Bug 231951 - Accommodate new "No-Redeploy" WebStart security introduced in JDK 7u25
Status: RESOLVED FIXED
Alias: None
Product: projects
Classification: Unclassified
Component: Java Webstart
Version: 7.4
Hardware: PC Windows 7
Importance: P2 normal
Assignee: Petr Somol
Blocks: 234231

Reported: 2013-06-27 17:50 UTC by Petr Somol
Modified: 2013-11-20 13:04 UTC

Issue Type: TASK


Attachments
mockup of extended WebStart panel in SE project (81.24 KB, image/png), 2013-06-27 17:50 UTC, Petr Somol
mockup of extended Deployment panel in FX project (87.61 KB, image/png), 2013-06-27 17:55 UTC, Petr Somol

Description Petr Somol 2013-06-27 17:50:16 UTC
Created attachment 136424
mockup of extended WebStart panel in SE project

JDK 7u25 introduces new security features described at

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html

They consist of adding two new jar manifest attributes: Permissions and Codebase. When the WebStart launcher invokes the jar through jnlp, it first checks that the values of these two attributes (if present) match the settings specified in jnlp. In the case of the Codebase attribute, it is verified that the jar is launched from a URL specified in the Codebase attribute.

NetBeans 7.4 needs to accommodate these two new attributes to keep WebStart support up-to-date (note that the change in JDK 7u25 had not been reflected in the original 7.4 planning as it came into existence only very recently). This involves changing the UI both in Java SE and Java FX projects. This is not trivial due to possible unforeseeable and complicated consequences, thus I am asking for help with the review.

Note that the Codebase attribute should contain any user defined jnlp Codebase values in order to fulfill the condition stated above. From the UI point of view this implies that users should not need to explicitly copy the jnlp Codebase user definition to the newly introduced Manifest Codebase text input component. It should also be communicated that a copy of the user defined codebase is added automatically. (Should it be so?)

The question is whether to allow Permissions / Codebase attribute specification per project configuration or regardless of configurations. It may seem practical to allow configuration-dependent settings, but this is not in line with the current WebStart related UI, neither in SE nor in FX. Configurations are considered to be Run Configurations, while all deployment settings are specified in the Deployment, Packaging, and WebStart categories regardless of configuration context. This can hardly be changed now, being too close to UI and code freeze.


Java SE WebStart
----------------
The current implementation does not allow any security setting other than <all-permissions/>, thus it seems reasonable to always set the Permissions attribute to the same value. The UI needs to be extended to allow user defined Codebase specification.


Java FX WebStart
----------------
The current JavaFX UI also does not allow any security setting other than <all-permissions/>, thus it seems reasonable to always set the Permissions attribute to the same value. The UI needs to be extended to allow user defined Codebase specification. The problem here is that there is currently no support for jnlp user defined Codebase in FX projects (codebase definition is supported only in quite recent FX2 SDK versions). Therefore, it should be enough to provide a text input component for manual definition of Manifest Codebase without any reference to jnlp codebase.

I am going to attach panel mockups for discussion.
Note that a decision needs to be reached quite quickly due to upcoming deadlines.
Comment 1 Petr Somol 2013-06-27 17:55:32 UTC
Created attachment 136425
mockup of extended Deployment panel in FX project
Comment 2 Petr Somol 2013-08-13 11:50:40 UTC
Eventually we opted for a solution without UI change, due to the fact that we are now several months after NB7.4 feature freeze.

fixed in jetmain separately for SE and FX:
http://hg.netbeans.org/jet-main/rev/6f7b1939cd99
http://hg.netbeans.org/jet-main/rev/b62d48762fec

In SE the Codebase value is set based on what codebase type is selected in WebStart panel. In FX the Codebase is set by default to *.
Permissions attribute is set according to whether signing is enabled or not, following the previous convention used when generating jnlp (both in SE and FX).

Both in SE and FX the default Codebase and Permission attributes can be overridden by setting project properties:
manifest.custom.codebase
manifest.custom.permissions
Comment 3 PatrikOlsson 2013-11-20 13:04:43 UTC
For anyone who encounters this problem and needs a simple fix for web hosted JNLP, all you have to do is edit the manifest.mf template file located in your project's root folder in NetBeans and add these attributes:

Permissions: all-permissions
Codebase: download.domain.company.com

More information:

https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
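
Added example (not part of the original bug report or of the NetBeans code): a pre-deployment check that reads the Permissions and Codebase attributes from a JAR manifest, including values wrapped onto continuation lines, and compares them with the JNLP descriptor as described in the bug. The function names, the sample descriptor and the host-name-only matching rules are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample descriptor; the host is the one used in Comment 3.
SAMPLE_JNLP = ('<jnlp codebase="http://download.domain.company.com/app/">'
               '<security><all-permissions/></security></jnlp>')

def make_jar(manifest):
    """Build an in-memory JAR holding only the given manifest (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def main_attributes(jar_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            attrs[last] = value
    return attrs

def host_allowed(host, patterns):
    """Simplified matching (assumption): '*', exact host, or '*.suffix'."""
    host = host.lower()
    return any(p in ("*", host) or (p.startswith("*.") and host.endswith(p[1:]))
               for p in (p.lower() for p in patterns))

def check(jar_bytes, jnlp_xml):
    """List mismatches between the JAR manifest and the JNLP descriptor."""
    attrs = main_attributes(jar_bytes)
    root = ET.fromstring(jnlp_xml)
    problems = []
    wanted = "all-permissions" if root.find("security/all-permissions") is not None else "sandbox"
    if "Permissions" in attrs and attrs["Permissions"] != wanted:
        problems.append(f"Permissions is {attrs['Permissions']!r}, JNLP requests {wanted!r}")
    host = urlparse(root.get("codebase", "")).hostname or ""
    if "Codebase" in attrs and not host_allowed(host, attrs["Codebase"].split()):
        problems.append(f"Codebase {attrs['Codebase']!r} does not cover {host!r}")
    return problems
```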