[jruby-dev] [jira] Created: (JRUBY-6110) Security issue with org.jruby.embed.class.path in unsigned JavaFX applet.

peter (JIRA) Wed, 05 Oct 2011 12:42:26 -0700

Security issue with org.jruby.embed.class.path in unsigned JavaFX applet.
-------------------------------------------------------------------------


                 Key: JRUBY-6110
                 URL: https://jira.codehaus.org/browse/JRUBY-6110
             Project: JRuby
          Issue Type: Bug
          Components: Standard Library
    Affects Versions: JRuby 1.6.4
         Environment: win xp
            Reporter: peter
            Assignee: Thomas E Enebo
            Priority: Blocker
             Fix For: JRuby 1.6.4


Hi,

I have security issues when using embeded Ruby in a unsigned JavaFX Applet.
I encountered this already in swing but I was able to workaround it by signing 
the applet, javaFx breaks somehow when I try to sign it. 
Sorry for my ignorance if this is a double post and/or can't be resolved.

Heres some Codes for the JavaFx Application:
/*
 * To change this template, choose Tools | Templates and open the template in
 * the editor.
 */
package javafxapplication2;

import javafx.application.Application;
import javafx.event.ActionEvent;
import javafx.event.EventHandler;
import javafx.scene.Group;
import javafx.scene.Scene;
import javafx.scene.control.Button;
import javafx.stage.Stage;
import javax.swing.JPanel;
import org.jruby.embed.LocalContextScope;
import org.jruby.embed.ScriptingContainer;

/**
 *
 * @author Administrator
 */
public class JavaFXApplication2 extends Application {

    /**
     * @param args the command line arguments
     */
    private ScriptingContainer c;
    public static void main(String[] args) {
        Application.launch(args);
    }
   
    @Override
    public void start(Stage primaryStage) {
        primaryStage.setTitle("Hello World");
        Group root = new Group();
        Scene scene = new Scene(root, 300, 250);
        Button btn = new Button();
       
        btn.setLayoutX(100);
        btn.setLayoutY(80);
        btn.setText("Hello World");
        JPanel panel = new JPanel();
        btn.setOnAction(new EventHandler<ActionEvent>() {
       
            public void handle(ActionEvent event) {
                System.out.println("Hello World");
                 c = new ScriptingContainer(LocalContextScope.THREADSAFE);
                 c.runScriptlet("puts 'wooopwoop'");
            }
        });
        root.getChildren().add(btn);       
        primaryStage.setScene(scene);       
        primaryStage.show();
    }
}

An here the errors:
Java-Plug-in 10.0.1.255
JRE-Version verwenden 1.7.0-b147 Java HotSpot(TM) Client VM

Got ConfigEvent[type=SetVisible, value=true]

Got DownloadEvent[type=verify,loaded=1, total=1, percent=100]

Got AppletInitEvent[type=CallConstructor]

Got AppletInitEvent[type=CallInit]

Got AppletInitEvent[type=CallStart]

Hello World

java.security.AccessControlException: access denied 
("java.util.PropertyPermission" "org.jruby.embed.class.path" "read")

    at java.security.AccessControlContext.checkPermission(Unknown Source)

    at java.security.AccessController.checkPermission(Unknown Source)

    at java.lang.SecurityManager.checkPermission(Unknown Source)

    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

    at java.lang.System.getProperty(Unknown Source)

    at 
org.jruby.embed.util.SystemPropertyCatcher.findLoadPaths(SystemPropertyCatcher.java:242)

    at 
org.jruby.embed.ScriptingContainer.initConfig(ScriptingContainer.java:249)

    at org.jruby.embed.ScriptingContainer.<init>(ScriptingContainer.java:223)

    at org.jruby.embed.ScriptingContainer.<init>(ScriptingContainer.java:187)

    at 
javafxapplication2.JavaFXApplication2$1.handle(JavaFXApplication2.java:47)

    at 
javafxapplication2.JavaFXApplication2$1.handle(JavaFXApplication2.java:43)

    at com.sun.javafx.event.CompositeEventHandler.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at 
com.sun.javafx.event.CompositeEventDispatcher.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEventImpl(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEvent(Unknown Source)

    at javafx.event.Event.fireEvent(Unknown Source)

    at javafx.scene.Node.fireEvent(Unknown Source)

    at javafx.scene.control.Button.fire(Unknown Source)

    at 
com.sun.javafx.scene.control.behavior.ButtonBehavior.mouseReleased(Unknown 
Source)

    at com.sun.javafx.scene.control.skin.SkinBase$4.handle(Unknown Source)

    at com.sun.javafx.scene.control.skin.SkinBase$4.handle(Unknown Source)

