felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Walker (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (FELIX-4281) Security Warning: Felix with Java Web Start
Date Fri, 06 Jun 2014 13:20:02 GMT

    [ https://issues.apache.org/jira/browse/FELIX-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14019831#comment-14019831
] 

Rob Walker edited comment on FELIX-4281 at 6/6/14 1:19 PM:
-----------------------------------------------------------

One other curiosity - a Q for Karl.

In the patched code, I noticed the following:

{noformat}
            Felix.m_secureAction.addURLToURLClassLoader(Felix.m_secureAction.createURL(
                Felix.m_secureAction.createURL(null, "http:", extensionManager),
                "http://felix.extensions:9/", extensionManager),
                Felix.class.getClassLoader());

                extensionManager = new ExtensionManager();
{noformat}

Was curious why the extensionManager  is only set non-null after the addURLToURLClassLoader()
call. In the original version this would not have been a null value, the new ExtensionManager()
would have been supplied to this call.

Is there a specific reason to pass null for extensionManager into addURLToURLClassLoader()?


was (Author: walkerr):
One other curiosity - a Q for Karl.

In the patched code, I noticed the following:

{format}
            Felix.m_secureAction.addURLToURLClassLoader(Felix.m_secureAction.createURL(
                Felix.m_secureAction.createURL(null, "http:", extensionManager),
                "http://felix.extensions:9/", extensionManager),
                Felix.class.getClassLoader());

                extensionManager = new ExtensionManager();
{format}

Was curious why the extensionManager  is only set non-null after the addURLToURLClassLoader()
call. In the original version this would not have been a null value, the new ExtensionManager()
would have been supplied to this call.

Is there a specific reason to pass null for extensionManager into addURLToURLClassLoader()?

> Security Warning: Felix with Java Web Start
> -------------------------------------------
>
>                 Key: FELIX-4281
>                 URL: https://issues.apache.org/jira/browse/FELIX-4281
>             Project: Felix
>          Issue Type: Bug
>         Environment: Windows 7 with Java 7 update 40, 64 bits
>            Reporter: Cesar Souza
>            Assignee: Karl Pauls
>            Priority: Minor
>         Attachments: message.zip, sec_action.patch, viewer.jnlp, webstart.patch
>
>
> Since the release of Java 7 update 40 the following warning occurs when you try to execute
a signed (with valid certificate) Java Web Start application: 
> -----------------------------
> Security Warning
> Do you want to run this application?
> An unsigned application from the location below is requesting permission to run.
> http://......
> Running unsigned applications like this will be blocked in a future
> release because it is potentially unsafe and a security risk
> -----------------------------
> Although the Java recognizes the certificate in the first dialog, it shows the warning
message when the Felix's init method is invoked.
> I have tested a same application over Java 7 update 21 and everything is ok.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message