Ok - so it seems my problem tracking wound up finding something already known:

https://issues.apache.org/jira/browse/FELIX-4281

We're hitting the exact same issue. Odd, because I did a JIRA search but must have missed this one.

I'll make further comments or proposed solutions in the JIRA issue.


-- Rob

On 05/06/2014 16:25, Rob Walker wrote:
I recall a thread some time back about issues using Felix with WebStart as a result of j7u45 security changes.

I'm not sure how far the investigations progressed, but I thought I'd report my findings in this area.

This will be rather a long email, but the summary is that with a latest trunk build, we are able to get Felix to WebStart.

All is not perfect though, and changes are needed - which I've described below. And at present 1 nasty issue remains, which I've also noted below. I'll update back if/when we resolve this final issue.

First off, some mods are needed to manifest attributes. We're an Ant user, and created a single task to do this for all our JARs in our top level build e.g.

    <target name="adjust-manifest-and-sign">
        <jar destfile="${theFile}" update="true">
            <manifest>
                <!-- Add required attributes for Web Start -->
                <attribute name="Permissions" value="all-permissions"/>
                <attribute name="Codebase" value="*"/>
                <attribute name="Application-Name" value="VersaTest"/>
            </manifest>
        </jar>
    </target>

There are other attributes mentioned in various articles on j7u45 changes, specifically:

    Application-Library-Allowable-Codebase: *
    Caller-Allowable-Codebase: *
    Trusted-Library: true
    Trusted-Only: true

So far I have not observed that any of these are needed or add any value to the webstart process at all. The Trusted-Library attribute is documented in various places as making matters worse. /Note here though our 1 outstanding issue - resolving this may alter our opinion on these./

I'm doubtful that /Application-Name/ is really needed in every JAR too - but since it's one Ant task to do all of ours, it's no more work and doesn't seem harmful either.

The next thing is that your JARs must be signed. I have read that a self-signing certificate can still be used if you use the Java Console to set a lower Security requirement. I can't report on this; we are signing with a full CA-issued certificate.

With these mods and JARs signed, the application launches - but we always get this message during launch:



It seems almost spurious, since the application does launch. But it does remain on-screen for a long time blocking the launch. Pressing OK dismisses the dialog, and the application then launches fine despite the dialog message. I thought I'd seen a case where the dialog times out on its own, but haven't been able to recreate that.

Doing a stack dump on the Java console actually shows where this dialog is coming from (trace below). It's low level in the classloader stack, rather nasty place for a dialog to pop up, but where it's happening makes perfect sense in terms of trust checking. The part in red is I think the section where the checking and problem occurs. What doesn't seem to make sense (yet) is why a trusted check would be failing in a signed application. This part we're still trying to isolate.


"Thread-15" #51 prio=6 os_prio=0 tid=0x000000002ba37000 nid=0x228c in Object.wait() [0x000000002a89a000]
java.lang.Thread.State: WAITING (on object monitor)
    at java.lang.Object.wait(Native Method)
    at java.lang.Object.wait(Unknown Source)
    at com.sun.javaws.ui.JavawsSysRun.delegate(Unknown Source)
    - locked <0x00000005c0f987e8> (a java.lang.Object)
    at com.sun.deploy.util.DeploySysRun.execute(Unknown Source)
    at com.sun.deploy.util.DeploySysRun$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.util.DeploySysRun.executePrivileged(Unknown Source)
    *at com.sun.deploy.ui.UIFactory.showPublisherInfo(Unknown Source)*
    *at com.sun.deploy.uitoolkit.impl.awt.ui.UIFactoryImpl.showPublisherInfo(Unknown Source)*
    *at com.sun.deploy.security.SandboxSecurity.showBlockedDialog(Unknown Source)*
    *- locked <0x00000005c141c9e0> (a java.lang.Object)*
    *at com.sun.deploy.security.SandboxSecurity.checkRunUntrusted(Unknown Source)*
    *at com.sun.deploy.security.SandboxSecurity.checkUnsignedSandboxSecurity(Unknown Source)*
    *- locked <0x00000005c142ebe0> (a com.sun.deploy.util.SessionProperties)*
    *at com.sun.deploy.security.SandboxSecurity.isPermissionGranted(Unknown Source)*
    at com.sun.javaws.security.AppPolicy.grantRestrictedAccess(Unknown Source)
    at com.sun.javaws.security.AppPolicy.addPermissions(Unknown Source)
    at com.sun.jnlp.JNLPClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    - locked <0x00000005c0f1f390> (a com.sun.deploy.security.CPCallbackHandler$ParentCallback)
    at com.sun.deploy.security.DeployURLClassPath$UrlLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    - locked <0x00000005c0f1f160> (a com.sun.deploy.security.DeployURLClassPath)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    - locked <0x00000005c0f1dfc0> (a com.sun.jnlp.JNLPClassLoader)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    - locked <0x00000005c0f1df48> (a com.sun.jnlp.JNLPClassLoader)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at org.apache.felix.framework.BundleWiringImpl.<clinit>(BundleWiringImpl.java:1339)
    at org.apache.felix.framework.StatefulResolver.markResolvedRevisions(StatefulResolver.java:990)
    at org.apache.felix.framework.StatefulResolver.resolve(StatefulResolver.java:429)
    at org.apache.felix.framework.Felix.init(Felix.java:692)
    at com.ascert.vt.launch.VtLauncher.launchFelix(VtLauncher.java:1011)
    at com.ascert.vt.launch.VtLauncher.launchProfile(VtLauncher.java:983)
    at com.ascert.vt.launch.VtLauncher.start(VtLauncher.java:675)
    at com.ascert.vt.launch.VersionCheckLaunchPanel$2.run(VersionCheckLaunchPanel.java:161)
    at java.lang.Thread.run(Unknown Source)




--


Ascert - Taking systems to the edge
r...@ascert.com
www.ascert.com

--


Ascert - Taking systems to the edge
r...@ascert.com
SA +27 21 300 2028
UK +44 20 7488 3470 ext 5119
www.ascert.com
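
A build-side check for the manifest attributes and signing step described in the message above, as an added example that is not part of the original thread or of Felix. The function names and sample JARs are constructed for illustration; the wildcard finding reflects that `Codebase: *` places no restriction on where the JAR may be served from, and the signature check only looks for signature files (cryptographic verification is still `jarsigner -verify`).

```python
import io
import zipfile

# Main-section attributes the post adds to every JAR for Web Start.
REQUIRED = ("Permissions", "Codebase", "Application-Name")
SIG_BLOCKS = (".RSA", ".DSA", ".EC")

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF (up to the first blank line)."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if not line:
            break                       # per-entry sections follow; not needed here
        if line.startswith(" ") and last:
            attrs[last] += line[1:]     # continuation of a wrapped 72-byte line
            continue
        name, sep, value = line.partition(": ")
        if sep:
            last = name
            attrs[name] = value
    return attrs

def audit_jar(jar):
    """Return a list of findings for one JAR (path or file-like object)."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no manifest"]
        attrs = main_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    findings += ["missing " + key for key in REQUIRED if key not in attrs]
    if attrs.get("Codebase") == "*":
        findings.append("Codebase is a wildcard")
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith(SIG_BLOCKS) for n in meta)
    if not (has_sf and has_block):
        findings.append("no signature files")
    return findings

def build_sample(manifest, signed):
    """Constructed in-memory JAR; the signature files are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/SAMPLE.SF", "")
            zf.writestr("META-INF/SAMPLE.RSA", "")
    buf.seek(0)
    return buf
```

Running `audit_jar` over every JAR after the Ant task gives a quick list of artifacts that were skipped by the manifest update or the signing step before they reach the Web Start server.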
