Bug Tracker item #3418256, was opened at 2011-10-04 02:14
Message generated for change (Comment added) made by dcommander
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1126848&aid=3418256&group_id=254363
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Java viewer
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: D. R. Commander (dcommander)
Assigned to: Brian Hinz (bphinz)
Summary: New Java viewer does not start when loaded from Xvnc
Initial Comment:
The new Java viewer in trunk aborts with:
java.security.AccessControlException: access denied
(java.util.PropertyPermission * read,write)
when served from Xvnc's embedded HTTP server running on a Linux host. This may
have always been the case, as previously, I've only tested the Java viewer by
invoking it in standalone mode.
----------------------------------------------------------------------
>Comment By: D. R. Commander (dcommander)
Date: 2011-10-05 16:40
Message:
I figured out the problem with the clipboard. Whenever I was having
problems with TigerVNC picking up the RealVNC Java classes, I uninstalled
RealVNC from my system. Well, it turns out that TigerVNC was picking up
the RealVNC vncconfig as well. Ugh. So, once I uninstalled RealVNC,
TigerVNC's xstartup file, which launches 'vncconfig -iconic', couldn't find
vncconfig anymore, because it is installed in /opt/TigerVNC/bin rather than
/usr/bin.
I modified vncserver such that it now launches vncconfig all the time
rather than relying on xstartup.
As far as UserPrefs, try printing separator in applet mode, and you will
see that it is very clearly null. My way works properly. As such, I have
committed it.
----------------------------------------------------------------------
Comment By: Brian Hinz (bphinz)
Date: 2011-10-05 15:30
Message:
I agree that there seems to be something different, and if anything OpenJDK
on RHEL5 seems more strict so I'd probably be better off building and
testing there (or at least setting the linter flags to be equally strict).
I don't know if I can get to that tonight, but will do so in the next few
days. I'll look at my current dev box first, maybe I've got some mix of
sun-jdk and open jdk in /etc/alternatives that's messing me up.
The only reason there is a null-pointer exception is because the security
policy is preventing the applet from accessing the system properties,
resulting in (null).toString(). However, getProperty already returns a
string so it's perfectly safe to remove the toString() (in fact, the cast
may not even be necessary). According to the Oracle documentation,
file.separator is a property key that the Sytem class should always have a
valid value set for, so barring an exception being thrown, it should never
be null. Besides, I believe that eventually the UserPrefs class checks to
see that any file or directory it reads from or writes to is valid before
actually doing so, so even if a value of "null" was returned it should
still be safe.
IMHO, the bigger issue is what to do about the security policy problems in
applet mode. I think clipboard access is critical, and I don't think it's
reasonable to expect people to alter their security policies in order to
allow it. I know for sure that (prior to all the hacking I did yesterday)
the viewer did support cut/copy/paste between the local and remote
clipboards in stand-alone mode and when deployed via WebStart.
----------------------------------------------------------------------
Comment By: D. R. Commander (dcommander)
Date: 2011-10-05 14:11
Message:
I think you need to get a RHEL 5 VM up and running, because there are
apparently some differences between our versions of OpenJDK.
Also, I disagree with your patch. The underlying problem is that
System.getProperties().get("file.separator") is returning NULL in the
applet, due to permissions issues, so casting it to String doesn't make it
non-NULL. Another approach is needed to obtain the actual file separator.
----------------------------------------------------------------------
Comment By: Brian Hinz (bphinz)
Date: 2011-10-05 06:40
Message:
Thanks, I kept seeing that null pointer issue but strangely only if the
applet was launched from chromium, it worked fine in firefox! I chalked it
up to chromium caching an old copy of the applet but obviously that was
wrong. I just committed a slightly different fix (just used a cast rather
than toString like all the other variables).
Can you provide some more detail about OpenJDK's jarsigner? I'm using it
and it seems fine.
As far as clipboard access goes, I think it's working just the same as
TurboVNC. It may be due to the signer certificate being untrusted, but I'm
not sure. Looking at the security policy file it seems like some of the
AccessControlExceptions should not have been thrown in the first place.
I'll have to take a closer look at that tonight.
----------------------------------------------------------------------
Comment By: D. R. Commander (dcommander)
Date: 2011-10-05 03:04
Message:
I added the signing functionality to the CMake Java build. Note that the
OpenJDK jarsigner appears to be broken, so I am having to use the Oracle
JDK jarsigner to sign the JAR. I found several web pages indicating that
others have had the same problem.
I also had to apply
Index: UserPrefs.java
===================================================================
--- UserPrefs.java (revision 4696)
+++ UserPrefs.java (working copy)
@@ -160,7 +160,7 @@
final public static String getFileSeperator() {
String seperator = null;
try {
- seperator =
System.getProperties().get("file.separator").toString();
+ seperator =
Character.toString(java.io.File.separatorChar);
} catch(java.security.AccessControlException e) {
System.out.println("Cannot access file.separator system
property");
}
in order to keep the applet from throwing a NullPointerException. If that
seems like an innocuous patch, then I'll go ahead and commit it.
Unfortunately, clipboard access still doesn't work, nor does the
Configuration File "Save As" button, but I can't make them work in
standalone mode either.
----------------------------------------------------------------------
Comment By: Brian Hinz (bphinz)
Date: 2011-10-04 19:07
Message:
I just looked at the TurboVNC Makefile and that's a really cool trick to
generate a signing key. I thought that the authenticity of the signer
certs needed to be verified against a CA, but I guess not. I'll duplicate
what you did for TurboVNC and re-enable clipboard access for applets.
Thanks!
----------------------------------------------------------------------
Comment By: Brian Hinz (bphinz)
Date: 2011-10-04 18:41
Message:
Yeah, I'm not thrilled with this solution either. Yes, signing the applet
would fix the problem.
----------------------------------------------------------------------
Comment By: D. R. Commander (dcommander)
Date: 2011-10-04 18:38
Message:
Urrr, but wait a second... Accessing the clipboard from the applet is kind
of crucial. TurboVNC can do that as long as the applet is signed. Would
signing the applet fix that for TigerVNC as well?
----------------------------------------------------------------------
Comment By: Brian Hinz (bphinz)
Date: 2011-10-04 17:54
Message:
Patch committed in r4693 that should fix this. Need to verify that this
patch does not disable access to the clipboard for applets launched via
Java WebStart (regular applets, even signed ones, cannot access the
clipboard but JWS applets can.)
----------------------------------------------------------------------
Comment By: Brian Hinz (bphinz)
Date: 2011-10-04 05:30
Message:
I think that this is because by default applets cannot access the
filesystem and the new viewer wants to load a preferences file. I only
ever use it standalone, so I hadn't noticed this. Should be a pretty easy
fix, I'll take a look today.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1126848&aid=3418256&group_id=254363
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
