesc
+ * Synchronized since this field may become shared data between multiple
+ * classloading threads. See loadClass(String) and
+ * CodebaseClassLoader.findClassNonRecursive(String).
*/
- private final Map<URL, SecurityDesc> jarLocationSecurityMap =
- Collections.synchronizedMap(new HashMap<URL, SecurityDesc>());
+ private final Map<URL, SecurityDesc> jarLocationSecurityMap
+ = Collections.synchronizedMap(new HashMap<URL, SecurityDesc>());
/*Set to prevent once tried-to-get resources to be tried again*/
private final Set<URL> alreadyTried = Collections.synchronizedSet(new HashSet<URL>());
-
- /** Loader for codebase (which is a path, rather than a file) */
+
+ /**
+ * Loader for codebase (which is a path, rather than a file)
+ */
private CodeBaseClassLoader codeBaseLoader;
-
- /** True if the jar with the main class has been found
- * */
- private boolean foundMainJar= false;
-
- /** Name of the application's main class */
+
+ /**
+ * True if the jar with the main class has been found
+ *
+ */
+ private boolean foundMainJar = false;
+
+ /**
+ * Name of the application's main class
+ */
private String mainClass = null;
-
+
/**
* Variable to track how many times this loader is in use
*/
@@ -242,16 +294,18 @@
* @param file the JNLP file
* @param policy the UpdatePolicy for this class loader
* @param mainName name of the application's main class
- * @param enableCodeBase switch whether this classloader can search in codebase or not
- * @throws net.sourceforge.jnlp.LaunchException when need to kill an app comes.
- *
+ * @param enableCodeBase switch whether this classloader can search in
+ * codebase or not
+ * @throws net.sourceforge.jnlp.LaunchException when need to kill an app
+ * comes.
+ *
*/
protected JNLPClassLoader(JNLPFile file, UpdatePolicy policy, String mainName, boolean enableCodeBase) throws LaunchException {
super(new URL[0], JNLPClassLoader.class.getClassLoader());
OutputController.getLogger().log("New classloader: " + file.getFileLocation());
- strict = Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_STRICT_JNLP_CLASSLOADER));
-
+ strict = Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_STRICT_JNLP_CLASSLOADER));
+
this.file = file;
this.updatePolicy = policy;
this.resources = file.getResources();
@@ -262,10 +316,9 @@
this.enableCodeBase = enableCodeBase;
-
AppVerifier verifier;
- if (file instanceof PluginBridge && !((PluginBridge)file).useJNLPHref()) {
+ if (file instanceof PluginBridge && !((PluginBridge) file).useJNLPHref()) {
verifier = new PluginAppVerifier();
} else {
verifier = new JNLPAppVerifier();
@@ -288,15 +341,26 @@
initializeReadJarPermissions();
installShutdownHooks();
-
-
+
+ }
+
+ public static boolean isCertUnderestimated() {
+ return Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES))
+ && !JNLPRuntime.isSecurityEnabled();
+ }
+
+ private static void consultCertificateSecurityException(LaunchException ex) throws LaunchException {
+ if (isCertUnderestimated()) {
+ OutputController.getLogger().log(OptionsDefinitions.OPTIONS.NOSEC.option + " and " + DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES + " are declared. Ignoring certificate issue");
+ OutputController.getLogger().log(ex);
+ } else {
+ throw ex;
+ }
}
public boolean isStrict() {
return strict;
}
-
-
/**
* Install JVM shutdown hooks to clean up resources allocated by this
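Review bot: `consultCertificateSecurityException` records the bypass with the one-argument `log(...)` calls, and if those overloads write at debug level (not visible in this hunk) a user running with both switches gets no visible sign that a certificate failure was skipped. With the secure runtime disabled, the affected jars presumably run unsandboxed, so the bypass deserves an always-visible warning, e.g. `OutputController.getLogger().log(OutputController.Level.WARNING_ALL, ...)` for the message and `ERROR_ALL` for the exception. Both new methods also lack Javadoc: `isCertUnderestimated()` is public and its name does not convey "nosecurity and ignorecertissues are both set", and the helper should state that callers must pass only certificate-caused `LaunchException`s, since it suppresses whatever it is given. The call sites are outside the visible part of the diff, so which exceptions actually reach it cannot be checked here.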
@@ -322,9 +386,9 @@
}
/**
- * Gets the lock for a given unique key, creating one if it does not yet exist.
- * This operation is atomic & thread-safe.
- *
+ * Gets the lock for a given unique key, creating one if it does not yet
+ * exist. This operation is atomic & thread-safe.
+ *
* @param uniqueKey the file whose unique key should be used
* @return the lock
*/
@@ -342,10 +406,10 @@
}
/**
- * Creates a fully initialized JNLP classloader for the specified JNLPFile,
- * to be used as an applet/application's classloader.
- * In contrast, JNLP classloaders can also be constructed simply to merge
- * its resources into another classloader.
+ * Creates a fully initialized JNLP classloader for the specified JNLPFile,
+ * to be used as an applet/application's classloader. In contrast, JNLP
+ * classloaders can also be constructed simply to merge its resources into
+ * another classloader.
*
* @param file the file to load classes for
* @param policy the update policy to use when downloading resources
@@ -366,7 +430,7 @@
if (loader.getSigningState() == SigningState.PARTIAL) {
loader.securityDelegate.promptUserOnPartialSigning();
} else if (!loader.getSigning() && !loader.securityDelegate.userPromptedForSandbox() && file instanceof PluginBridge) {
- UnsignedAppletTrustConfirmation.checkUnsignedWithUserIfRequired((PluginBridge)file);
+ UnsignedAppletTrustConfirmation.checkUnsignedWithUserIfRequired((PluginBridge) file);
}
// New loader init may have caused extentions to create a
@@ -384,7 +448,7 @@
// loader is now current + ext. But we also need to think of
// the baseLoader
if (baseLoader != null && baseLoader != loader) {
- loader.merge(baseLoader);
+ loader.merge(baseLoader);
}
return loader;
@@ -392,12 +456,13 @@
/**
* Returns a JNLP classloader for the specified JNLP file.
- *
+ *
* @param file the file to load classes for
* @param policy the update policy to use when downloading resources
- * @param enableCodeBase true if codebase can be searched (ok for applets,false for apps)
- * @return existing classloader. creates new if none reliable exists
- * @throws net.sourceforge.jnlp.LaunchException when launch is doomed
+ * @param enableCodeBase true if codebase can be searched (ok for
+ * applets,false for apps)
+ * @return existing classloader. creates new if none reliable exists
+ * @throws net.sourceforge.jnlp.LaunchException when launch is doomed
*/
public static JNLPClassLoader getInstance(JNLPFile file, UpdatePolicy policy, boolean enableCodeBase) throws LaunchException {
return getInstance(file, policy, null, enableCodeBase);
@@ -409,22 +474,23 @@
* @param file the file to load classes for
* @param policy the update policy to use when downloading resources
* @param mainName Overrides the main class name of the application
- * @param enableCodeBase ue if codebase can be searched (ok for applets,false for apps)
- * @return existing classloader. creates new if none reliable exists
- * @throws net.sourceforge.jnlp.LaunchException when launch is doomed
+ * @param enableCodeBase ue if codebase can be searched (ok for
+ * applets,false for apps)
+ * @return existing classloader. creates new if none reliable exists
+ * @throws net.sourceforge.jnlp.LaunchException when launch is doomed
*/
public static JNLPClassLoader getInstance(JNLPFile file, UpdatePolicy policy, String mainName, boolean enableCodeBase) throws LaunchException {
JNLPClassLoader loader;
String uniqueKey = file.getUniqueKey();
- synchronized ( getUniqueKeyLock(uniqueKey) ) {
+ synchronized (getUniqueKeyLock(uniqueKey)) {
JNLPClassLoader baseLoader = uniqueKeyToLoader.get(uniqueKey);
// A null baseloader implies that no loader has been created
// for this codebase/jnlp yet. Create one.
- if (baseLoader == null ||
- (file.isApplication() &&
- !baseLoader.getJNLPFile().getFileLocation().equals(file.getFileLocation()))) {
+ if (baseLoader == null
+ || (file.isApplication()
+ && !baseLoader.getJNLPFile().getFileLocation().equals(file.getFileLocation()))) {
loader = createInstance(file, policy, mainName, enableCodeBase);
} else {
@@ -433,15 +499,15 @@
// If this is an applet, we do need to consider its loader
loader = new JNLPClassLoader(file, policy, mainName, enableCodeBase);
- if (baseLoader != null)
+ if (baseLoader != null) {
baseLoader.merge(loader);
+ }
}
loader = baseLoader;
}
// loaders are mapped to a unique key. Only extensions and parent
// share a key, so it is safe to always share based on it
-
loader.incrementLoaderUseCount();
uniqueKeyToLoader.put(uniqueKey, loader);