Page 1 of 6

Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 11:43 am
by Jan Blok
As you might have noticed Oracle/Sun change the security level requirement in a minor update.
This change requires to:
1) Have all beans/plugins signed with a certificate (a self signed certificate will suffice, but does result in warning for enduser, which is better to avoid)
2) Change the dedicated plugin jnlp file if used, it needs to contain:
<security>
<all-permissions/>
</security>

In the future we might be able to drop these requirements with use of classloaders and the new jar manifest options provided in Java 6 update 19, we are researching this currently.

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 11:55 am
by IT2Be
Jan Blok wrote:In the future we might be able to drop these requirements with use of classloaders and the new jar manifest options provided in Java 6 update 19, we are researching this currently.
But I assume/hope we don't have to remove the signatures anymore now the work is almost done for us...

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 1:30 pm
by jcompagner
We will keep supporting signed plugins.
The only thing is that we need to look for plugins without there own plugin.jnlp if we need to generate <all permissions> in the jnlp or not (unsigned can't have that and signed need it...)


I created a tool where you can quickly validate your complete application server directory:
http://downloads.servoy.com/downloads/m ... tester.zip
unzip that file and you will get a signtester.jar file

this file you can place in the application_server dir of a servoy install.
then you can run this jar with:

java -jar signtester.jar

that will then validate all the right dirs.

If you see reports of not signed jars then you have to create your own self signed key:

keytool -genkey -keystore mykeystore -alias MyPlugins -validity 10000

(keytool is a part of the java (jre) install of java 6 see the bin dir in the java install)

fill in all the needed data. That will make a file mykeystore in the dir you are in.
then you can run the tool once more:

java -jar signtester.jar mykeystore yourpassword MyPlugins

so the first argument must point the the keystore file you made with the keytool
the second argument must be the password you entered when creating the keystore.
the third argument "MyPlugins" must be the same as the -alias MyPlugins argument of the keystore (you can change this name if you want)

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 1:44 pm
by IT2Be
So. What you are saying is that it is possible for developers that create their own in-house plugins/beans or use third-party plugins/beans that are unsigned it is possible to sign the plugins and beans themselves?

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 1:53 pm
by jcompagner
yes but with a self signed certificate
So you will get a warning dialog about that (not the new warning dialog but the warning dialog we always had when using self signed)
The good thing about this warning dialog is that that one has an accept always checkbox.. So you only have to accept it once with the first download.
(and that dialog doesnt hang with 6_u19)

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 2:29 pm
by Harjo
johan,

does this work also the same way in a Servoy 3.5 environment?
I'm getting a long long list of not signed plugins/bean in Servoy ;-) (non servoy plugins/beans)

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 4:41 pm
by jcompagner
yes but you need a new build then first of 3.5 because of the plugins need for the <all-permissions> tag in the jnlp and you need different kind of beans loading.

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 7:14 pm
by ptalbot
jcompagner wrote:We will keep supporting signed plugins.
The only thing is that we need to look for plugins without there own plugin.jnlp if we need to generate <all permissions> in the jnlp or not (unsigned can't have that and signed need it...)

What about beans? Will they also be loaded by this classloader you talk about?

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 9:45 pm
by jcompagner
yes if they are unsigned.

Re: Plugin and Beans with Java 6 update 19

PostPosted: Fri Apr 09, 2010 9:52 pm
by ptalbot
jcompagner wrote:yes if they are unsigned.

How will you know if they are? Will you check the jar and have 2 different classloaders?
I'm curious.

Anyway, nice little tool you did, thanks.
I see that you have shipped a lot of java tools - including javac/javadoc/applet etc. - with it, why is that?

Re: Plugin and Beans with Java 6 update 19

PostPosted: Sat Apr 10, 2010 4:09 pm
by Infop
Does it require, all the resource jars that are being used by the Beans and Plug-ins, are to be signed??

Thanks

Re: Plugin and Beans with Java 6 update 19

PostPosted: Sat Apr 10, 2010 4:11 pm
by IT2Be
Infop wrote:Does it require, all the resource jars that are being used by the Beans and Plug-ins, are to be signed??
That is indeed what it looks like.

Re: Plugin and Beans with Java 6 update 19

PostPosted: Sat Apr 10, 2010 6:07 pm
by Infop
Thanks Marcel, for your reply.

I ran the above signtester.jar from my application_server directory, It is reporting almost all the jars present in the beans, plugins and lib directory. Do I have sign all the jars, including those, coming with servoy as well??? Or Servoy is going to provide the signed jars for those that are used by Servoy itself??

PS: I am running with Servoy 4.1.5

Thanks,

Re: Plugin and Beans with Java 6 update 19

PostPosted: Sat Apr 10, 2010 6:42 pm
by IT2Be
Infop wrote:PS: I am running with Servoy 4.1.5
In that case your observation makes sense.
I don't know if you realize you are reading this in 'Plugins and Beans'?
Anyway, you should read the following 'Announcements' post because that will give you an answer: viewtopic.php?f=16&t=13976

Re: Plugin and Beans with Java 6 update 19

PostPosted: Sat Apr 10, 2010 6:49 pm
by Infop
IT2Be wrote:
Infop wrote:PS: I am running with Servoy 4.1.5

I don't know if you realize you are reading this in 'Plugins and Beans'?
Anyway, you should read the following 'Announcements' post because that will give you an answer: viewtopic.php?f=16&t=13976


I have not seen that announcement thread. Thanks for notifying me.