changeset 1475:385bbdb0c185
nosecurity switch made extendable also for certificate issues
* netx/net/sourceforge/jnlp/config/Defaults.java: set deployment.security.itw.ignorecertissues
* netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java: added deployment.security.itw.ignorecertissues
* netx/net/sourceforge/jnlp/resources/Messages.properties: BONosecurity is now tailed by rumor about deployment.security.itw.ignorecertissues
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: when ITW was about to throw certificate-caused launch exception, it is now consulted with nosecurity and deployment.security.itw.ignorecertissues. If both are set, the exception is only printed
author | Jiri Vanek <jvanek@redhat.com> |
---|---|
date | Fri, 02 Mar 2018 10:21:15 +0100 |
parents | 67fa5af65e7f |
children | f8fc55ba5af6 |
files | ChangeLog netx/net/sourceforge/jnlp/config/Defaults.java netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java netx/net/sourceforge/jnlp/resources/Messages.properties netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java |
diffstat | 5 files changed, 51 insertions(+), 8 deletions(-) [+] |
--- a/ChangeLog Fri Mar 02 10:18:08 2018 +0100
+++ b/ChangeLog Fri Mar 02 10:21:15 2018 +0100
@@ -1,3 +1,12 @@
+2018-02-03 Jiri Vanek <jvanek@redhat.com>
+
+ nosecurity switch made extendable also for certificate issues
+ * netx/net/sourceforge/jnlp/config/Defaults.java: set deployment.security.itw.ignorecertissues
+ * netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java: added deployment.security.itw.ignorecertissues
+ * netx/net/sourceforge/jnlp/resources/Messages.properties: BONosecurity is now tailed by rumor about deployment.security.itw.ignorecertissues
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: when ITW was about to throw certificate-caused launch exception,
+ it i snow consulted with nosecurity and deployment.security.itw.ignorecertissues. If both are here, exception is only printed
+
 2018-02-03 Jiri Vanek <jvanek@redhat.com>
 * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: autoformatted
--- a/netx/net/sourceforge/jnlp/config/Defaults.java Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/config/Defaults.java Fri Mar 02 10:21:15 2018 +0100
@@ -226,6 +226,11 @@
 String.valueOf(false)
 },
 {
+ DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES,
+ BasicValueValidators.getBooleanValidator(),
+ String.valueOf(false)
+ },
+ {
 DeploymentConfiguration.KEY_SECURITY_PROMPT_USER_FOR_JNLP,
 BasicValueValidators.getBooleanValidator(),
 String.valueOf(true)
@@ -445,4 +450,4 @@
 return result;
 }
-}
\ No newline at end of file
+}
--- a/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/config/DeploymentConfiguration.java Fri Mar 02 10:21:15 2018 +0100
@@ -150,6 +150,9 @@
 /** Boolean. Only install the custom authenticator if true */
 public static final String KEY_SECURITY_INSTALL_AUTHENTICATOR = "deployment.security.authenticator";
+ /** Boolean. Only install the custom authenticator if true */
+ public static final String KEY_SECURITY_ITW_IGNORECERTISSUES = "deployment.security.itw.ignorecertissues";
+
 public static final String KEY_STRICT_JNLP_CLASSLOADER = "deployment.jnlpclassloader.strict";
 /** Boolean. Do not prefere https over http */
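Review bot: The Javadoc on the new `KEY_SECURITY_ITW_IGNORECERTISSUES` constant is a copy of the authenticator comment directly above it and says nothing about what this key does. Because the key turns a launch-blocking verification failure into a log entry, the comment should state that and the required companion switch, for example `/** Boolean. If true and the runtime is started with the nosecurity switch, certificate and signature verification failures are logged instead of aborting the launch. Defaults to false. */`.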
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Fri Mar 02 10:21:15 2018 +0100
@@ -337,7 +337,7 @@
 BOVerbose = Enable verbose output.
 BOAbout = Shows a sample application.
 BOVersion = Print the IcedTea-Web version and exit.
-BONosecurity= Disables the secure runtime environment.
+BONosecurity= Disables the secure runtime environment. You need also deployment.security.itw.ignorecertissues to workaround corrupted signatures
 BONoupdate = Disables checking for updates.
 BOHeadless = Disables download window, other UIs.
 BOStrict = Enables strict checking of JNLP file format.
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Mar 02 10:18:08 2018 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Mar 02 10:21:15 2018 +0100
@@ -68,6 +68,7 @@
 import net.sourceforge.jnlp.LaunchDesc;
 import net.sourceforge.jnlp.LaunchException;
 import net.sourceforge.jnlp.NullJnlpFileException;
+import net.sourceforge.jnlp.OptionsDefinitions;
 import net.sourceforge.jnlp.ParseException;
 import net.sourceforge.jnlp.ParserSettings;
 import net.sourceforge.jnlp.PluginBridge;
@@ -89,6 +90,7 @@
 import net.sourceforge.jnlp.util.StreamUtils;
 import net.sourceforge.jnlp.util.UrlUtils;
 import net.sourceforge.jnlp.util.logging.OutputController;
+import static net.sourceforge.jnlp.runtime.Translator.R;
 /**
 * Classloader that takes it's resources from a JNLP file. If the JNLP file
@@ -342,6 +344,20 @@
 }
+ public static boolean isCertUnderestimated() {
+ return Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES))
+ && !JNLPRuntime.isSecurityEnabled();
+ }
+
+ private static void consultCertificateSecurityException(LaunchException ex) throws LaunchException {
+ if (isCertUnderestimated()) {
+ OutputController.getLogger().log(OptionsDefinitions.OPTIONS.NOSEC.option + " and " + DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES + " are declared. Ignoring certificate issue");
+ OutputController.getLogger().log(ex);
+ } else {
+ throw ex;
+ }
+ }
+
 public boolean isStrict() {
 return strict;
 }
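Review bot: In `consultCertificateSecurityException` the notice that a certificate failure is being ignored is written with the level-less `log(...)` calls, whereas the verification catch block touched later in this commit logs with `OutputController.Level.ERROR_ALL`. If the level-less overload is only shown in debug or verbose mode (not visible from this hunk), a launch that skipped verification leaves no trace the user or an auditor would see. Passing the level explicitly keeps the bypass visible, e.g. `OutputController.getLogger().log(OutputController.Level.ERROR_ALL, ex);`, with the message line treated the same way if a levelled string overload is available. Both new methods also lack Javadoc; `isCertUnderestimated` is public and should say it is true only when the property is set and security is disabled.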
@@ -719,8 +735,9 @@
 //Note: one of these exceptions could be from not being able
 //to read the cacerts or trusted.certs files.
 OutputController.getLogger().log(OutputController.Level.ERROR_ALL, e);
- throw new LaunchException(null, null, R("LSFatal"),
+ LaunchException ex = new LaunchException(null, null, R("LSFatal"),
 R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo") + ": " + e.getMessage());
+ consultCertificateSecurityException(ex);
 }
 //Case when at least one jar has some signing
@@ -1090,13 +1107,14 @@
 * Throws LaunchException if signed JNLP file fails to be verified
 * or fails to match the launching JNLP file
 */
- throw new LaunchException(file, null, R("LSFatal"), R("LCClient"),
+ LaunchException ex = new LaunchException(file, null, R("LSFatal"), R("LCClient"),
 R("LSignedJNLPFileDidNotMatch"), R(e.getMessage()));
-
+ consultCertificateSecurityException(ex);
 /*
 * Throwing this exception will fail to initialize the application
 * resulting in the termination of the application
 */
+
 } catch (Exception e) {
 OutputController.getLogger().log(e);
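Review bot: When `consultCertificateSecurityException(ex)` returns instead of throwing, control leaves this catch block and continues into the signing checks that follow ("Case when at least one jar has some signing"), even though the verification feeding them has just failed. The code after the catch lies outside the hunk, so whether it copes with a verifier left in a partial state cannot be confirmed from here; the same fall-through applies to the signed-JNLP mismatch hunk at -1090. A comment at the call site would make the intent explicit, e.g. `// returns only when nosecurity and ignorecertissues are both set; execution continues with unverified jars`.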
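Review bot: The comment kept below the new call in the -1090 hunk, "Throwing this exception will fail to initialize the application", no longer matches the code once the exception can be logged and dropped. It should be reworded, e.g. `/* Unless certificate issues are being ignored, the exception above fails initialisation and terminates the application */`. The enclosing try and the catch that binds `e` start outside the hunk.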
@@ -2456,11 +2474,19 @@
 */
 if (!runInSandbox && !classLoader.getSigning() && !classLoader.file.getSecurity().getSecurityType().equals(SecurityDesc.SANDBOX_PERMISSIONS)) {
 if (classLoader.jcv.allJarsSigned()) {
- throw new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LSignedJNLPAppDifferentCerts"), R("LSignedJNLPAppDifferentCertsInfo"));
+ LaunchException ex = new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LSignedJNLPAppDifferentCerts"), R("LSignedJNLPAppDifferentCertsInfo"));
+ consultCertificateSecurityException(ex);
+ return consultResult(codebaseHost);
 } else {
- throw new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LUnsignedJarWithSecurity"), R("LUnsignedJarWithSecurityInfo"));
+ LaunchException ex = new LaunchException(classLoader.file, null, R("LSFatal"), R("LCClient"), R("LUnsignedJarWithSecurity"), R("LUnsignedJarWithSecurityInfo"));;
+ consultCertificateSecurityException(ex);
+ return consultResult(codebaseHost);
 }
- } else if (!runInSandbox && classLoader.getSigning()) {
+ } else return consultResult(codebaseHost);
+ }
+
+ private SecurityDesc consultResult(URL codebaseHost){
+ if (!runInSandbox && classLoader.getSigning()) {
 return classLoader.file.getSecurity();
 } else {
 return new SecurityDesc(classLoader.file,
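Review bot: The inner `else` branch is the `LUnsignedJarWithSecurity` case, where not all jars are signed while the JNLP asks for something other than sandbox permissions, and it is now also reduced to a log line by a setting whose help text speaks only of corrupted signatures. If that is intended it belongs in the key's documentation; if not, that branch should keep its `throw new LaunchException(...)` unchanged. On style, all three paths end in `return consultResult(codebaseHost);`, so a single return after the outer `if` would replace the two inner returns and the unbraced `} else return ...`, and the `;;` after the second `LaunchException` can lose a semicolon. The enclosing method and the body of `consultResult` both continue outside the hunk.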