[jira] [Commented] (PIVOT-965) Java 8 BXML scripting security issues in Apache Pivot RIAs

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15445123#comment-15445123 ]

Karel Hübl commented on PIVOT-965:

Hi Roger,
you have to add your testing site (for example http://localhost:8080) to the Exception Site List on the Security tab in the Java Control Panel. Then you can launch the app and replicate the problem.

Regarding BXML scripting - we use BXML scripting just to delegate handling of UI events (like button click) to controller's methods implemented in trusted Java code. But once the call is initiated from untrusted code (script engine), security warnings and exceptions are thrown...

I reported the bug to the Java team, but the communication stopped suddenly after proving the problem is not in the app. Since this non-Pivot code (https://github.com/kaja78/jnlpScripting/blob/master/jnlpScripting/src/org/kh/jnlpScripting/Main.java) has the same problems, the problem should not be in the Pivot code. The problem still could be in the security settings of JNLP / jar files, but I was not able to find any working setting.

So I gave it up and kept including signed Rhino script engine jars as part of our Pivot webstart applications.

> Java 8 BXML scripting security issues in Apache Pivot RIAs
> ----------------------------------------------------------
>                 Key: PIVOT-965
>                 URL: https://issues.apache.org/jira/browse/PIVOT-965
>             Project: Pivot
>          Issue Type: Bug
>          Components: core-serialization
>    Affects Versions: 2.0.4
>         Environment: Windows, Sun JRE 64-bit 1.8.0_31b13
>            Reporter: Karel Hübl
>            Assignee: Roger Whitcomb
>              Labels: java8, jdk8
>             Fix For: 2.1, 2.0.5
>         Attachments: 965.diffs, BXMLSerializer.patch, jnlpScripting.war
> We encounter security issues in our Pivot application after upgrading to JRE 1.8. The application is deployed as an RIA using Java Web Start.
> I found out that the problem is connected with the Nashorn script engine, which replaced the Rhino script engine from the previous Java version. BXMLSerializer is using ScriptEngine to evaluate scripts in BXML files. It seems that all calls initiated from BXML scripts are considered untrusted in the JRE 1.8 RIA environment - this means security dialogs and exceptions are thrown when trying to execute privileged actions (network communication, reflection ...).
> Currently, I am not sure if this is a Pivot or Nashorn bug, but it is a problem for current Apache Pivot RIAs. To investigate the scripting behaviour in RIAs, I created a testing non-Pivot project https://github.com/kaja78/jnlpScripting The project contains a testing application, which is deployed as JWS. When you execute the Java Web Start app in JRE 1.8, the security dialog is displayed when the testing method is executed from the Nashorn script engine (if you press the cancel button on the security dialog, you get a SecurityException). When you uncomment 2 lines in the Webcontent/jnlpScripting.jnlp file, the Rhino script engine is used instead of Nashorn and no security dialog is displayed. This fix works also for our Pivot RIAs.
> I believe Pivot should work in the JRE 1.8 RIA environment without security issues by default, so it should be fixed somehow in Pivot - maybe by correct ScriptEngine configuration in BXMLSerializer or by including Rhino libraries in the Pivot distribution. Any idea how to "correctly" fix this issue?
> Btw.: I found this bug: http://bugs.java.com/view_bug.do?bug_id=8045075 I am not sure if it is the same problem. But anyway, it should be fixed in 1.8.25.b01 and we are encountering the above issues in latest

This message was sent by Atlassian JIRA