felix-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Walker <r...@ascert.com>
Subject Re: Security Warning: Felix with Java Web Start
Date Thu, 17 Oct 2013 12:49:47 GMT
Yep - I think using app arguments is probably what let you start the app.

I suspect the fact that you aren't signing the JNLP could account for 
why you are seeing the warning.

It was a pain when Sun introduced the need to sign JNLPs - there was a 
security hole they needed to close, but it made it very difficult to do 
any kind of dynamic handling with them.

-- Rob

On 17/10/2013 2:46 PM, Cesar Souza wrote:
> hi Rob
>
> I am not signing the JNLP file.
> But now all the properties are in application's arguments:
>
> https://github.com/nroduit/weasis-pacs-connector/blob/master/src/main/resources/weasis-jnlp-default.xml
>
> On Wed, Oct 16, 2013 at 4:36 PM, Rob Walker <robw@ascert.com> wrote:
>> Are you signing your JNLP file?
>>
>> If not, use of properties may have something to do with your problem:
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/signedJNLP.html
>>
>> -- Rob
>>
>>
>> On 16/10/2013 9:21 PM, Cesar Souza wrote:
>>> now the application is working again in Java 7u45, but the warning
>>> still appearing.
>>>
>>> before the jnlp code was:
>>>
>>> <resources>
>>>       <property name="felix.config.properties"
>>> value="conf/config.properties" />
>>>       <property name="gosh.args" value="-sc telnetd -p 17179 start" />
>>> </resources>
>>>
>>> we change it to:
>>>
>>> <application-desc main-class="...WebstartLauncher">
>>>
>>> <argument>-VMPfelix.config.properties="conf/config.properties"</argument>
>>>       <argument>-VMPgosh.args="-sc telnetd -p 17179 start"</argument>
>>> </application-desc>
>>>
>>> the whole project is here:
>>> http://www.dcm4che.org/confluence/display/WEA/Building+Weasis+from+source
>>>
>>> On Wed, Oct 16, 2013 at 10:25 AM, Karl Pauls <karlpauls@gmail.com> wrote:
>>>> Alternatively, can you try to get me more information about what is
>>>> failing
>>>> exactly?
>>>>
>>>> regards,
>>>>
>>>> Karl
>>>>
>>>>
>>>> On Wed, Oct 16, 2013 at 2:40 PM, Karl Pauls <karlpauls@gmail.com> wrote:
>>>>
>>>>> it would be really helpful if you could provide me with a failing toy
>>>>> example...
>>>>>
>>>>> regards,
>>>>>
>>>>> Karl
>>>>>
>>>>>
>>>>> On Wed, Oct 16, 2013 at 2:37 PM, Cesar Souza <cesar@animati.com.br>
>>>>> wrote:
>>>>>
>>>>>> Hi guys
>>>>>>
>>>>>> We are facing a big problem, our software cannot run under Java 7
>>>>>> update 45 due to the problem that I reported here.
>>>>>> Please, can you raise the priority of the issue on Jira ?
>>>>>>
>>>>>> On Fri, Oct 11, 2013 at 4:00 PM, Rob Walker <robw@ascert.com>
wrote:
>>>>>>> Will def update the issue with anything I find.
>>>>>>> Our examples are anything but small though - very hard to split
stuff
>>>>>> out, 40+ bundles and a ton of our own app code plus off the shelf
libs.
>>>>>>> Will report back with findings though!
>>>>>>> - Rob
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>
>>>>>>> From: "Cesar Souza" <cesar@animati.com.br>
>>>>>>> To: users@felix.apache.org
>>>>>>> Sent: Friday, 11 October, 2013 8:55:50 PM
>>>>>>> Subject: Re: Security Warning: Felix with Java Web Start
>>>>>>>
>>>>>>> Thanks, Rob
>>>>>>>
>>>>>>> If you have a small example, please attach it to the Jira issue
that
>>>>>>> I've just created.
>>>>>>>
>>>>>>> https://issues.apache.org/jira/browse/FELIX-4281
>>>>>>>
>>>>>>> On Fri, Oct 11, 2013 at 3:42 PM, Rob Walker <robw@ascert.com>
wrote:
>>>>>>>> I have J7u40, but I haven't tested the WebStart aspect since
>>>>>>>> updating.
>>>>>> Quite possible it will hit the same problem, saw the warnings in
the
>>>>>> release notes. Will give it a try next week if I get a chance and
>>>>>> report
>>>>>> back
>>>>>>>> - Rob
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>
>>>>>>>> From: "Cesar Souza" <cesar@animati.com.br>
>>>>>>>> To: users@felix.apache.org
>>>>>>>> Sent: Friday, 11 October, 2013 6:52:26 PM
>>>>>>>> Subject: Re: Security Warning: Felix with Java Web Start
>>>>>>>>
>>>>>>>> Hi Rob
>>>>>>>>
>>>>>>>> I have already verified all jars in my application.
>>>>>>>> Are you using the Java 7 update 40 with your web start application
??
>>>>>>>>
>>>>>>>> Is there a way to turn on the debug log in Felix?
