Karel Hübl created PIVOT-965:
--------------------------------

             Summary: Java 8 BXML scripting security issues in Apache Pivot RIAs
                 Key: PIVOT-965
                 URL: https://issues.apache.org/jira/browse/PIVOT-965
             Project: Pivot
          Issue Type: Bug
          Components: core-serialization
    Affects Versions: 2.0.4
         Environment: Windows, Sun JRE 64-bit 1.8.0_31b13
            Reporter: Karel Hübl


We encountered security issues in our Pivot application after upgrading to JRE 
1.8. The application is deployed as a RIA using Java Web Start.

I found out that the problem is connected with the Nashorn script engine, which 
replaced the Rhino script engine from the previous Java version. BXMLSerializer is 
using ScriptEngine to evaluate scripts in BXML files. It seems that all calls 
initiated from BXML scripts are considered untrusted in the JRE 1.8 RIA 
environment - this means security dialogs and exceptions are thrown when 
trying to execute privileged actions (network communication, reflection ...).

Currently, I am not sure if this is a Pivot or Nashorn bug, but it is a problem 
for current Apache Pivot RIAs. To investigate the scripting behaviour in RIAs, 
I created a testing non-Pivot project https://github.com/kaja78/jnlpScripting. The 
project contains a testing application, which is deployed as JWS. When you 
execute the Java Web Start app in JRE 1.8, the security dialog is displayed 
when the testing method is executed from the Nashorn script engine (if you press the 
cancel button on the security dialog, you get a SecurityException). When you uncomment 
2 lines in the Webcontent/jnlpScripting.jnlp file, the Rhino script engine is used 
instead of Nashorn and no security dialog is displayed. This fix works also for 
our Pivot RIAs.

I believe Pivot should work in the JRE 1.8 RIA environment without security issues 
by default, so it should be fixed somehow in Pivot - maybe by correct 
ScriptEngine configuration in BXMLSerializer or by including Rhino libraries in 
the Pivot distribution. Any idea how to "correctly" fix this issue?

Btw.: I found this bug: http://bugs.java.com/view_bug.do?bug_id=8045075 I am 
not sure if it is the same problem. But anyway, it should be fixed in
1.8.25.b01, and we are encountering the above issues in the latest 1.8.0.31.b13.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
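The report above describes host methods failing security checks because a script frame is on the call stack. The following is an added illustration, not Pivot's code and not a confirmed fix for this issue: it shows the standard Java mechanism for a trusted host to perform its own privileged work on behalf of a script, by wrapping only that work in AccessController.doPrivileged so the stack walk stops at the host's (fully trusted) frame. The Host class, ScriptHostExample and the embedded script are constructed; a JDK 8 runtime with a SecurityManager installed, as in the Java Web Start RIA described above, is assumed.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class ScriptHostExample {
    // Constructed host API that a BXML-style script calls back into.
    public static class Host {
        // Unwrapped: the permission check walks the whole stack, reaches the
        // script's restricted frame, and fails (security dialog / SecurityException).
        public String readPropertyDirect(String name) {
            return System.getProperty(name);
        }

        // Wrapped: the stack walk stops at doPrivileged, so only the host's own
        // permissions are considered. Keep the block minimal: everything inside
        // it runs with the host's full privileges, and 'name' comes from the script,
        // so the host decides what is acceptable before granting anything.
        public String readPropertyPrivileged(final String name) {
            if (!name.startsWith("java.")) {
                throw new IllegalArgumentException("property not exposed to scripts");
            }
            return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(name));
        }
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngineManager mgr = new ScriptEngineManager();
        ScriptEngine engine = mgr.getEngineByName("JavaScript");
        // Report which engine the JRE resolved: Nashorn on JRE 8, Rhino on 6/7.
        System.out.println("engine: " + engine.getFactory().getEngineName());
        engine.put("host", new Host());
        // Constructed script standing in for a <bxml:script> block.
        String script = "host.readPropertyPrivileged('java.version')";
        System.out.println(engine.eval(script));
    }
}
```

Under a SecurityManager, calling host.readPropertyDirect from the same script instead is the failing path the report describes; the privileged variant succeeds only because the host, not the script, owns the permission.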