This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
I will attach a patch that allows us to run our JNLP application without signing the jar files. It replaces the Web Start security manager and grants all permissions to everyone ...
Created attachment 30112: patch against trunk as of 20060427
When I think about it - it might be better to use the patch only if some system property is set? What about "netbeans.jnlp.allPermissionsSecurityManager"? Better names? For Jarda: #75639 is also related to this ...
RuntimePermissionCollection could probably be replaced by AllPermissions. I am confused by this. Is the app declared as <all-permissions/> or no? Seems like a loophole in the JNLP impl if this actually works - the JNLP sec mgr should prevent you from overriding itself before it has checked your signatures.
It definitely works for us ;-) With this you can declare only one jar with <all-permissions/> - the rest can stay even unsigned, without the <security/> tag at all. Works on JDK 1.4.2_xx just fine. And it is way, way faster during startup (without the signatures). AllPermission: you would need AllPermissionCollection, which is in the file AllPermission.java (java.security), but it is not a public class ...
Ha, just checked. Maybe we could use new AllPermission().newPermissionCollection() but the class does something. Would have to check. BTW I am not the author of that class.
Ah, you sign just the first JAR. Useful trick. Not sure if it ought to be made the default or not. Yarda, any opinion on this?
I have made the commit to the trunk. Not sure what the target milestone should be here (no dev) 5.0u2 ???

Checking in arch.xml;
/cvs/apisupport/harness/arch.xml,v <-- arch.xml
new revision: 1.4; previous revision: 1.3
done
Checking in jnlp-src/org/netbeans/modules/apisupport/jnlplauncher/Main.java;
/cvs/apisupport/harness/jnlp-src/org/netbeans/modules/apisupport/jnlplauncher/Main.java,v <-- Main.java
new revision: 1.4; previous revision: 1.3
done
Checking in jnlp-src/org/netbeans/modules/apisupport/jnlplauncher/RuntimePolicy.java;
/cvs/apisupport/harness/jnlp-src/org/netbeans/modules/apisupport/jnlplauncher/RuntimePolicy.java,v <-- RuntimePolicy.java
new revision: 1.2; previous revision: 1.1
done
RCS file: /cvs/apisupport/harness/test/unit/src/org/netbeans/modules/apisupport/jnlplauncher/FixPolicyTest.java,v
done
Checking in test/unit/src/org/netbeans/modules/apisupport/jnlplauncher/FixPolicyTest.java;
/cvs/apisupport/harness/test/unit/src/org/netbeans/modules/apisupport/jnlplauncher/FixPolicyTest.java,v <-- FixPolicyTest.java
initial revision: 1.1
done
Is this really generally useful enough to justify integration into code that every JNLP app is using? I mean, David, you have your own Main class anyway, why don't you put such a hack there? If it is that useful, then I'd like to know:
1. What if someone wants less than AllPermission? How is that done?
2. Why is the Policy subclass public?
Hello, we have started to use your main class from 5.0. I have applied a modified diff - I have put a system property there that turns this on only on request (the default is *not* to use this hack). The policy subclass is not public in the final diff. I am using AllPermission instead of the original (per Jesse's suggestion). I have added a test and changed the arch doc about the system property. Hope it is OK like this ... if not, please check the actual trunk sources and file bugs against me (or reopen this one).
Haven't got cvs@ messages yet (delayed?) but sounds OK from description. Will let you know if I see anything that needs polishing. Thanks for this, didn't realize it was possible.
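The shape the thread converges on (a non-public Policy that grants AllPermission and is installed only when a system property asks for it) can be sketched as below. This is an added example, not the code committed to apisupport/harness: the class name is hypothetical, the property name is the one proposed earlier in the thread (the committed name is not shown on this page), and it assumes a JDK that still supports java.security.Policy.setPolicy.

```java
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;

// Package-private, as in the thread's final diff: nothing outside the launcher
// package should be able to instantiate or install this policy.
final class AllPermissionPolicy extends Policy {
    // Assumption: property name proposed in the thread, not confirmed as committed.
    static final String SWITCH = "netbeans.jnlp.allPermissionsSecurityManager";

    // AllPermissionCollection is not public, so obtain it through AllPermission.
    // The collection starts empty; the permission has to be added explicitly.
    // A fresh instance is returned each time because collections are mutable.
    private static PermissionCollection all() {
        AllPermission p = new AllPermission();
        PermissionCollection pc = p.newPermissionCollection();
        pc.add(p);
        return pc;
    }

    @Override public PermissionCollection getPermissions(CodeSource cs) { return all(); }
    @Override public PermissionCollection getPermissions(ProtectionDomain pd) { return all(); }
    @Override public boolean implies(ProtectionDomain pd, Permission perm) { return true; }

    // Default is off: without -D<SWITCH>=true the existing policy stays in place
    // and unsigned jars keep running with whatever the JNLP runtime grants them.
    static boolean installIfRequested() {
        if (!Boolean.getBoolean(SWITCH)) {
            return false;
        }
        // Needs SecurityPermission "setPolicy", i.e. the calling jar must itself
        // be signed and declared with <all-permissions/>.
        Policy.setPolicy(new AllPermissionPolicy());
        return true;
    }

    public static void main(String[] args) {
        boolean on = installIfRequested();
        System.out.println(SWITCH + " -> policy replaced: " + on);
    }
}
```

Once the switch is on, signature checks no longer constrain any jar in the application, so the property is best treated as a deployment-time decision that is set in the JNLP descriptor of the signed launcher jar and audited like any other privilege grant.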