IcedTea-Web javaws is running the jnlp app sandboxed

Mon Apr 8 08:46:11 UTC 2019

Is it possible that the signature is invalid?
You should get better warning in this case, but it could get lost somewhere in the process - you
should get application is requesting permissions, but signature is broken".

On 4/6/19 4:31 AM, mpritt wrote:
> I'm not sure why my application seems to always run being sandboxed (or so it
> seems), when running with IcedTea-Web's javaws.  I'm running in a Windows
> environment with the IcedTea-Web version 1.7.2 and the java OpenJDK 11.0.2. 
> 
> Note that I can run the app successfully using the -nosecurity option.
> 
> All the jars are signed and each jar has in it's manifest the following:
> 
> Permissions: all-permissions
> Codebase: *
> Trusted-Library: true
> Application-Library-Allowable-Codebase: *
> Caller-Allowable-Codebase: *
> 
> The .jnlp file has requested all permissions as well: 
>   
>   <security>
>     <all-permissions/>
>   </security>
> 
> With the debugging option turned on I can see that the certificate is
> accepted, and that the jars are being recognized as signed.  When the app
> first gets downloaded,  the dialog pops up requesting permission to run with
> unrestricted access and the I've selected the "run" button.  However the app
> seems to runs in sandbox mode.  (I've also cleared out the cache and then
> manually selected all security options as well to try to run it any
> differently but to no avail).  
> 
> I've also tried creating a java.policy file under the
> .config/icedtea-web/security directory and have it allow all permissions (I
> don't believe I should have to do this anyway) by putting into the file:
> 
> grant {
>   permission java.lang.AllPermission;
> };  
> 
> 
> With debugging turned on I see that certain permissions are not being
> allowed.  I see the following statements:
> 
> Denying permission: ("java.lang.RuntimePermission"
> "accessClassInPackage.sun.security.util")
> Denying permission: ("java.security.SecurityPermission"
> "putProviderProperty.XMLDSig")
> Denying permission: ("java.lang.RuntimePermission"
> "accessClassInPackage.sun.security.krb5")
> 
> I do see the following file permission given (i.e. Permission added:
> ("java.io.FilePermission"
> "...\.cache\icedtea-web\cache\352\...\persistence-api-1.0.jar" "read"))
> 
> 
> Application starts up but fails because of security exceptions from the
> login attempt (i.e 
> javax.security.auth.login.LoginException: Security Exception
> 	at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:805)
> 	at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> 	at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> 	at java.base/java.security.AccessController.doPrivileged(Native Method)
> 	at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> 	at
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
> )
> 
> Like I mentioned before, the application works just fine when the
> -nosecurity option is added.  
> 
> Does anyone have any idea as to what might be the problem?
> 
> Thanks,
> 
> 
> 
> --
> Sent from: http://openjdk.5641.n7.nabble.com/OpenJDK-Distribution-specific-Packaging-f25548.html
> 

-- 
Jiri Vanek
Senior QE engineer, OpenJDK QE lead, Mgr.
Red Hat Czech
jvanek at redhat.com    M: +420775390109