From 5f1057b76cc63f47fc7fc99f3a634b738a2645a3 Mon Sep 17 00:00:00 2001 From: Omair Majid Date: Wed, 23 Feb 2011 13:04:02 -0500 Subject: RH677772: NoSuchAlgorithmException using SSL/TLS in javaws Grant AllPermission to CodeSource originating from jre/lib/ext, and let Java's security model work. The cryptography code already does a doPrivilegedAction when initialzing cryptography providers which takes care of everything. 2011-02-23 Omair Majid RH677772: NoSuchAlgorithmException using SSL/TLS in javaws * NEWS: Update with bugfix. * netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java: Add new field jreExtDir. (JNLPPolicy): Initialize jreExtDir. (getPermissions): Grant AllPermissions if the CodeSourse is a system jar. (isSystemJar): New method. * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java (checkPermission): Remove special casing of SecurityPermission("putProviderProperty.SunJCE") and SecurityPermission("accessClassInPackage.sun.security.internal.spec"). (inTrustedCallChain): Remove.
---
 netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java | 26 ++++++++++++
 .../jnlp/runtime/JNLPSecurityManager.java | 49 ----------------------
 2 files changed, 26 insertions(+), 49 deletions(-)
(limited to 'netx')
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
index ea96022..13f72e6 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java
@@ -16,6 +16,7 @@ package net.sourceforge.jnlp.runtime;
+import java.io.File;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.*;
@@ -44,6 +45,8 @@ public class JNLPPolicy extends Policy {
 /** the previous policy */
 private static Policy systemPolicy;
+ private final String jreExtDir;
+
 /** the system level policy for jnlps */
 private Policy systemJnlpPolicy = null;
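Review bot: The new field `jreExtDir` in the @@ -44,6 +45,8 @@ hunk has no doc comment, unlike the fields shown around it, although it defines which on-disk location is treated as fully trusted. A comment such as `/** JRE extension directory (java.home/lib/ext); code loaded from it is granted AllPermission */` would make that trust decision visible where the field is declared. The class body continues outside the hunk.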
@@ -57,6 +60,9 @@ public class JNLPPolicy extends Policy {
 systemJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_SYSTEM_SECURITY_POLICY);
 userJnlpPolicy = getPolicyFromConfig(DeploymentConfiguration.KEY_USER_SECURITY_POLICY);
+
+ String jre = System.getProperty("java.home");
+ jreExtDir = jre + File.separator + "lib" + File.separator + "ext";
 }
 /**
@@ -67,6 +73,10 @@ public class JNLPPolicy extends Policy {
 if (source.equals(systemSource) || source.equals(shellSource))
 return getAllPermissions();
+ if (isSystemJar(source)) {
+ return getAllPermissions();
+ }
+
 // if we check the SecurityDesc here then keep in mind that
 // code can add properties at runtime to the ResourcesDesc!
 if (JNLPRuntime.getApplication() != null) {
@@ -122,6 +132,22 @@ public class JNLPPolicy extends Policy {
 return result;
 }
+ /**
+ * Returns true if the CodeSource corresponds to a system jar. That is,
+ * it's part of the JRE.
+ */
+ private boolean isSystemJar(CodeSource source) {
+ // anything in JRE/lib/ext is a system jar and has full permissions
+ String sourceProtocol = source.getLocation().getProtocol();
+ String sourcePath = source.getLocation().getPath();
+ if (sourceProtocol.toUpperCase().equals("FILE") &&
+ sourcePath.startsWith(jreExtDir)) {
+ return true;
+ }
+
+ return false;
+ }
+
 /**
 * Constructs a delegate policy based on a config setting
 * @param key a KEY_* in DeploymentConfiguration
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
index 8807c58..b5b23ca 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
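Review bot: In `isSystemJar` (JNLPPolicy.java, hunk @@ -122,6 +132,22 @@) the test `sourcePath.startsWith(jreExtDir)` is a plain string-prefix match on an un-normalised URL path, and a match yields AllPermission. `jreExtDir` is built in the constructor hunk (@@ -57,6 +60,9 @@) without a trailing separator, so a sibling directory whose name merely begins with `ext`, or a path that enters the directory and leaves it again through `..` segments, also passes; whether such a `file:` CodeSource can reach this policy is not visible in the diff, but the grant should not rely on that. `source.getLocation()` can return null, which would throw here, and `toUpperCase()` without a locale does not produce `FILE` under a Turkish default locale, so `equalsIgnoreCase` is the safer comparison. I would canonicalise both sides, compare against the directory plus `File.separator`, and fail closed on any error, as sketched below (`IOException` is not among the imports visible in the diff).

```java
private boolean isSystemJar(CodeSource source) {
    // only local files can belong to the JRE; a CodeSource may carry no location
    if (source.getLocation() == null
            || !"file".equalsIgnoreCase(source.getLocation().getProtocol())) {
        return false;
    }
    try {
        // canonical paths resolve "..", symlinks and %-escapes before the comparison;
        // the canonical extension directory could also be computed once in the constructor
        String jarPath = new File(source.getLocation().toURI()).getCanonicalPath();
        String extDir = new File(jreExtDir).getCanonicalPath() + File.separator;
        return jarPath.startsWith(extDir);
    } catch (URISyntaxException e) {
        return false; // unparsable location: never a system jar
    } catch (IOException e) {
        return false; // path could not be resolved: fail closed
    } catch (IllegalArgumentException e) {
        return false; // URI that does not map to a local file
    }
}
```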
@@ -306,27 +306,6 @@ class JNLPSecurityManager extends AWTSecurityManager {
 }
 }
 }
-
- } else if (perm instanceof SecurityPermission) {
- tmpPerm = perm;
-
- // JCE's initialization requires putProviderProperty permission
- if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
- if (inTrustedCallChain("com.sun.crypto.provider.SunJCE", "run")) {
- return;
- }
- }
-
- } else if (perm instanceof RuntimePermission) {
- tmpPerm = perm;
-
- // KeyGenerator's init method requires internal spec access
- if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
- if (inTrustedCallChain("javax.crypto.KeyGenerator", "init")) {
- return;
- }
- }
-
 } else {
 tmpPerm = perm;
 }
@@ -350,34 +329,6 @@ class JNLPSecurityManager extends AWTSecurityManager {
 }
 }
- /**
- * Returns weather the given class and method are in the current stack,
- * and whether or not everything upto then is trusted
- *
- * @param className The name of the class to look for in the stack
- * @param methodName The name of the method for the given class to look for in the stack
- * @return Weather or not class::method() are in the chain, and everything upto there is trusted
- */
- private boolean inTrustedCallChain(String className, String methodName) {
-
- StackTraceElement[] stack = Thread.currentThread().getStackTrace();
-
- for (int i = 0; i < stack.length; i++) {
-
- // Everything up to the desired class/method must be trusted
- if (!stack[i].getClass().getProtectionDomain().implies(new AllPermission())) {
- return false;
- }
-
- if (stack[i].getClassName().equals(className) &&
- stack[i].getMethodName().equals(methodName)) {
- return true;
- }
- }
-
- return false;
- }
-
 /**
 * Asks the user whether or not to grant permission.
 * @param perm the permission to be granted
-- cgit v1.2.3