[RFC][IcedTea-Web]: Change #4 (PersistenceService) of new JNLP specification (v7.0)

Omair Majid omajid at redhat.com
Wed Jun 8 14:01:10 PDT 2011

On 06/08/2011 04:54 PM, Deepak Bhole wrote:
> * Omair Majid<omajid at redhat.com>  [2011-06-08 16:46]:
>> On 06/08/2011 04:19 PM, Saad Mohammad wrote:
>>> On 06/08/2011 03:52 PM, Omair Majid wrote:
>>>> app = JNLPRuntime.getApplication();
>>> I am looking into ApplicationInstance.isSigned at the moment, and I will
>>> try running some test to see if it is actually a better method to
>>> determine whether the application has a signature.
>> Please do NOT use ApplicationIsntance.isSigned(). Deepak himself
>> patched checkAccess to avoid using ApplicationInstance.isSigned. It
>> is not enough. You can have unsigned applications calling privileged
>> code which does doPrivileged() operations. I think it's completely
>> fine to allow them to use PersistenceService.
> I can't recall why I made the change, but I thought it was due to the
> case of it being called from JNLPSecurityManager.
> What do you mean by unsigned apps calling doPrivileged() operations? Can
> you give an example where that would lead to app being null?

Sure. I am not worried about app being null though. It wont be.

Supposed a privileged application A uses an extension jnlp B. A is 
signed/trusted but B isnt. When using isSigned(), code from B will be 
able to access persistence service information from any application. 
Even though code from B is unsigned/untrusted.

Similarly, suppose an unprivileged application C uses a signed jnlp 
extension D. If we use isSigned() then D, even in a doPrivileged() 
block, will not be able to access the persistence cache for any url. 
Given that D is signed/trusted, it should be able to do anything - it 
can certainly access the persistence store using java.io.File directly.

I think it's best to look at the current stack, and use the permissions 
there to make a security decision about whether the code on the stack is 
trusted or not - and whether it should be able to access persistence 
service information for any url or not.

What do you think?


More information about the distro-pkg-dev mailing list