diff options
| author | Omair Majid <[email protected]> | 2011-02-23 13:04:02 -0500 |
|---|---|---|
| committer | Omair Majid <[email protected]> | 2011-02-23 13:04:02 -0500 |
| commit | 5f1057b76cc63f47fc7fc99f3a634b738a2645a3 (patch) | |
| tree | 2be51a244d5b217b52d25ef52cb0dce038531b61 /netx | |
| parent | 44d552df84874d5a89cfe4881e344249947c7ed3 (diff) | |
RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
Grant AllPermission to CodeSource originating from jre/lib/ext, and let Java's
security model work. The cryptography code already does a doPrivilegedAction
when initialzing cryptography providers which takes care of everything.
2011-02-23 Omair Majid <[email protected]>
RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
* NEWS: Update with bugfix.
* netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java: Add new field
jreExtDir.
(JNLPPolicy): Initialize jreExtDir.
(getPermissions): Grant AllPermissions if the CodeSourse is a system jar.
(isSystemJar): New method.
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
(checkPermission): Remove special casing of
SecurityPermission("putProviderProperty.SunJCE") and
SecurityPermission("accessClassInPackage.sun.security.internal.spec").
(inTrustedCallChain): Remove.
Diffstat (limited to 'netx')
| -rw-r--r-- | netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java | 26 | ||||
| -rw-r--r-- | netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 49 |
2 files changed, 26 insertions, 49 deletions
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java index ea96022..13f72e6 100644 --- a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java +++ b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java @@ -16,6 +16,7 @@ package net.sourceforge.jnlp.runtime; +import java.io.File; import java.net.URI; import java.net.URISyntaxException; import java.security.*; @@ -44,6 +45,8 @@ public class JNLPPolicy extends Policy { /** the previous policy */ private static Policy systemPolicy; + private final String jreExtDir; + /** the system level policy for jnlps */ private Policy systemJnlpPolicy = null; @@ -57,6 +60,9 @@ public class JNLPPolicy extends Policy { systemJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_SYSTEM_SECURITY_POLICY); userJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_USER_SECURITY_POLICY); + + String jre = System.getProperty("java.home"); + jreExtDir = jre + File.separator + "lib" + File.separator + "ext"; } /** @@ -67,6 +73,10 @@ public class JNLPPolicy extends Policy { if (source.equals(systemSource) || source.equals(shellSource)) return getAllPermissions(); + if (isSystemJar(source)) { + return getAllPermissions(); + } + // if we check the SecurityDesc here then keep in mind that // code can add properties at runtime to the ResourcesDesc! if (JNLPRuntime.getApplication() != null) { @@ -123,6 +133,22 @@ public class JNLPPolicy extends Policy { } /** + * Returns true if the CodeSource corresponds to a system jar. That is, + * it's part of the JRE. + */ + private boolean isSystemJar(CodeSource source) { + // anything in JRE/lib/ext is a system jar and has full permissions + String sourceProtocol = source.getLocation().getProtocol(); + String sourcePath = source.getLocation().getPath(); + if (sourceProtocol.toUpperCase().equals("FILE") && + sourcePath.startsWith(jreExtDir)) { + return true; + } + + return false; + } + + /** * Constructs a delegate policy based on a config setting * @param key a KEY_* in DeploymentConfiguration * @return a policy based on the configuration set by the user diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java index 8807c58..b5b23ca 100644 --- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java +++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java @@ -306,27 +306,6 @@ class JNLPSecurityManager extends AWTSecurityManager { } } } - - } else if (perm instanceof SecurityPermission) { - tmpPerm = perm; - - // JCE's initialization requires putProviderProperty permission - if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) { - if (inTrustedCallChain("com.sun.crypto.provider.SunJCE", "run")) { - return; - } - } - - } else if (perm instanceof RuntimePermission) { - tmpPerm = perm; - - // KeyGenerator's init method requires internal spec access - if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) { - if (inTrustedCallChain("javax.crypto.KeyGenerator", "init")) { - return; - } - } - } else { tmpPerm = perm; } @@ -351,34 +330,6 @@ class JNLPSecurityManager extends AWTSecurityManager { } /** - * Returns weather the given class and method are in the current stack, - * and whether or not everything upto then is trusted - * - * @param className The name of the class to look for in the stack - * @param methodName The name of the method for the given class to look for in the stack - * @return Weather or not class::method() are in the chain, and everything upto there is trusted - */ - private boolean inTrustedCallChain(String className, String methodName) { - - StackTraceElement[] stack = Thread.currentThread().getStackTrace(); - - for (int i = 0; i < stack.length; i++) { - - // Everything up to the desired class/method must be trusted - if (!stack[i].getClass().getProtectionDomain().implies(new AllPermission())) { - return false; - } - - if (stack[i].getClassName().equals(className) && - stack[i].getMethodName().equals(methodName)) { - return true; - } - } - - return false; - } - - /** * Asks the user whether or not to grant permission. * @param perm the permission to be granted * @return true if the permission was granted, false otherwise. |