pivot-dev mailing list archives

From "Roger Whitcomb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PIVOT-965) Java 8 BXML scripting security issues in Apache Pivot RIAs
Date Wed, 18 Nov 2015 22:36:10 GMT

    [ https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15012211#comment-15012211

Roger Whitcomb commented on PIVOT-965:

Hi Karel,
Have you tried using a "trunk" build of Pivot with this? I have added several manifest entries
(security-related) to the trunk version that are not in the 2.0.x branch. Maybe this will
help with your security issue. I agree that the Java bug you identified is probably the underlying
issue, but it should be corrected in the latest Java 8, so I'm not sure what the problem is.
But I'm thinking that the Pivot .jar files would have to have the correct security settings
in the manifest also (not just in your application manifest). So, I'm just checking to make
sure you have tried this.

I'm working on trying to resolve the other "include" problem with mapping functions -- pretty
tricky code that I'm not quite understanding yet.


> Java 8 BXML scripting security issues in Apache Pivot RIAs
> ----------------------------------------------------------
>                 Key: PIVOT-965
>                 URL: https://issues.apache.org/jira/browse/PIVOT-965
>             Project: Pivot
>          Issue Type: Bug
>          Components: core-serialization
>    Affects Versions: 2.0.4
>         Environment: Windows, Sun JRE 64-bit 1.8.0_31b13
>            Reporter: Karel Hübl
>            Assignee: Roger Whitcomb
>              Labels: java8, jdk8
>             Fix For: 2.1, 2.0.5
>         Attachments: BXMLSerializer.patch
> We encounter security issues in our pivot application after upgrading to JRE 1.8. The
> application is deployed as RIA using Java Web Start.
> I found out that the problem is connected with the nashorn script engine, which replaced the
> rhino script engine from the previous java version. BXMLSerializer is using ScriptEngine to evaluate
> scripts in BXML files. It seems that all calls initiated from BXML scripts are considered
> untrusted in the JRE 1.8 RIA Environment - this means security dialogs and exceptions are thrown
> when trying to execute privileged actions (network communication, reflection ...).
> Currently, I am not sure if this is a Pivot or Nashorn bug, but it is a problem for current
> Apache Pivot RIAs. To investigate the scripting behaviour in RIAs, I created a testing non-Pivot
> project https://github.com/kaja78/jnlpScripting The project contains a testing application,
> which is deployed as JWS. When you execute the java web start app in JRE 1.8, the security
> dialog is displayed when the testing method is executed from the nashorn script engine (if you press
> the cancel button on the security dialog, you get a SecurityException). When you uncomment 2 lines in
> the Webcontent/jnlpScripting.jnlp file, the rhino script engine is used instead of nashorn and no
> security dialog is displayed. This fix works also for our Pivot RIAs.
> I believe Pivot should work in the JRE 1.8 RIA Environment without security issues by default,
> so it should be fixed somehow in Pivot - maybe by correct ScriptEngine configuration in
> BXMLSerializer or by including Rhino libraries in the Pivot distribution. Any idea how to "correctly"
> fix this issue?
> Btw.: I found this bug: http://bugs.java.com/view_bug.do?bug_id=8045075 I am not sure
> if it is the same problem. But anyway, it should be fixed in
> 1.8.25.b01 and we are encountering above issues in latest

This message was sent by Atlassian JIRA
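The reporter's jnlpScripting test boils down to one mechanism: a script evaluated through javax.script calls back into Java, and under Web Start that callback runs with the script engine's frames on the stack. The following probe is an added example, not code from Pivot, from BXMLSerializer or from the kaja78/jnlpScripting project; the class name ScriptEngineProbe, the describeContext() helper and the script text are all assumptions made up for this illustration. It lists the engines the JRE offers, picks one by name ("nashorn" on JRE 8, falling back to the generic "JavaScript" alias, which resolves to Rhino on older JREs), and has the script call a Java method that reports whether a SecurityManager is installed. Run on the desktop it reports no sandbox; launched as an RIA, the callback is the point where the dialogs and SecurityException described above would surface, so it is a convenient place to confirm which engine a deployment actually picked up.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/**
 * Added example (hypothetical class, not part of Pivot): evaluates a small
 * script through javax.script and lets the script call back into Java, the
 * same shape as a BXML script block evaluated by a ScriptEngine.
 */
public class ScriptEngineProbe {

    /** Java callback invoked from the script (hypothetical helper). */
    public String describeContext() {
        SecurityManager sm = System.getSecurityManager();
        return sm == null
                ? "no SecurityManager installed (desktop run)"
                : "SecurityManager installed (sandboxed RIA run)";
    }

    /**
     * Prefer the engine registered under {@code preferred} (e.g. "nashorn"),
     * otherwise fall back to the generic "JavaScript" alias, which on a
     * pre-8 JRE resolves to Rhino. Returns null if neither is present.
     */
    static ScriptEngine pickEngine(String preferred) {
        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngine engine = manager.getEngineByName(preferred);
        return engine != null ? engine : manager.getEngineByName("JavaScript");
    }

    /** Evaluates the script with the probe object bound as "probe". */
    static Object runProbe(ScriptEngine engine) throws ScriptException {
        engine.put("probe", new ScriptEngineProbe());
        engine.put("engineName", engine.getFactory().getEngineName());
        // Script text constructed for this example; in Pivot it would come
        // from a <bxml:script> block. Written without Java.type/Packages so
        // it evaluates the same way under Nashorn and Rhino.
        String script = "probe.describeContext() + ' via ' + engineName";
        return engine.eval(script);
    }

    public static void main(String[] args) throws ScriptException {
        // Show every engine the running JRE registers, with its alias names.
        for (ScriptEngineFactory factory : new ScriptEngineManager().getEngineFactories()) {
            System.out.println("available: " + factory.getEngineName()
                    + " " + factory.getEngineVersion() + " " + factory.getNames());
        }
        String preferred = args.length > 0 ? args[0] : "nashorn";
        ScriptEngine engine = pickEngine(preferred);
        if (engine == null) {
            System.out.println("no JavaScript engine registered in this JRE");
            return;
        }
        System.out.println("selected: " + engine.getFactory().getEngineName());
        System.out.println("script returned: " + runProbe(engine));
    }
}
```

Running it with `java ScriptEngineProbe` on a JRE 8 desktop prints the Nashorn factory and "no SecurityManager installed"; passing an engine name such as `rhino` as the first argument shows whether that engine is visible to the ScriptEngineManager at all, which is the first thing to check before expecting a JNLP change to switch engines.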
