commons-user mailing list archives

From Simon Kitching <skitch...@apache.org>
Subject Re: [Digester] Digester is a security violation when using JNLP?
Date Sat, 19 Feb 2005 00:18:10 GMT
On Fri, 2005-02-18 at 16:57 -0600, Vic wrote:
> Digester reads an XML file, and JNLP/WebStart classloader won't let you 
> read files without signing all the jars.

Yes, that sounds reasonable to me; applications should be sandboxed.

Applications that require access outside the sandbox (including
applications that can read arbitrary files off the local disk) should be
signed and require the user to confirm that they understand these are
not sandboxed apps.

> I chose not to use commons-chains (it uses digester) on the Swing side 
> because of this.
> 
> Signing the jars leads to this 4 year old bug:
>    http://forums.java.net/jive/thread.jspa?threadID=315&tstart=0

Yes, I see this can be confusing to users. Ordinary applications don't
have the concept of a "sandbox", nor of signed code. Users have got into
the habit of just trusting any old code (hence the wave of trojans,
viruses, etc). But suddenly encountering a java app that asks them
whether they want to grant access to their machines (when they do this
implicitly whenever they install a non-java app) could well confuse
them.

A shame such users can't just be educated (with a large stick if
necessary).

I'm not convinced that your proposal (essentially dumbing down JNLP to
the poor standard of all other software) is entirely satisfactory, but I
agree there is a real problem that needs to be addressed somehow.

On the other hand, given that sandbox-able apps are actually 0.01% of
all apps, it does seem a shame that this extra step is needed for the
vast majority of cases...
Anyway, back to Digester. It seems to me that the problem you are
describing will apply to any java code at all that reads external files
(ie wants access beyond the sandbox). Your email was not a warning about
Digester+JNLP, but in fact a recommendation to avoid JNLP completely, in
order to avoid user confusion over the "accept signed application"
dialog, yes?
Regards,

Simon

