[
https://issues.apache.org/jira/browse/PIVOT-920?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13979648#comment-13979648
]
Sandro Martini edited comment on PIVOT-920 at 4/24/14 1:23 PM:
---------------------------------------------------------------
Note that even without changes in our build (to include new attributes in the
manifest inside any jar files, and use the signed version of jars, etc) a
workaround is to add http://pivot.apache.org in Site exception list under the
Tab Security in the Java Control Panel (at least in Windows).
Finally, check if it makes sense now to use in Tutorials and Demos the unsigned
version of our jars (and copy inside generated war files) ...
Note that the signing certificate that we use is self-signed so I'm not sure we
could resolve this issue without some help from Infra. After some small local
changes (but still not committed) Applets doesn't work because updated JRE 7
block them.
Some info here:
http://www.java.com/en/download/help/appsecuritydialogs.xml#selfsigned
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
Test pages are available here (and served by the real http server):
http://svn.apache.org/repos/asf/pivot/site/trunk/deploy/tests/
After adding Pivot Web Site in Sites Exclusion List, all unsigned Applets
restart to work (even without changes), so unless objections I'd make little
changes but only in trunk (not under 2.0.x). But (self) signed Applets wont'
work anymore the same (unless lowering a lot the Java Security bar I think).
As seen here:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html
required changes could be to add new properties for manifest in jars in
build.xml, but keep the value of Permissions to sandbox, and for Codebase to
empty string in build.properties .
And update generated applet properties to add something like this:
parameters.permissions = "sandbox";
in generated html pages for the web site and our war files.
was (Author: smartini):
Note that even without changes in our build (to include new attributes in the
manifest inside any jar files, and use the signed version of jars, etc) a
workaround is to add http://pivot.apache.org in Site exception list under the
Tab Security in the Java Control Panel (at least in Windows).
Finally, check if it makes sense now to use in Tutorials and Demos the unsigned
version of our jars (and copy inside generated war files) ...
Note that the signing certificate that we use is self-signed so I'm not sure we
could resolve this issue without some help from Infra. After some small local
changes (but still not committed) Applets doesn't work because updated JRE 7
block them.
Some info here:
http://www.java.com/en/download/help/appsecuritydialogs.xml#selfsigned
Test pages are available here (and served by the real http server):
http://svn.apache.org/repos/asf/pivot/site/trunk/deploy/tests/
After adding Pivot Web Site in Sites Exclusion List, all unsigned Applets
restart to work (even without changes), so unless objections I'd make little
changes but only in trunk (not under 2.0.x). But (self) signed Applets wont'
work anymore the same (unless lowering a lot the Java Security bar I think).
As seen here:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html
required changes could be to add new properties for manifest in jars in
build.xml, but keep the value of Permissions to sandbox, and for Codebase to
empty string in build.properties .
And update generated applet properties to add something like this:
parameters.permissions = "sandbox";
in generated html pages for the web site and our war files.
> Update Pivot to New security requirements for RIAs in 7u51
> -----------------------------------------------------------
>
> Key: PIVOT-920
> URL: https://issues.apache.org/jira/browse/PIVOT-920
> Project: Pivot
> Issue Type: New Feature
> Components: project, site
> Reporter: Sandro Martini
> Assignee: Sandro Martini
> Fix For: 2.1
>
>
> As seen here (
> https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
> ), we have to update our jars or users won't be able to run our
> Tutorials/Demos from the Web Site ... and even when running from related war
> files in our distribution.
> Note that for signed jars we have only a self-signed certificate, so we have
> to check with ASF if it's something that could be handled at Infra level
> (from a Build Server, or something that takes released jars and sign them
> ...). Note that the same apply even with pack200 version of our jars.
> Maybe a related issue for INFRA could be useful ...
> Some discussions here:
> http://apache-pivot-developers.417237.n3.nabble.com/Update-Pivot-to-New-security-requirements-for-RIAs-in-7u51-td4026251.html
--
This message was sent by Atlassian JIRA
(v6.2#6252)
