Plugin and Beans with Java 6 update 19

Questions and answers on developing, deploying and using plugins and JavaBeans

Plugin and Beans with Java 6 update 19

Postby Jan Blok » Fri Apr 09, 2010 11:43 am

As you might have noticed Oracle/Sun change the security level requirement in a minor update.
This change requires to:
1) Have all beans/plugins signed with a certificate (a self signed certificate will suffice, but does result in warning for enduser, which is better to avoid)
2) Change the dedicated plugin jnlp file if used, it needs to contain:
<security>
<all-permissions/>
</security>

In the future we might be able to drop these requirements with use of classloaders and the new jar manifest options provided in Java 6 update 19, we are researching this currently.
Jan Blok
Servoy
Jan Blok
 
Posts: 2684
Joined: Mon Jun 23, 2003 11:15 am
Location: Amsterdam

Re: Plugin and Beans with Java 6 update 19

Postby IT2Be » Fri Apr 09, 2010 11:55 am

Jan Blok wrote:In the future we might be able to drop these requirements with use of classloaders and the new jar manifest options provided in Java 6 update 19, we are researching this currently.
But I assume/hope we don't have to remove the signatures anymore now the work is almost done for us...
Marcel J.G. Trapman (IT2BE)
SAN partner - Freelance Java and Servoy
Servoy Components - IT2BE Plug-ins and Beans for Servoy
ServoyForge - Open Source Components for Servoy
User avatar
IT2Be
Servoy Expert
 
Posts: 4766
Joined: Tue Oct 14, 2003 7:09 pm
Location: Germany

Re: Plugin and Beans with Java 6 update 19

Postby jcompagner » Fri Apr 09, 2010 1:30 pm

We will keep supporting signed plugins.
The only thing is that we need to look for plugins without there own plugin.jnlp if we need to generate <all permissions> in the jnlp or not (unsigned can't have that and signed need it...)


I created a tool where you can quickly validate your complete application server directory:
http://downloads.servoy.com/downloads/m ... tester.zip
unzip that file and you will get a signtester.jar file

this file you can place in the application_server dir of a servoy install.
then you can run this jar with:

java -jar signtester.jar

that will then validate all the right dirs.

If you see reports of not signed jars then you have to create your own self signed key:

keytool -genkey -keystore mykeystore -alias MyPlugins -validity 10000

(keytool is a part of the java (jre) install of java 6 see the bin dir in the java install)

fill in all the needed data. That will make a file mykeystore in the dir you are in.
then you can run the tool once more:

java -jar signtester.jar mykeystore yourpassword MyPlugins

so the first argument must point the the keystore file you made with the keytool
the second argument must be the password you entered when creating the keystore.
the third argument "MyPlugins" must be the same as the -alias MyPlugins argument of the keystore (you can change this name if you want)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8863
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Plugin and Beans with Java 6 update 19

Postby IT2Be » Fri Apr 09, 2010 1:44 pm

So. What you are saying is that it is possible for developers that create their own in-house plugins/beans or use third-party plugins/beans that are unsigned it is possible to sign the plugins and beans themselves?
Marcel J.G. Trapman (IT2BE)
SAN partner - Freelance Java and Servoy
Servoy Components - IT2BE Plug-ins and Beans for Servoy
ServoyForge - Open Source Components for Servoy
User avatar
IT2Be
Servoy Expert
 
Posts: 4766
Joined: Tue Oct 14, 2003 7:09 pm
Location: Germany

Re: Plugin and Beans with Java 6 update 19

Postby jcompagner » Fri Apr 09, 2010 1:53 pm

yes but with a self signed certificate
So you will get a warning dialog about that (not the new warning dialog but the warning dialog we always had when using self signed)
The good thing about this warning dialog is that that one has an accept always checkbox.. So you only have to accept it once with the first download.
(and that dialog doesnt hang with 6_u19)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8863
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Plugin and Beans with Java 6 update 19

Postby Harjo » Fri Apr 09, 2010 2:29 pm

johan,

does this work also the same way in a Servoy 3.5 environment?
I'm getting a long long list of not signed plugins/bean in Servoy ;-) (non servoy plugins/beans)
Harjo Kompagnie
byKom B.V.
ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4321
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Plugin and Beans with Java 6 update 19

Postby jcompagner » Fri Apr 09, 2010 4:41 pm

yes but you need a new build then first of 3.5 because of the plugins need for the <all-permissions> tag in the jnlp and you need different kind of beans loading.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8863
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Plugin and Beans with Java 6 update 19

Postby ptalbot » Fri Apr 09, 2010 7:14 pm

jcompagner wrote:We will keep supporting signed plugins.
The only thing is that we need to look for plugins without there own plugin.jnlp if we need to generate <all permissions> in the jnlp or not (unsigned can't have that and signed need it...)

