[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145363#comment-15145363
]
Roger Whitcomb commented on PIVOT-965:
--------------------------------------
One more update on the scripting security issues:
Our application doesn't use *much* scripting in the BXML files, but we haven't
had any issues either, running as an applet using these security settings (in
Pivot):
<attribute name="Sealed" value="true"/>
<attribute name="Implementation-Vendor-Id"
value="org.apache"/>
<attribute name="Implementation-Vendor" value="The Apache
Software Foundation"/>
<attribute name="Implementation-Title" value="Apache Pivot
@{title}"/>
<attribute name="Implementation-Version"
value="${version}"/>
<attribute name="Permissions" value="all-permissions"/>
<attribute name="Codebase" value="*"/>
<attribute name="Caller-Allowable-Codebase" value="*"/>
<attribute name="Application-Library-Allowable-Codebase"
value="*"/>
And these attributes in our own .jar files:
Codebase: *
Permissions: all-permissions
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Implementation-Vendor: XYZ Corporation
Implementation-Title: Swizzy App
Implementation-Version: 2.0.0
Application-Name: Swizzy App
Created-By: XYZ Corporation
And, of course, signing ALL the .jar files with our real digital signature.
So, can you give us an update of how you're doing? Thanks!
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> ----------------------------------------------------------
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PIVOT-965
> Project: Pivot
> Issue Type: Bug
> Components: core-serialization
> Affects Versions: 2.0.4
> Environment: Windows, Sun JRE 64-bit 1.8.0_31b13
> Reporter: Karel Hübl
> Assignee: Roger Whitcomb
> Labels: java8, jdk8
> Fix For: 2.1, 2.0.5
>
> Attachments: 965.diffs, BXMLSerializer.patch
>
>
> We encounter security issues in our pivot application after upgrading to JRE
> 1.8. The application is deployed as RIA using Java Web Start.
> I found out, that the problem is connected with nashorn script engine which
> replaced rhino script engine from previous java version. BXMLSerializer is
> using ScriptEngine to evaluate scripts in BXML files. It seems, that all
> calls initiated from BXML scripts, are considered untrusted in JRE 1.8 RIA
> Environment - this means security dialogs and exceptions are thrown, when
> trying execute privileged actions (network communication, reflection ...).
> Currently, I am not sure, if this is Pivot or Nashorn bug, but it is problem
> for current Apache Pivot RIAs. To investigate the srcipting behaviour in
> RIAs, I created testing non Pivot project
> https://github.com/kaja78/jnlpScripting The project contains testing
> application, which is deployed as JWS. When you execute the java web start
> app in JRE 1.8, the security dialog is displayed when testing method is
> executed from nashorn script engine (if you press cancel button on security
> dialog, you get SecurityException). When you uncomment 2 lines in
> Webcontent/jnlpScripting.jnlp file, rhino script engine is used instead of
> nashorn and no security dialog is displayed. This fix works also for our
> Pivot RIAs.
> I believe, Pivot should work in JRE 1.8 RIA Environment without security
> issues by default, so it should be fixed somehow in Pivot - may be, by
> correct ScriptEngine configuration in BXMLSerializer or by including Rhino
> libraries in Pivot distribution. Any idea how to "correctly" fix this issue?
> Btw.: I found this bug: http://bugs.java.com/view_bug.do?bug_id=8045075 I am
> not sure, if it is the same problem. But anyway, it should be fixed in
> 1.8.25.b01 and we are encountering above issues in latest 1.8.0.31.b13.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
