Bug ID: 4734410 JAVAWS is passing the property set in extension installer to main program

4734410 : JAVAWS is passing the property set in extension installer to main program

Details

Type:	Bug	Submit Date:	2002-08-21
Status:	Closed	Updated Date:	2002-12-06
Project Name:	JDK	Resolved Date:	2002-11-19
Component:	deploy	OS:	solaris_8
Sub-Component:	webstart	CPU:	sparc
Priority:	P3
Resolution:	Fixed
Affected Versions:	1.4.1
Fixed Versions:	1.4.2

Related Reports

Sub Tasks

Description

See comments.

###@###.### 2002-08-20

Comments

CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: mantis FIXED IN: mantis INTEGRATED IN: mantis mantis-b08 VERIFIED IN: mantis-beta
2004-08-31
SUGGESTED FIX Basically, in the old method of setting properties from the jnlp file, we would Construct the AppPolicy with all the properties from the jnlp file and all it's extensions. Then on the first CodeSource loaded, we would set all those properties (if they start with jnlp, javaws, or if the jnlp file for that CodeSource requested all-permissions, and we are granting). The problem is, that if an extension has all-permissions, and the main jnlp does not, we would try (and fail) to set the property when we loaded the first jar from the main jnlp file. With this change we only load the properties from the jnlp file associated with the CodeSource being loaded, and they will only work according to that CodeSource's permissions. This does not mean that a property set in an extension will not be set for the main program. There is only one VM running, and only one set of system properties. However, a property will not be set, or attempt to be set, until a CodeSource from a jar in the jnlp file containing that property is loaded and verified. ###@###.### 2002-10-16
2002-10-16
EVALUATION There are two problems here - one should be an ref to the spec: 1.) Scope of properties listed in extensions is not clear in spec. (The jnlp spec says component-extensions cannot have a j2se element, this should also apply to installer-extensions. The spec does not say anything about property settings in extensions, the code allows it, but since we know restrict properties to start with javaws or jnlp if not in trusted env, we get bug 2.) below) The spec should clearly state that all properties are set in the same VM, so will be available to code loaded from either the main jnlp file or any extensions. 2.) when implementing the security fix requiring sandbox restrictions on setting properties in jnlp files. It was assumed (incorrectly) that all the properties could be set while loading the main jar file of the application, in cases like this we are no longer in a security context that would allow this. I am going to split this into 2 bugs, where 1.) above will be a new spec rfe or bug, and this bug will be confined to the 2.) above. ###@###.### 2002-08-21
2002-08-21
WORK AROUND We have work around: 1. set the property name to be jnlp.* or, let the main jnlp file asking full permission. ###@###.### 2002-08-20
2002-08-20

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together