  2. PIVOT-920

Update Pivot to New security requirements for RIAs in 7u51

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1, 2.0.5
    • Component/s: project, site
    • Labels:
      None

      Description

      As seen here ( https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias ), we have to update our jars or users won't be able to run our Tutorials/Demos from the Web Site ... and even when running from related war files in our distribution.

      Note that for signed jars we have only a self-signed certificate, so we have to check with ASF if it's something that could be handled at Infra level (from a Build Server, or something that takes released jars and signs them ...). Note that the same applies even to the pack200 version of our jars.
      Maybe a related issue for INFRA could be useful ...

      Some discussions here:
      http://apache-pivot-developers.417237.n3.nabble.com/Update-Pivot-to-New-security-requirements-for-RIAs-in-7u51-td4026251.html

        Issue Links

          Activity

          smartini Sandro Martini added a comment - - edited

          Verify whether to fix this even in the 2.0.x maintenance branch ... no (see comments below).

          smartini Sandro Martini added a comment - - edited

          Note that even without changes in our build (to include the new attributes in the manifest inside any jar file, use the signed version of the jars, etc.), a workaround is to add http://pivot.apache.org to the Site Exception List under the Security tab in the Java Control Panel (at least on Windows).

          Finally, check whether it now makes sense to use the unsigned version of our jars in Tutorials and Demos (and copy them inside the generated war files) ...

          Note that the signing certificate that we use is self-signed, so I'm not sure we could resolve this issue without some help from Infra. After some small local changes (still not committed), Applets don't work because the updated JRE 7 blocks them.

          Some info here:
          http://www.java.com/en/download/help/appsecuritydialogs.xml#selfsigned
          http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html

          Test pages are available here (and served by the real http server):
          http://svn.apache.org/repos/asf/pivot/site/trunk/deploy/tests/
          After adding the Pivot Web Site to the Site Exception List, all unsigned Applets start working again (even without changes), so unless there are objections I'd make small changes but only in trunk (not under 2.0.x). But (self-)signed Applets won't work anymore anyway (unless the Java security level is lowered a lot, I think).

          As seen here:
          http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html
          the required changes could be to add the new manifest properties for the jars in build.xml, but keep the value of Permissions as sandbox and Codebase as an empty string in build.properties.
          And update the generated applet properties to add something like this:
          parameters.permissions = "sandbox";
          in the generated html pages for the web site and our war files.

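The manifest checks the comment above describes, as an added example that is not part of the issue or of the Pivot build: it parses the main section of a jar's MANIFEST.MF (including continuation lines) and reports whether Permissions matches the applet's permissions parameter and whether Codebase covers the host the jar is served from. The jar, the manifests and the host values are constructed for the demo.

```python
import fnmatch
import io
import zipfile

def parse_manifest(text):
    """Main section of MANIFEST.MF; a leading space continues the previous value."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if raw == "":
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]  # continuation line
            continue
        name, _, value = raw.partition(":")
        last = name.strip()
        attrs[last] = value[1:] if value.startswith(" ") else value
    return {k: v.strip() for k, v in attrs.items()}

def check_rias_attributes(attrs, requested_permissions, host):
    """Permissions must match the applet parameter; Codebase must cover host."""
    findings = []
    perms = attrs.get("Permissions")
    if perms is None:
        findings.append("missing Permissions attribute")
    elif perms not in ("sandbox", "all-permissions"):
        findings.append("invalid Permissions value: %r" % perms)
    elif perms != requested_permissions:
        findings.append("Permissions %r != applet parameter %r" % (perms, requested_permissions))
    codebase = attrs.get("Codebase", "")  # space-separated list, '*' wildcards
    if not codebase:
        findings.append("missing Codebase attribute")
    elif not any(fnmatch.fnmatchcase(host, p) for p in codebase.split()):
        findings.append("Codebase %r does not cover host %r" % (codebase, host))
    return findings

def check_jar(jar_bytes, requested_permissions, host):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return check_rias_attributes(attrs, requested_permissions, host)

def build_jar(manifest_text):  # constructed in-memory jar, not a Pivot artifact
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed sample manifests; the Codebase value spans a continuation line.
GOOD_MANIFEST = ("Manifest-Version: 1.0\nPermissions: sandbox\n"
                 "Codebase: pivot.apache.org \n *.apache.org\n\nName: x.class\n")
BAD_MANIFEST = "Manifest-Version: 1.0\nPermissions: all-permissions\n"
```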
          smartini Sandro Martini added a comment -

          Roger (and others), is this good enough for you?
          If it is, we have no more open issues for 2.0.4, so we can start the process for the release, ok?

          Last, Roger, could you post (another time, sorry) in the next Report for the Board the question of signing code with a real certificate? Thank you very much.

          Tell me.

          smartini Sandro Martini added a comment -

          Add link to related Infra issue.

          rwhitcomb Roger Whitcomb added a comment -

          I will ask about this in the next board report, although we could ask Infra again before then ....

          smartini Sandro Martini added a comment -

          Just received an email that says "Code signing service now available", so now the Pivot PMC should ask Infra for keys to sign our artifacts.

          We should be able to do this even for 2.0.5 (for 2.1.0 surely).

          smartini Sandro Martini added a comment -

          Didn't receive any update from the Code signing service (nor documentation on how to use it), so maybe it's better to move this to 2.1.0.

          smartini Sandro Martini added a comment -

          Resolved, but code signing moved to a dedicated issue.


            People

            • Assignee:
              smartini Sandro Martini
              Reporter:
              smartini Sandro Martini