    at com.sun.javafx.event.CompositeEventHandler.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at 
com.sun.javafx.event.CompositeEventDispatcher.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEventImpl(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEvent(Unknown Source)

    at javafx.event.Event.fireEvent(Unknown Source)

    at javafx.scene.Scene$MouseHandler.process(Unknown Source)

    at javafx.scene.Scene$MouseHandler.process(Unknown Source)

    at javafx.scene.Scene$MouseHandler.access$1200(Unknown Source)

    at javafx.scene.Scene.impl_processMouseEvent(Unknown Source)

    at javafx.scene.Scene$ScenePeerListener.mouseEvent(Unknown Source)

    at com.sun.javafx.tk.quantum.GlassViewEventHandler.handleMouseEvent(Unknown 
Source)

    at com.sun.glass.ui.View.handleMouseEvent(Unknown Source)

    at com.sun.glass.ui.View.notifyMouse(Unknown Source)

    at com.sun.glass.ui.win.WinApplication._runLoop(Native Method)

    at com.sun.glass.ui.win.WinApplication.access$100(Unknown Source)

    at com.sun.glass.ui.win.WinApplication$2$1.run(Unknown Source)

    at java.lang.Thread.run(Unknown Source)

java.lang.RuntimeException: java.security.AccessControlException: access denied 
("java.util.PropertyPermission" "org.jruby.embed.class.path" "read")

    at org.jruby.embed.ScriptingContainer.<init>(ScriptingContainer.java:227)

    at org.jruby.embed.ScriptingContainer.<init>(ScriptingContainer.java:187)

    at 
javafxapplication2.JavaFXApplication2$1.handle(JavaFXApplication2.java:47)

    at 
javafxapplication2.JavaFXApplication2$1.handle(JavaFXApplication2.java:43)

    at com.sun.javafx.event.CompositeEventHandler.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at 
com.sun.javafx.event.CompositeEventDispatcher.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEventImpl(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEvent(Unknown Source)

    at javafx.event.Event.fireEvent(Unknown Source)

    at javafx.scene.Node.fireEvent(Unknown Source)

    at javafx.scene.control.Button.fire(Unknown Source)

    at 
com.sun.javafx.scene.control.behavior.ButtonBehavior.mouseReleased(Unknown 
Source)

    at com.sun.javafx.scene.control.skin.SkinBase$4.handle(Unknown Source)

    at com.sun.javafx.scene.control.skin.SkinBase$4.handle(Unknown Source)

    at com.sun.javafx.event.CompositeEventHandler.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(Unknown 
Source)

    at 
com.sun.javafx.event.CompositeEventDispatcher.dispatchBubblingEvent(Unknown 
Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEventImpl(Unknown Source)

    at com.sun.javafx.event.EventUtil.fireEvent(Unknown Source)

    at javafx.event.Event.fireEvent(Unknown Source)

    at javafx.scene.Scene$MouseHandler.process(Unknown Source)

    at javafx.scene.Scene$MouseHandler.process(Unknown Source)

    at javafx.scene.Scene$MouseHandler.access$1200(Unknown Source)

    at javafx.scene.Scene.impl_processMouseEvent(Unknown Source)

    at javafx.scene.Scene$ScenePeerListener.mouseEvent(Unknown Source)

    at com.sun.javafx.tk.quantum.GlassViewEventHandler.handleMouseEvent(Unknown 
Source)

    at com.sun.glass.ui.View.handleMouseEvent(Unknown Source)

    at com.sun.glass.ui.View.notifyMouse(Unknown Source)

    at com.sun.glass.ui.win.WinApplication._runLoop(Native Method)

    at com.sun.glass.ui.win.WinApplication.access$100(Unknown Source)

    at com.sun.glass.ui.win.WinApplication$2$1.run(Unknown Source)

    at java.lang.Thread.run(Unknown Source)

Caused by: java.security.AccessControlException: access denied 
("java.util.PropertyPermission" "org.jruby.embed.class.path" "read")

    at java.security.AccessControlContext.checkPermission(Unknown Source)

    at java.security.AccessController.checkPermission(Unknown Source)

    at java.lang.SecurityManager.checkPermission(Unknown Source)

    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

    at java.lang.System.getProperty(Unknown Source)

    at 
org.jruby.embed.util.SystemPropertyCatcher.findLoadPaths(SystemPropertyCatcher.java:242)

    at 
org.jruby.embed.ScriptingContainer.initConfig(ScriptingContainer.java:249)

    at org.jruby.embed.ScriptingContainer.<init>(ScriptingContainer.java:223)

    ... 44 more

Thanks a lot in advance for your effort !

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

[jruby-dev] [jira] Created: (JRUBY-6110) Security issue with org.jruby.embed.class.path in unsigned JavaFX applet.

Reply via email to