changeset 1025:ecdb5af1e069

Backported fix for NPE in CertWarningDialog for HTTPS certs 2014-11-05 Andrew Azores <aazores@redhat.com> * netx/net/sourceforge/jnlp/resources/Messages.properties (CertWarnHTTPSAcceptTip, CertWarnHTTPSRejectTip): new messages more applicable for HTTPS cert warning dialogs * netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java: distinguish between HTTPS cert warnings and signed applet cert warnings. Display appropriate text labels and buttons corresponding to either case. * netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java: If any of file, securityDelegate, or linkedButton are null, simply disable this component and do not add component listeners dependent upon these fields. Also, do not add multiple groups of permissions, and do not add the permissions to the securityDelegate until the linkedButton is actually clicked (rather than when the menu item is clicked)
author Andrew Azores <aazores@redhat.com>
date Thu, 06 Nov 2014 14:16:48 -0500
parents 0dcef5344b23
children 54dc720a11fc
files ChangeLog netx/net/sourceforge/jnlp/resources/Messages.properties netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java
diffstat 4 files changed, 73 insertions(+), 12 deletions(-) [+]
--- a/ChangeLog	Tue Nov 04 17:13:34 2014 +0100
+++ b/ChangeLog	Thu Nov 06 14:16:48 2014 -0500
@@ -1,3 +1,18 @@
+2014-11-05  Andrew Azores  <aazores@redhat.com>
+
+	* netx/net/sourceforge/jnlp/resources/Messages.properties
+	(CertWarnHTTPSAcceptTip, CertWarnHTTPSRejectTip): new messages more
+	applicable for HTTPS cert warning dialogs
+	* netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java:
+	distinguish between HTTPS cert warnings and signed applet cert warnings.
+	Display appropriate text labels and buttons corresponding to either case.
+	* netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java:
+	If any of file, securityDelegate, or linkedButton are null, simply
+	disable this component and do not add component listeners dependent upon
+	these fields. Also, do not add multiple groups of permissions, and do not
+	add the permissions to the securityDelegate until the linkedButton is
+	actually clicked (rather than when the menu item is clicked)
+
 2014-10-21  Jiri Vanek  <jvanek@redhat.com>
 
 	Fixed case when already decoded file is wonted from cache (RH1154177)
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties	Tue Nov 04 17:13:34 2014 +0100
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties	Thu Nov 06 14:16:48 2014 -0500
@@ -25,6 +25,8 @@
 CertWarnCancelTip=Do not run this applet
 CertWarnPolicyTip=Advanced sandbox settings
 CertWarnPolicyEditorItem=Launch PolicyEditor
+CertWarnHTTPSAcceptTip=Accept this certificate and trust the HTTPS connection
+CertWarnHTTPSRejectTip=Do not accept this certificate and do not establish the HTTPS connection
 
 AFileOnTheMachine=a file on the machine
 AlwaysAllowAction=Always allow this action
--- a/netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java	Tue Nov 04 17:13:34 2014 +0100
+++ b/netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java	Thu Nov 06 14:16:48 2014 -0500
@@ -224,7 +224,8 @@
         infoPanel.add(nameLabel);
         infoPanel.add(publisherLabel);
 
-        if (!(certVerifier instanceof HttpsCertVerifier)) {
+        final boolean isHttpsCertTrustDialog = certVerifier instanceof HttpsCertVerifier;
+        if (!isHttpsCertTrustDialog) {
             infoPanel.add(fromLabel);
         }
 
@@ -233,15 +234,34 @@
 
         //run and cancel buttons
         buttonPanel = new JPanel(new FlowLayout(FlowLayout.RIGHT));
-        run = new JButton(R("ButRun"));
+        run = new JButton();
+        if (isHttpsCertTrustDialog) {
+            run.setText(R("ButYes"));
+        } else {
+            run.setText(R("ButRun"));
+        }
         sandbox = new JButton(R("ButSandbox"));
         advancedOptions = new TemporaryPermissionsButton(file, securityDelegate, sandbox);
-        cancel = new JButton(R("ButCancel"));
 
-        run.setToolTipText(R("CertWarnRunTip"));
+        cancel = new JButton();
+        if (isHttpsCertTrustDialog) {
+            cancel.setText(R("ButNo"));
+        } else {
+            cancel.setText(R("ButCancel"));
+        }
+
+        if (isHttpsCertTrustDialog) {
+            run.setToolTipText(R("CertWarnHTTPSAcceptTip"));
+        } else {
+            run.setToolTipText(R("CertWarnRunTip"));
+        }
         sandbox.setToolTipText(R("CertWarnSandboxTip"));
         advancedOptions.setToolTipText(R("CertWarnPolicyTip"));
-        cancel.setToolTipText(R("CertWarnCancelTip"));
+        if (isHttpsCertTrustDialog) {
+            cancel.setToolTipText(R("CertWarnHTTPSRejectTip"));
+        } else {
+            cancel.setToolTipText(R("CertWarnCancelTip"));
+        }
 
         alwaysTrust.addActionListener(new ButtonDisableListener(sandbox));
         int buttonWidth = Math.max(run.getMinimumSize().width,
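Review bot: The same `isHttpsCertTrustDialog` test is repeated four times in this hunk, once each for the text and tooltip of `run` and `cancel`, so the two dialog variants are hard to compare at a glance. A later edit could easily update one branch and miss its counterpart, and on a certificate trust prompt a mismatched label and tooltip is a usability risk for the accept/reject decision. A single if/else that sets all four strings keeps each variant together. The creation order of `run`, `sandbox`, `advancedOptions` and `cancel` does not appear to matter here, but the enclosing method starts and ends outside the hunk, so confirm that before reordering.

```java
run = new JButton();
cancel = new JButton();
if (isHttpsCertTrustDialog) {
    run.setText(R("ButYes"));
    run.setToolTipText(R("CertWarnHTTPSAcceptTip"));
    cancel.setText(R("ButNo"));
    cancel.setToolTipText(R("CertWarnHTTPSRejectTip"));
} else {
    run.setText(R("ButRun"));
    run.setToolTipText(R("CertWarnRunTip"));
    cancel.setText(R("ButCancel"));
    cancel.setToolTipText(R("CertWarnCancelTip"));
}
// … unchanged: sandbox and advancedOptions construction and their tooltips …
```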
@@ -266,11 +286,12 @@
 
         initialFocusComponent = cancel;
         buttonPanel.add(run);
-        // file will be null iff this dialog is being called from VariableX509TrustManager.
-        // In this case, the "sandbox" button does not make any sense, as we are asking
-        // the user if they trust some certificate that is not being used to sign an app.
-        // Since there is no app, there is nothing to run sandboxed.
-        if (file != null) {
+        // Only iff this dialog is being invoked by VariableX509TrustManager.
+        // In this case, the "sandbox" button and temporary permissions do not make any sense,
+        // as we are asking the user if they trust some certificate that is not being used to sign an app
+        // (eg "do you trust this certificate presented for the HTTPS connection to the applet's host site")
+        // Since this dialog isn't talking about an applet/application, there is nothing to run sandboxed.
+        if (!isHttpsCertTrustDialog) {
             buttonPanel.add(sandbox);
             buttonPanel.add(advancedOptions);
         }
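Review bot: The rewritten comment opens with the fragment "Only iff this dialog is being invoked by VariableX509TrustManager." and never says what is true in that case, so the reason for the guard is harder to follow than before. Something like `// isHttpsCertTrustDialog is true iff this dialog was invoked by VariableX509TrustManager.` would restore the subject. The guard also changed from `file != null` to `!isHttpsCertTrustDialog`, so a non-HTTPS verifier with a null `file` now gets the Sandbox button and a disabled `advancedOptions`. Whether that combination can occur is not visible here, so the comment should state that a non-HTTPS dialog always has a non-null `file`, if that is the intent. The enclosing method begins outside this hunk.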
--- a/netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java	Tue Nov 04 17:13:34 2014 +0100
+++ b/netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java	Thu Nov 06 14:16:48 2014 -0500
@@ -48,6 +48,7 @@
 import java.net.URL;
 import java.security.Permission;
 import java.util.Collection;
+import java.util.HashSet;
 
 import javax.swing.JButton;
 import javax.swing.JMenuItem;
@@ -59,6 +60,7 @@
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
 import net.sourceforge.jnlp.security.policyeditor.PolicyEditor;
 import net.sourceforge.jnlp.security.policyeditor.PolicyEditor.PolicyEditorWindow;
+import net.sourceforge.jnlp.util.logging.OutputController;
 
 public class TemporaryPermissionsButton extends JButton {
 
@@ -67,15 +69,35 @@
     private PolicyEditorWindow policyEditorWindow = null;
     private final JNLPFile file;
     private final SecurityDelegate securityDelegate;
+    private final Collection<Permission> temporaryPermissions = new HashSet<Permission>();
 
     public TemporaryPermissionsButton(final JNLPFile file, final SecurityDelegate securityDelegate, final JButton linkedButton) {
+        /* If any of the above parameters are null, then the button cannot function - in particular, a null SecurityDelegate
+         * would prevent temporary permissions from being able to be added; a null JNLPFile would prevent PolicyEditor from
+         * being launched with a sensible codebase for the current applet; and a null JButton would prevent the Sandbox button
+         * from being automatically invoked when a set of temporary permissions are selected by the user.
+         */
         super("\u2630");
         this.menu = createPolicyPermissionsMenu();
         this.linkedButton = linkedButton;
         this.file = file;
         this.securityDelegate = securityDelegate;
 
-        addMouseListener(new PolicyEditorPopupListener(this));
+        if (file == null || securityDelegate == null || linkedButton == null) {
+            this.setEnabled(false);
+            OutputController.getLogger().log(OutputController.Level.MESSAGE_DEBUG, "Temporary Permissions Button disabled due to null fields."
+                    + " file: " + file
+                    + ", securityDelegate: " + securityDelegate
+                    + ", linkedButton: " + linkedButton);
+        } else {
+            linkedButton.addActionListener(new ActionListener() {
+                @Override
+                public void actionPerformed(final ActionEvent e) {
+                    securityDelegate.addPermissions(temporaryPermissions);
+                }
+            });
+            addMouseListener(new PolicyEditorPopupListener(this));
+        }
     }
 
     private JPopupMenu createPolicyPermissionsMenu() {
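Review bot: The listener added to `linkedButton` in the else branch is now the only place that calls `securityDelegate.addPermissions(temporaryPermissions)`, and Swing does not guarantee the order in which a button's action listeners are notified. If another listener on the same button records the user's choice and lets the launch proceed (it would be registered outside this file and is not visible here), the grant may run after that decision has been acted on. It is worth confirming the ordering, or having the code that handles the Sandbox decision apply the permissions itself. At minimum, document the dependency next to the registration, e.g. `// must take effect before the dialog result for linkedButton is consumed`.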
@@ -144,7 +166,8 @@
 
         @Override
         public void actionPerformed(final ActionEvent e) {
-            securityDelegate.addPermissions(permissions);
+            temporaryPermissions.clear();
+            temporaryPermissions.addAll(permissions);
             menu.setVisible(false);
             if (linkedButton != null) {
                 linkedButton.doClick();
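Review bot: `temporaryPermissions` is filled here and only takes effect if the following `linkedButton.doClick()` actually fires the button's action. `doClick()` on a disabled button does nothing, and `CertWarningPane` attaches a `ButtonDisableListener` to the sandbox button, so the selection could stay in the set and be granted by a later plain click on Sandbox that the user did not mean to carry extra permissions. Whether the menu is reachable while the button is disabled is not visible in this hunk. Guarding the two added lines with `if (linkedButton != null && linkedButton.isEnabled())` would prevent a stale grant. This `actionPerformed` body continues past the end of the hunk.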