[RFC] PR568: LWJGL Applets fail to work with IcedTea Plugin
omajid at redhat.com
Wed Oct 13 08:32:33 PDT 2010
The attached patch attempts to fix PR568.
The LWJGL applet downloads a jar to /tmp/ and then calls
getPermissions() using that jar as the CodeSource. Currently, since
there is no SecurityDesc for this new location, an exception is thrown.
A comment from the source code of LWJGL is:
// getPermissions from original classloader is important as it checks //
for signed jars and shows any security dialogs needed
The attached patch modifies JNLPClassLoader.getPermissions() to treat
the new jar the same way it would be treated if it was loaded by
initializeResources(). Currently, it checks that the jar is on the local
machine and the plugin is being used.
The check for a local jar means that any jar on the local machine can
now be accessed by an applet (can untrusted applets do this? - they do
not have any file permissions). Even though a security dialog will tell
the user if the jar is unsigned (or any of the cases that can happen in
initializeResources), I am not sure if this is the best solution.
I would also like to extend this to all JNLPs in general, but two things
are keeping me
1. I have not seen any JNLP applications using this.
2. I cant see a way to figure out what SecurityDesc should be used
(since there is no JNLP file to describe the security permissions that
should be granted).
Any thoughts or comments?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 12756 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20101013/cb041cf0/icedtea6-jnlp-classloader-load-new-codesources-01.patch
More information about the distro-pkg-dev