pivot-dev mailing list archives

From Roger and Beth Whitcomb <RogerandB...@rbwhitcomb.com>
Subject Re: Java 8 BXML scripting security issues in Apache Pivot RIAs
Date Mon, 09 Feb 2015 18:03:40 GMT
Hi Karel,
     Can you please create a JIRA issue that contains this information 
and someone will look into it as soon as possible.

Thanks,
~Roger

On 2/9/15 9:19 AM, Karel Hübl wrote:
> Hi all,
>
> We encounter security issues in our Pivot application after upgrading to JRE
> 1.8. The application is deployed as an RIA using Java Web Start.
>
> I found out that the problem is connected with the Nashorn script engine, which
> replaced the Rhino script engine from the previous Java version. BXMLSerializer is
> using ScriptEngine to evaluate scripts in BXML files. It seems that all
> calls initiated from BXML scripts are considered untrusted in the JRE 1.8 RIA
> environment - this means security dialogs and exceptions are thrown when
> trying to execute privileged actions (network communication, reflection ...).
>
> Currently, I am not sure if this is a Pivot or Nashorn bug, but it is a problem
> for current Apache Pivot RIAs. To investigate the scripting behaviour in
> RIAs, I created a testing non-Pivot project:
> https://github.com/kaja78/jnlpScripting The project contains a testing
> application, which is deployed as JWS. When you execute the Java Web Start
> app in JRE 1.8, the security dialog is displayed when the testing method is
> executed from the Nashorn script engine. When you uncomment 2 lines in the
> Webcontent/jnlpScripting.jnlp file, the Rhino script engine is used instead of
> Nashorn and no security dialog is displayed. This fix also works for our
> Pivot RIAs.
>
> I believe Pivot should work in the JRE 1.8 RIA environment without security
> issues by default, so it should be fixed somehow in Pivot - maybe by
> correct ScriptEngine configuration in BXMLSerializer or by including the Rhino
> libraries in the Pivot distribution. Any idea how to "correctly" fix this issue?
>
> Btw.: I found this bug: http://bugs.java.com/view_bug.do?bug_id=8045075 I am
> not sure if it is the same problem. But anyway, it should be fixed in
> 1.8.25.b01 and we are encountering the above issues in the latest 1.8.0.31.b13.
>
> Regards Karel

