commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (IO-445) attributes are missing in MANIFEST.MF
Date Wed, 04 Jun 2014 17:17:04 GMT

    [ https://issues.apache.org/jira/browse/IO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017883#comment-14017883
] 

Sebb edited comment on IO-445 at 6/4/14 5:16 PM:
-------------------------------------------------

We could of course add this to the parent pom, but won't this bypass any security checks in
the browser?
Is that something we want to do? Should we not perform some kind of security analysis first?

The "Application Name" field looks safe enough to add (though it is optional anyway). I'm
not sure about the rest.

According to the linked article, Codebase cannot be "*"
{quote}
An asterisk \(*) can be used as a wildcard only at the beginning of the domain name, and cannot
be used with only a top-level domain, such as *.com. 
{quote}

So I don't see how we can possibly provide a Codebase that works for all users.

I suspect these values need to be set up by the person who wants to use the jar.


was (Author: sebb@apache.org):
We could of course add this to the parent pom, but won't this bypass any security checks in
the browser?
Is that something we want to do? Should we not perform some kind of security analysis first?

The "Application Name" field looks safe enough to add (though it is optional anyway). I'm
not sure about the rest.

According to the linked article, Codebase cannot be "*"
{quote}
An asterisk (*) can be used as a wildcard only at the beginning of the domain name, and cannot
be used with only a top-level domain, such as *.com. 
{quote}

So I don't see how we can possibly provide a Codebase that works for all users.

I suspect these values need to be set up by the person who wants to use the jar.

> attributes are missing in MANIFEST.MF
> -------------------------------------
>
>                 Key: IO-445
>                 URL: https://issues.apache.org/jira/browse/IO-445
>             Project: Commons IO
>          Issue Type: Bug
>    Affects Versions: 2.4
>            Reporter: Jeff Yu
>            Priority: Critical
>
> We are encountering an issue using commons-io-2.4.jar inside an applet.
> Since the 7U45 of java, the MANIFEST of a jar used inside an applet must be complete.
> 3 attributes are missing in the MANIFEST
> Trusted-Library : true
> Application-Name : <<as you want>>
> Permissions : all-permissions (or less if you want to be precise)
> Codebase : *
> see : http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
> Without these attributes, the JRE refuse to execute an applet containing commons-io-2.4.jar.
> Could you please fix that in order to make these two jars usable inside an applet ?
> Thanks



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message