What about beans? Will they also be loaded by this classloader you talk about?
Patrick Talbot
Freelance - Open Source - Servoy Valued Professional
https://www.servoyforge.net
Velocity rules! If you don't use it, you don't know what you're missing!
User avatar
ptalbot
 
Posts: 1659
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC

Re: Plugin and Beans with Java 6 update 19

Postby jcompagner » Fri Apr 09, 2010 9:45 pm

yes if they are unsigned.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8863
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Plugin and Beans with Java 6 update 19

Postby ptalbot » Fri Apr 09, 2010 9:52 pm

jcompagner wrote:yes if they are unsigned.

How will you know if they are? Will you check the jar and have 2 different classloaders?
I'm curious.

Anyway, nice little tool you did, thanks.
I see that you have shipped a lot of java tools - including javac/javadoc/applet etc. - with it, why is that?
Patrick Talbot
Freelance - Open Source - Servoy Valued Professional
https://www.servoyforge.net
Velocity rules! If you don't use it, you don't know what you're missing!
User avatar
ptalbot
 
Posts: 1659
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC

Re: Plugin and Beans with Java 6 update 19

Postby Infop » Sat Apr 10, 2010 4:09 pm

Does it require, all the resource jars that are being used by the Beans and Plug-ins, are to be signed??

Thanks
User avatar
Infop
 
Posts: 151
Joined: Fri Nov 30, 2007 3:00 pm

Re: Plugin and Beans with Java 6 update 19

Postby IT2Be » Sat Apr 10, 2010 4:11 pm

Infop wrote:Does it require, all the resource jars that are being used by the Beans and Plug-ins, are to be signed??
That is indeed what it looks like.
Marcel J.G. Trapman (IT2BE)
SAN partner - Freelance Java and Servoy
Servoy Components - IT2BE Plug-ins and Beans for Servoy
ServoyForge - Open Source Components for Servoy
User avatar
IT2Be
Servoy Expert
 
Posts: 4766
Joined: Tue Oct 14, 2003 7:09 pm
Location: Germany

Re: Plugin and Beans with Java 6 update 19

Postby Infop » Sat Apr 10, 2010 6:07 pm

Thanks Marcel, for your reply.

I ran the above signtester.jar from my application_server directory, It is reporting almost all the jars present in the beans, plugins and lib directory. Do I have sign all the jars, including those, coming with servoy as well??? Or Servoy is going to provide the signed jars for those that are used by Servoy itself??

PS: I am running with Servoy 4.1.5

Thanks,
User avatar
Infop
 
Posts: 151
Joined: Fri Nov 30, 2007 3:00 pm

Re: Plugin and Beans with Java 6 update 19

Postby IT2Be » Sat Apr 10, 2010 6:42 pm

Infop wrote:PS: I am running with Servoy 4.1.5
In that case your observation makes sense.
I don't know if you realize you are reading this in 'Plugins and Beans'?
Anyway, you should read the following 'Announcements' post because that will give you an answer: viewtopic.php?f=16&t=13976
Marcel J.G. Trapman (IT2BE)
SAN partner - Freelance Java and Servoy
Servoy Components - IT2BE Plug-ins and Beans for Servoy
ServoyForge - Open Source Components for Servoy
User avatar
IT2Be
Servoy Expert
 
Posts: 4766
Joined: Tue Oct 14, 2003 7:09 pm
Location: Germany

Re: Plugin and Beans with Java 6 update 19

Postby Infop » Sat Apr 10, 2010 6:49 pm

IT2Be wrote:
Infop wrote:PS: I am running with Servoy 4.1.5

I don't know if you realize you are reading this in 'Plugins and Beans'?
Anyway, you should read the following 'Announcements' post because that will give you an answer: viewtopic.php?f=16&t=13976


I have not seen that announcement thread. Thanks for notifying me.
User avatar
Infop
 
Posts: 151
Joined: Fri Nov 30, 2007 3:00 pm

Next

Return to Plugins and Beans

Who is online

Users browsing this forum: No registered users and 9 guests