[rfc][icedtea-web] New PartiallySigned Dialog
Andrew Azores
aazores at redhat.com
Mon Mar 10 16:07:07 UTC 2014
On 03/06/2014 11:19 AM, Jiri Vanek wrote:
> On 03/04/2014 11:07 PM, Andrew Azores wrote:
>> Hi,
>>
>> This patch introduces a new PartiallySigned dialog to replace the
>> NotAllSigned prompt. This new dialog uses the same abstracted parent
>> class that was pulled out of the Unsigned dialog, so it uses the same
>> remembered action storage and has the same general look and feel.
>> This dialog also has a Sandbox button, just like CertWarningPane
>> recently gained for fully signed applets, which allows partially
>> signed ones to also be run with only sandbox permissions. Some more
>> security info is also present on the dialog, eg the applet's
>> publisher and codebase. Not yet included is a new Help text for this
>> dialog, but this can be written up separately IMO. Right now it will
>> just display the same Help as the Unsigned dialog.
>>
>> ChangeLog:
>> Added new PartiallySigned Dialog to replace NotAllSignedWarningPane.
>> Also includes a Sandbox button.
>> * netx/net/sourceforge/jnlp/resources/Messages.properties:
>> (APPEXTSecunsignedAppletActionSandbox, LPartiallySignedApplet,
>> LPartiallySignedAppletUserDenied) new messages
>> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
>> Logic added for displaying new PartiallySigned dialog.
>> (showNotAllSignedDialog) removed. (getSigningState) new method.
>> (promptUserOnPartialSigning, userPromptedForPartialSigning) new
>> methods for
>> SecurityDelegate.
>> * netx/net/sourceforge/jnlp/security/AppTrustWarningDialog.java:
>> (partiallySigned) new method
>> * netx/net/sourceforge/jnlp/security/AppTrustWarningPanel.java:
>> (chosenActionSetter) refactored to allow Sandbox action.
>> (setupInfoPanel) applet
>> title made overrideable by subclasses
>> * netx/net/sourceforge/jnlp/security/SecurityDialog.java:
>> (NOTALLSIGNED_WARNING)
>> renamed PARTIALLYSIGNED_WARNING, display new dialog rather than old
>> * netx/net/sourceforge/jnlp/security/SecurityDialogs.java:
>> (NOTALLSIGNED_WARNING)
>> renamed PARTIALLYSIGNED_WARNING. (showNotAllSignedWarningDialog)
>> removed.
>> (showPartiallySignedWarningDialog) new method
>> *
>> netx/net/sourceforge/jnlp/security/appletextendedsecurity/ExecuteAppletAction.java:
>> Added Sandbox action
>> *
>> netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java:
>> (checkPartiallySignedWithUserIfRequired) new method
>> *
>> tests/reproducers/custom/SignedAppletCodebaseLoading/testcases/SignedAppletCodebaseLoadingTests.java:
>> test now passes since dialog will not appear if applet security is
>> set to Low.
>> KnownToFail removed.
>> *
>> tests/reproducers/custom/SignedAppletExternalMainClass/testcases/SignedAppletExternalMainClassTest.java:
>> same
>> *
>> netx/net/sourceforge/jnlp/security/PartiallySignedAppTrustWarningPanel.java:
>> new class
>> * netx/net/sourceforge/jnlp/security/NotAllSignedWarningPane.java:
>> deleted
>> in favour of PartiallySignedAppTrustWarningPanel
>>
>> Thanks,
>>
> Ouch - "legacy" dialogs packages? :) Please dont forget to adapt
> changelog. For patch I think there will be more rounds. Also pls move
> your new dialogue to proper pacage.package
Updated.
>
> General thoughts:
>
> SANDBOX_ALWAYS is not (going to be) supported? If so, the checbox and
> radiobuttons should be disabled (I have not noted it but I could
> overlook). But I' +1 to support SANDBOX_ALWAYS
It's supported here. It's disabled for CertWarningPane ie fully signed
just because in that case we aren't using the nice extended security
action storage - it just uses the certificate keystore, so there wasn't
a clean and easy way to incorporate remembering the sandbox decision, as
far as I could tell. But since this one is based off of the Extended
Applet Security stuff, remembering this action is no problem.
> - if this will be supported, then there is going to be fun with the
> sandbox+custom policies saving :)
What do you mean? It will allow partially signed applets to always be
run with a user-defined set of extra permissions above the sandbox level
but below all-permission. This was the exact overarching objective of
all of these patches.
>
> The removal of NotAllSignedWarningPane is not compelte. Please check
> also used Trasnlator.R keys. If they are dangling, please rmeove them
> from all Messages*.properties
They were being reused in the PartiallySigned dialog, so no removals. I
renamed them though.
>
> You have removed:
> - @KnownToFail
> - assertTrue("NotAllSigned dialog will appear if this test
> runs. Remove this exception and KnownToFail "
> - + "when a proper replacement is in place", false);
>
> How come? I think partialy signed dialogue should appear always, no
> matter of EAS level.
> Or not?
I can see the motivation behind having it always appear, since partially
signed applets seem to be the most inherently untrustworthy class, but
from a user perspective it also seems like it makes little sense for
only these applets to have a dialog appear. Maybe a new, even lower
level could be made to display no dialogs ever, and partially signed
will appear at any level above this? I'm not sure this is really worthwhile.
>
> + protected String getAppletTitle() {
> + return R("SAppletTitle", file.getTitle());
> + }
>
> (And few more methods about title) Wasn't this handled in previous push?
Not sure what you mean.
>
> Can we have some testing main method as I added recently for unsigned
> warnng dialogue?
It will be messy, since it will require a mocked SecurityDialog, which
only has package-private constructors, and these classes are no longer
in the same package.
>
>
> hmmm . . . I ahve just spotted usage of
> type = AccessType.SIGNING_ERROR;
Where?
> In this case this dialogue have sense also for JNLP files.
> Then ~/icedtea-web-image/bin/javaws -allowredirect
> http://java.net/projects/electric/downloads/download/WebStartFiles/electricAnt.jnlp
> would be an example... But it is something for think about for future
> work.
>
Yes, this dialog is built to depend only on JNLPFile, not PluginBridge,
and JNLPClassLoader's checks that cause it to appear are also not
restricted only for browser applets.
>
>
> + private String getSigningInfo() {
> + CertInformation info =
> jcv.getCertInformation(jcv.getCertPath(null));
> +
> + AccessType type;
> + if (info != null && info.isRootInCacerts() &&
> !info.hasSigningIssues()) {
> + type = AccessType.VERIFIED;
> + } else if (info != null && info.isRootInCacerts()) {
> + type = AccessType.SIGNING_ERROR;
> + } else {
> + type = AccessType.UNVERIFIED;
> + }
> +
> + String mainText = "";
> + switch (type) {
> + case VERIFIED:
> + mainText = R("SSigVerified");
> + break;
> + case UNVERIFIED:
> + mainText = R("SSigUnverified");
> + break;
> + case SIGNING_ERROR:
> + mainText = R("SSignatureError");
> + break;
> + }
> +
> + return mainText;
> + }
>
> ouh thats looong way to return one of three strings :)
>
>
> Good work otherwise,
> Thanx
> J.
Yea, what the heck was I doing there... jeez. Thanks for pointing this out.
Thanks,
--
Andrew A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: partially-signed-dialog-new-packages.patch
Type: text/x-patch
Size: 46414 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140310/9ebae4f6/partially-signed-dialog-new-packages-0001.patch>
More information about the distro-pkg-dev
mailing list