commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joerg Schaible (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CODEC-186) attributes are missing in MANIFEST.MF
Date Wed, 04 Jun 2014 16:39:03 GMT

    [ https://issues.apache.org/jira/browse/CODEC-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017834#comment-14017834
] 

Joerg Schaible commented on CODEC-186:
--------------------------------------

Actually I wonder if we should do anything here. From the referred specification:

{quote}
Trusted-Library Attribute

The Trusted-Library attribute is used for applications and applets that are designed to allow
untrusted components. No warning dialog is shown and an application or applet can load JAR
files that contain untrusted classes or resources. Set the value of the attribute to true,
for example:

Trusted-Library: true

This attribute prevents components in a privileged application or applet from being repurposed
with untrusted components. All classes and resources in a JAR file containing this manifest
attribute must be signed and request all permissions.
{quote}

We will never sign all classes and resources in our jar. With which key?

IMHO, if someone writes trusted applets or JNLP he has to modify the manifests anyway, especially
if the code must be signed ... typically with an own key.

All those manifest entries are there to ensure the integrity of the applet, so what sense
does it make to set all-permissions or a codebase of "*" when you really want "https://..."
?

> attributes are missing in MANIFEST.MF
> -------------------------------------
>
>                 Key: CODEC-186
>                 URL: https://issues.apache.org/jira/browse/CODEC-186
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.5, 1.9
>            Reporter: Jeff Yu
>
> We are encountering an issue using commons-codec-1.5.jar inside an applet.
> Since the 7U45 of java, the MANIFEST of a jar used inside an applet must be complete.
> 3 attributes are missing in the MANIFEST
> Trusted-Library : true
> Application-Name : <<as you want>>
> Permissions : all-permissions (or less if you want to be precise)
> Codebase : *
> see : http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
> Without these attributes, the JRE refuse to execute an applet containing commons-codec-1.5.jar.
> Could you please fix that in order to make this jar usable inside an applet?
> Thanks



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message