Hi Marlon, Is it possible to prevent the jars from being self-signed in XBaya's JNLP?
Thanks, Nadeem On Thu, Mar 6, 2014 at 6:48 AM, Marlon Pierce <[email protected]> wrote: > Nice detective work, Nadeem. We use several self-signed jars in XBaya's > JNLP. We used to sign them during the build process, but I think we > finally just placed the signed jars in the repo. > > Security problems with Java applets and webstart apps may be why the > default permissions have gotten more restrictive, so I suggest being > careful if turning the permissions down. > > Marlon > > On 3/5/14 6:59 PM, Nadeem Anjum wrote: > > Hi everyone, > > > > This is with reference to Heejon's issue [1] with Xbaya security issue > with > > the jre(51). > > > > I was able to recreate this issue on Windows. > > > > When the security level in java control panel is set to very high or > high, > > it gives the following error: > > "Your security settings have blocked a *self-signed application* from > > running " > > > > When the security level is set to medium or the application is added to > > exception site list, the application is allowed to run with a warning, > > which displays the *publisher* as "*unknown*" > > > > As per [2], there are two possible reasons for this: > > > > 1. *Jar file missing Permission Attribute* > > 2.* Self signed application* (Certificate not from trusted authority) > > > > I modified the permissions in the main jar adding *permissions: > > all-permissions *in the manifest.mf file, but the problem still persists. > > According to [3], The Permissions attribute is used to verify that the > > permissions level requested by the RIA when it runs matches the > permissions > > level that was set when the JAR file was created. *This attribute is > > required in the manifest of the main JAR file for the RIA, secondary JAR > > files and extensions are not required to have the Permissions attribute*. > > If the attribute is not present in the main JAR file, then the RIA is > > blocked > > > > So it appears the problem is not due to missing permissions in third > party > > jars. > > > > Rather the problem is apparently due to *self-signed signature*, as when > > providing a self-signed signature (the free kind), the "Publisher" field > > will always say "UNKNOWN" whether or not it is provided when creating the > > signature, as per [4] > > > > Please share your opinion on this issue. > > > > [1]: http://markmail.org/thread/c6exit64mmhhpew7 > > [2]: https://www.java.com/en/download/help/java_blocked.xml > > [3]: > > > http://download.java.net/jdk8/docs/technotes/guides/jweb/security/manifest.html > > [4]: https://code.google.com/p/jzebra/issues/detail?id=155 > > > > > > On Wed, Feb 5, 2014 at 11:47 PM, Suresh Marru <[email protected]> wrote: > > > >> Hi Nadeem, > >> > >> We still did not compile the list of GSoC projects for 2014, but > >> independent of other, I think we certainly can take some help on XBaya > and > >> we have major refactoring needs come up. Let me suggest a list of tasks > for > >> you to get started. > >> > >> * Can you subscribe to Airavata User Mailing list[1] and help Heejoon > with > >> this thread [2] > >> > >> * Heejoon and his advisor Prof. Sun Kim's research group uses XBaya for > >> interacting with Amazon EC2 Resources so better packaging of the JNLP > will > >> help them. > >> > >> As for the GSoC project itself, it will involve changing the current > XBaya > >> which reads the components in the workflow based on XML Schemas and > WSDL's > >> and we need to migrate that using in development thrift based data > models. > >> This will require also changes to XBaya communications to registry and > >> workflow interpreter to talk to the new Airavata API. I will clearly > >> elaborate on the GSoC project, but for now, please start with helping > >> Heejoon and understanding the inner workings of 5 and 10 minute > >> tutorials. Stick to Airavata 0.11 version for now. The trunk will be in > >> rapid development over the next few weeks. > >> > >> Suresh > >> [1] - http://airavata.apache.org/community/mailing-lists.html > >> [2] - http://markmail.org/thread/c6exit64mmhhpew7 > >> [3] - > >> > http://biohealth.snu.ac.kr/wiki/index.php/BioVLab_:_Biology_Virtual_Collaborative_Lab > >> > >> On Feb 5, 2014, at 12:57 PM, Nadeem Anjum <[email protected]> > wrote: > >> > >>> Hello Everyone, > >>> > >>> Over the last few days I have been going through Airavata codebase. I > >> specifically got interested in XBaya, and it will be great if I could > get a > >> chance to work on a project based on XBaya for GSoC 2014 > >>> Thanks, > >>> Nadeem > >> > >
