Mark,
thank you for your detailed bug report!
This was still a piece of old code from OCF 1.0. You are right, the
BACKGROUND constant is not used anymore.
I just removed the problem from our internal code and we will include the
fix in the next release.
For now, you may use the code below.
(See attached file: CardHolderVerificationGUI.java)(See attached file:
CardHolderVerificationGUI.class)
Best Regards,
Thomas
Thomas Schaeck
IBM Pervasive Computing Division - Smart Card Solutions
E-mail: [EMAIL PROTECTED] Tel.: ++49-7031-16-3479 Fax.:
++49-7031-16-4888
Address: IBM Deutschland Entwicklung GmbH, Schoenaicher Str. 220, 71032
Boeblingen, Germany
[EMAIL PROTECTED] on 11.06.99 13:09:15
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Thomas Schaeck/Germany/IBM)
Subject: [OCF] security exception.
mailto:[EMAIL PROTECTED]
Dear colleagues,
running a signed browser applet in IE4.01-SP1a (JVM build 3167) based on
the most recent OCF 1.1.1 reference implementation, a security exception
is thrown if the 'CardTerminal' instance used does NOT implement the
'VerifiedAPDUInterface' AND the method 'CardChannel.sendVerifiedAPDU()'
is used by the 'CardService'.
This faulty behaviour is caused by the privileged query
'System.getProperty( ... );' in the protected constructor of
class 'opencard.core.service.CardHolderVerificationGUI' to initialize
the 'BACKGROUND' string attribute (which is not used at all ;-)
In general, an implementation that complies with both the Netscape
Capabilities API and the Microsoft Authenticode-2 security framework
should employ the sequence
    SystemAccess sa = SystemAccess.getSystemAccess();
    String property = sa.getProperty( ... );
to query a system property value, due to the fact that this operation
runs outside the VM's sandbox. Maybe IBM could fix this in an upcoming
maintenance release.
Greetings.
----------------------------------------------------------------------
Dr.-Ing. Markus A. Stulle - Schleissheimer Straße 70 'Java Madman'
D-80797 Muenchen - Germany
Tel./FAX: (+49 89) 520 59 001
GSM: (+49 171) 213 - 70 84
GSM-FAX: (+49 171) 214 - 84 74, GSM-Data: - 86 74
AOL-FAX: (+40) 36 03 - 02 00 16
EMail: [EMAIL PROTECTED], [EMAIL PROTECTED]
-----------+===+------------------------------------------------------
> press |ESC| key once to abort program or twice to continue! <
-----------+===+------------------------------------------------------