changeset 263:0a1733685325

RH738814: Access denied at ssl handshake It turns out that TrustManager.checkTrusted() could be called by untrusted code. In such a case, we should still show a warning to the user instead of throwing a SecurityException. 2011-09-23 Omair Majid <omajid@redhat.com> * netx/net/sourceforge/jnlp/security/SecurityDialogs.java (showCertWarningDialog): Add a javadoc comment. * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java (askUser): Wrap the call to showCertWarningDialog in a doPrivileged block.
author Omair Majid <omajid@redhat.com>
date Fri, 23 Sep 2011 12:14:39 -0400
parents c7b22b085229
children a0b951436a6d
files ChangeLog NEWS netx/net/sourceforge/jnlp/security/SecurityDialogs.java netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
diffstat 4 files changed, 25 insertions(+), 5 deletions(-) [+]
--- a/ChangeLog	Tue Sep 13 16:23:04 2011 -0400
+++ b/ChangeLog	Fri Sep 23 12:14:39 2011 -0400
@@ -1,3 +1,12 @@
+2011-09-23  Omair Majid  <omajid@redhat.com>
+
+	RH738814: Access denied at ssl handshake
+	* netx/net/sourceforge/jnlp/security/SecurityDialogs.java
+	(showCertWarningDialog): Add a javadoc comment.
+	* netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
+	(askUser): Wrap the call to showCertWarningDialog in a doPrivileged
+	block.
+
 2011-09-13  Deepak Bhole <dbhole@redhat.com>
 
 	PR782: Support building against npapi-sdk as well
--- a/NEWS	Tue Sep 13 16:23:04 2011 -0400
+++ b/NEWS	Fri Sep 23 12:14:39 2011 -0400
@@ -20,6 +20,7 @@
   - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
   - PR769: IcedTea-Web does not work with some ssl sites with OpenJDK7
   - RH734081: Javaws cannot use proxy settings from Firefox
+  - RH738814: Access denied at ssl handshake
 
 New in release 1.1.1 (2011-07-20):
 * Security updates:
--- a/netx/net/sourceforge/jnlp/security/SecurityDialogs.java	Tue Sep 13 16:23:04 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/SecurityDialogs.java	Fri Sep 23 12:14:39 2011 -0400
@@ -181,6 +181,8 @@
      * @param accessType the type of warning dialog to show
      * @param file the JNLPFile associated with this warning
      * @param jarSigner the JarSigner used to verify this application
+     *
+     * @return true if the user accepted the certificate
      */
     public static boolean showCertWarningDialog(AccessType accessType,
             JNLPFile file, CertVerifier jarSigner) {
--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Tue Sep 13 16:23:04 2011 -0400
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java	Fri Sep 23 12:14:39 2011 -0400
@@ -37,7 +37,9 @@
 
 package net.sourceforge.jnlp.security;
 
+import java.security.AccessController;
 import java.security.KeyStore;
+import java.security.PrivilegedAction;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -379,14 +381,20 @@
      * @param authType The authentication algorithm
      * @return user's response
      */
-    private boolean askUser(X509Certificate[] chain, String authType,
-                            boolean isTrusted, boolean hostMatched,
-                            String hostName) {
-        return SecurityDialogs.showCertWarningDialog(
+    private boolean askUser(final X509Certificate[] chain, final String authType,
+                            final boolean isTrusted, final boolean hostMatched,
+                            final String hostName) {
+        final VariableX509TrustManager trustManager = this;
+        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+            @Override
+            public Boolean run() {
+                return SecurityDialogs.showCertWarningDialog(
                         AccessType.UNVERIFIED, null,
-                        new HttpsCertVerifier(this, chain, authType,
+                        new HttpsCertVerifier(trustManager, chain, authType,
                                               isTrusted, hostMatched,
                                               hostName));
+            }
+        });
     }
 
     /**
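Review bot: The new `doPrivileged` block in `askUser` hands the caller-supplied `chain` array to `HttpsCertVerifier` without copying it, and the commit message says this path can be reached from untrusted code, so the caller may still hold a reference and change the array while the dialog is open. Taking a snapshot first, `final X509Certificate[] chainCopy = chain.clone();`, and passing `chainCopy` into the verifier would keep what the user is shown fixed. Whether the chain is read again after the prompt is not visible in this hunk, so that part needs confirming. The block also has no comment saying why elevated privileges are safe here; a line above it such as `// Privileged only so the warning dialog can be shown; chain, authType and hostName may originate from untrusted callers.` would help keep later edits from widening what runs inside it. The javadoc for `askUser` begins outside the hunk.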