>>>>>>>> Maybe I can see what resource is causing the security warning.
>>>>>>>>
>>>>>>>> On Fri, Oct 11, 2013 at 2:26 AM, Rob Walker <robw@ascert.com>
wrote:
>>>>>>>>> That seems to imply at least one of the JARs or bundles
being loaded
>>>>>> isn't
>>>>>>>>> signed - probably worth a re-check on all JARs to make
sure
>>>>>> everything is
>>>>>>>>> signed.
>>>>>>>>>
>>>>>>>>> We also use a launcher, and WebStart Felix. Our production
build we
>>>>>> signs
>>>>>>>>> everything and we don't see that message - but in development,
where
>>>>>> we
>>>>>>>>> don't sign, we do get it.
>>>>>>>>>
>>>>>>>>> I think I remember reading the latest Java versions are
>>>>>>>>> progressively
>>>>>>>>> locking down the running of unsigned JARs, which is causing
some
>>>>>>>>> controversy.
>>>>>>>>>
>>>>>>>>> -- Rob
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 10/10/2013 9:37 PM, Cesar Souza wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> I have a valid certificate and I already successfully
signed a Java
>>>>>>>>>> Web Start application. So, there is no problem with
the certificate
>>>>>> or
>>>>>>>>>> the process to sign my applications.
>>>>>>>>>> But now I am trying to sign another application that
uses Felix.
>>>>>> There
>>>>>>>>>> is a launcher and all the libraries are in a remote
directory, all
>>>>>>>>>> them signed, accessed through a web server.
>>>>>>>>>> When I launch the application everything is OK until
the execution
>>>>>>>>>> of
>>>>>>>>>> the Felix's init method. In this moment a dialog
appears and show
>>>>>>>>>> the
>>>>>>>>>> following message:
>>>>>>>>>> -----------------------------------
>>>>>>>>>> "Security Warning
>>>>>>>>>>
>>>>>>>>>> Do you want to run this application?
>>>>>>>>>> An unsigned application from the location below is
requesting
>>>>>> permission
>>>>>>>>>> to run.
>>>>>>>>>>
>>>>>>>>>> Running unsigned applications like this will be blocked
in a future
>>>>>>>>>> release because it is potentially unsafe and a security
risk."
>>>>>>>>>> -----------------------------------
>>>>>>>>>>
>>>>>>>>>> Is this a Felix's security problem ?
>>>>>>>>>> Thanks for helping me.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>>>>>>>>>> For additional commands, e-mail: users-help@felix.apache.org
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ascert - Taking systems to the edge
>>>>>>>>> robw@ascert.com
>>>>>>>>> +27 21 300 2028 ext 5119
>>>>>>>>> www.ascert.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@felix.apache.org
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> atenciosamente,
>>>>>>>> Cesar Souza
>>>>>>>>
>>>>>>>> Animati Computação Aplicada
>>>>>>>> Santa Maria, RS - (55) 3286 4010
>>>>>>>> http://animati.com.br
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>>>>>>>> For additional commands, e-mail: users-help@felix.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> atenciosamente,
>>>>>>> Cesar Souza
>>>>>>>
>>>>>>> Animati Computação Aplicada
>>>>>>> Santa Maria, RS - (55) 3286 4010
>>>>>>> http://animati.com.br
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>>>>>>> For additional commands, e-mail: users-help@felix.apache.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> atenciosamente,
>>>>>> Cesar Souza
>>>>>>
>>>>>> Animati Computação Aplicada
>>>>>> Santa Maria, RS - (55) 3286 4010
>>>>>> http://animati.com.br
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>>>>>> For additional commands, e-mail: users-help@felix.apache.org
>>>>>>
>>>>>>
>>>>> --
>>>>> Karl Pauls
>>>>> karlpauls@gmail.com
>>>>> http://twitter.com/karlpauls
>>>>> http://www.linkedin.com/in/karlpauls
>>>>> https://profiles.google.com/karlpauls
>>>>>
>>>>
>>>> --
>>>> Karl Pauls
>>>> karlpauls@gmail.com
>>>> http://twitter.com/karlpauls
>>>> http://www.linkedin.com/in/karlpauls
>>>> https://profiles.google.com/karlpauls
>>>
>>>
>> --
>>
>>
>> Ascert - Taking systems to the edge
>> robw@ascert.com
>> +27 21 300 2028 ext 5119
>> www.ascert.com
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>> For additional commands, e-mail: users-help@felix.apache.org
>>
>
>

-- 


Ascert - Taking systems to the edge
robw@ascert.com
+27 21 300 2028 ext 5119
www.ascert.com


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org


Mime
View raw message