felix-users mailing list archives

From Nicolas Roduit <Nicolas.Rod...@jmicrovision.com>
Subject Re: Security Warning: Felix with Java Web Start
Date Sun, 27 Oct 2013 11:33:50 GMT
I made more investigations and I managed to reproduce the issue with 
only the Felix framework (4.2.1 and 4.3).

This warning dialog appears in framework/BundleWiringImpl.java (line 
1320) when it tries to find a class which doesn't exist 
"Class.forName("dalvik.system.DexFile");"

I can reproduce the issue with the contextClassloader which is 
JNLPClassLoader:
             ClassLoader cl2 = Thread.currentThread().getContextClassLoader();
             try {
                 Class.forName("dalvik.system.DexFile", true, cl2);
             } catch (Throwable e) {
                 e.printStackTrace();
             }

Error:
java.lang.RuntimeException: ExitException[ 0]java.lang.SecurityException: User declined to run unsigned sandbox app
     at com.sun.jnlp.JNLPClassLoader.getTrustedCodeSources(Unknown Source)
     at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
     at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$UrlLoader.<init>(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
     at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
     at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
     at java.lang.Class.forName0(Native Method)
     at java.lang.Class.forName(Class.java:270)
     at org.apache.felix.framework.BundleWiringImpl.<clinit>(BundleWiringImpl.java:1325)
     at org.apache.felix.framework.StatefulResolver.markResolvedRevisions(StatefulResolver.java:938)
     at org.apache.felix.framework.StatefulResolver.resolve(StatefulResolver.java:427)
     at org.apache.felix.framework.Felix.init(Felix.java:684)
     at org.weasis.launcher.WeasisLauncher.launch(WeasisLauncher.java:347)
     at org.weasis.launcher.WebstartLauncher.main(WebstartLauncher.java:58)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:606)
     at com.sun.javaws.Launcher.executeApplication(Unknown Source)
     at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
     at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
     at com.sun.javaws.Launcher.run(Unknown Source)
     at java.lang.Thread.run(Thread.java:744)
Caused by: ExitException[ 0]java.lang.SecurityException: User declined to run unsigned sandbox app
     at com.sun.javaws.security.AppPolicy.grantRestrictedAccess(Unknown Source)
     at com.sun.javaws.security.AppPolicy.addPermissions(Unknown Source)
     ... 34 more


... but with the system SystemClassLoader 
"sun.misc.Launcher$AppClassLoader" or with null it triggers the normal 
exception "ClassNotFoundException" without security dialog.

I managed to pass the felix.init() without having the dialog by replacing, 
in 3 places in the framework, "Class.forName("class");" with 
"Class.forName("class", true, null);". However, I get the security 
dialog when the Gogo bundle starts, so it doesn't seem to be a good way to 
fix the issue.

I also notice that once the dialog has appeared, JNLPClassLoader has a 
normal behavior.

You'll find a simple test case 
(https://issues.apache.org/jira/browse/FELIX-4281) which tries to find a 
class with JNLPClassLoader (same as Felix does), but the dialog never 
appears!!!!!

This bug is elusive. It doesn't appear in debug mode and I really don't 
see the difference when running Felix or not (printing all the variables 
of JNLPClassLoader doesn't show any differences). I guess there is a 
contextual difference but where?

Setting "System.setSecurityManager(null)" doesn't help.

Nicolas

On 23. 10. 13 22:57, Nicolas Roduit wrote:
> Hi all,
>
> I had JNLP file in https://issues.apache.org/jira/browse/FELIX-4281 to 
> show the issue. The problem seems to be located in the Felix 
> initialization, but I am not 100% sure because I modified felix.Main 
> (https://github.com/nroduit/Weasis/blob/master/weasis-launcher/src/main/java/org/weasis/launcher/WeasisLauncher.java)
> and the problem doesn't appear when I try to debug Java Web Start with 
> the command:
> javaws -verbose -J-Xdebug -J-Xnoagent 
> -J-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8787 
> viewer.jnlp
>
> Even "javaws -verbose viewer.jnlp" doesn't show the security message 
> but "javaws viewer.jnlp" does! And the application loads correctly 
> when you cancel the security message!
>
> Nicolas
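
The loader-dependent lookup described in this message, as an added example that is not part of the original post or of the Felix code base. RecordingLoader is a hypothetical stand-in for a class-path-backed loader such as JNLPClassLoader: it records when a probe for a missing class reaches the loader's own findClass step (the step visible in the stack trace), and shows that a lookup with a null loader never gets there. It does not reproduce the Web Start dialog itself.

```java
import java.util.ArrayList;
import java.util.List;

public class OptionalClassProbe {

    /** Hypothetical stand-in for a class-path-backed loader such as JNLPClassLoader. */
    static final class RecordingLoader extends ClassLoader {
        final List<String> classPathSearches = new ArrayList<>();

        RecordingLoader() {
            super(null); // parent is the bootstrap loader only
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            // Reached only after parent delegation has failed. A URL-backed loader
            // opens its class path elements at this point; in the trace above that
            // is where the deployment security check runs.
            classPathSearches.add(name);
            throw new ClassNotFoundException(name);
        }
    }

    /** Returns true if the class is visible to the given loader (null = bootstrap). */
    static boolean isPresent(String name, ClassLoader loader) {
        try {
            Class.forName(name, true, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String probe = "dalvik.system.DexFile"; // absent on a desktop JVM
        RecordingLoader loader = new RecordingLoader();

        // Probe through the loader: the miss falls through to findClass.
        boolean viaLoader = isPresent(probe, loader);
        System.out.println("via loader:    found=" + viaLoader
                + ", class path searches=" + loader.classPathSearches);

        // Probe through the bootstrap loader: the application loader is never consulted.
        boolean viaBootstrap = isPresent(probe, null);
        System.out.println("via bootstrap: found=" + viaBootstrap
                + ", class path searches=" + loader.classPathSearches);
    }
}
```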

