  Weird symbol on java applet windows  (Read 12214 times)
Offline jezek2
« Reply #30 - Posted 2008-12-10 23:00:21 »

About the 3D acceleration:

I think that it should display some warning dialog (instead of normal security dialog and ideally just embedded into applet area as mentioned by someone so it doesn't block browsing in other tabs) that 3D acceleration is going to be used and what risks it poses, which unfortunately are because of bad drivers... Though JRE 6u10 and its out-of-process ability can fix a lot (eg. disabling any D3D usage and not messing with browser process).

The warning dialog should ask only the first time. It could detect if 3D is alright when the applet/application ends successfully and mark that the user shouldn't be asked again as it's working for him.

This should cover both of JOGL/JOAL and LWJGL. OpenGL API is pretty secure by design (don't know how JOGL handles it, but for example LWJGL is checking inputs and tracks state to prevent any bad memory access), so it shouldn't be a problem to allow its usage for unsigned applet/app.
Offline jezek2
« Reply #31 - Posted 2008-12-10 23:09:16 »

Quote
Matzon has big paranoia about applets being allowed to run if signed when he hasn't explicitly allowed it - but I bet you he's perfectly happy to download a .exe installer and install anything on his hard drive at face value. That's where it all breaks down. People already are entirely happy to compromise their own security by clicking "yes" when they want to run something when they honestly have no idea what it's really doing.

The question is, why do you need a signed application? I bet it's because of 3D acceleration. If that would be handled gracefully (as outlined in my previous post here), it would leave signed applications only for special purpose things, where I find current security dialog a very proper solution. I agree with Matzon that signed code shouldn't be allowed to run by default.
Offline thijs



« Reply #32 - Posted 2008-12-10 23:18:24 »

Quote
Nice. How does it do that? Reload a signed version of the applet or something?

It works like this:
An additional jar is added to the applet archive list, which is signed containing a loader class and a custom classloader. When this loader class is called it replaces the loaded securitymanager with its own (after the user has accepted the security question), which basically allows everything. Now you can tell the loader class to load a jar, it will load its classes through the custom classloader which has the original classloader as a parent. The beauty of this, is that the security popup is deferred until the unsigned applet loads the loader class from the signed jar.

Quote
The question is, why do you need a signed application? I bet it's because of 3D acceleration. If that would be handled gracefully (as outlined in my previous post here), it would leave signed applications only for special purpose things, where I find current security dialog a very proper solution. I agree with Matzon that signed code shouldn't be allowed to run by default.

I agree the current way it works (security popup) is fine for privileged actions, the user can accept it or not. And we developers can detect if the user accepted or not and act accordingly. Instead of using an "extensionloader" like I outlined above it would be nice if the JVM did this for us, check if a privileged action is invoked, check if the user accepted the security popup or not. Of course with this security popup it should have an option "reject", "accept once" and "always accept (for this applet)".

Offline Matzon



« Reply #33 - Posted 2008-12-11 00:18:55 »

Quote
A signed applet isn't in the least bit safe - it can do anything.
Yes, and that is why it shouldn't be allowed to run - by default.
We should however, work on allowing as much as possible without annoying the developers and end users - and still keep it safe.

When I run an exe file, it's an active conscious thing I do. Having all sorts of applets execute isn't one (especially from shady sites).

Offline DzzD
« Reply #34 - Posted 2008-12-11 00:54:51 »

Quote
When I run an exe file, it's an active conscious thing I do. Having all sorts of applets execute isn't one (especially from shady sites).
+1

yes, and even if they are signed/verified and from a great company this is a bad thing. I mean, if I go to the Sun web site and they have put up a signed applet to do something great, I don't want this applet to be able to access my computer, and for example I don't want it to write files even if those writes are not intended to hack or break anything. I just don't want new files in uncontrolled folders on my computer without having previously granted permission for it.

This is only a very simple example, but even well written code that is not intended to break or hack can do computer damage or cause damage to the end user, and the end user should be able to go anywhere on the Web with NO risk except if he knows.

Offline princec



« Reply #35 - Posted 2008-12-11 10:10:39 »

You've got a point about applets executing whether you like them to or not - rather like Flash executes whether you want it to or not. But that's why I suggest having the ability for users to turn the dialog back on if they want to.

It would indeed solve the vast majority of problems if we had that endorsed library Sun-signed thing (so we could get LWJGL signed for example and then it wouldn't need any further permissions) but as you can see even JavaFX fell foul of the whole issue on its maiden voyage and screwed it up, so fat chance of that ever happening.

<edit> Just 1 further point you might want to chew on: you lot are all geeks. Proper, high-order grand wizard pointy propeller head geeks. You know about this stuff and even more strangely, you care. You are fundamentally interested in how things work and what they're doing. But the rest of the world does not give 2 shits. They just want stuff to work (which is largely why they click yes on nearly any dialog - "Do you want to grant permission to DodgyCorp.ru to access your computer so you can play Craptris?") Given that, they don't care about files being written to their hard drive any more than they care about how much heap the VM allocates on startup. They don't care, they don't understand, they don't even want to understand. All that matters to a normal person, a non-geek, is that the machine does what it is asked!

Cas :)

Offline zammbi




« Reply #36 - Posted 2008-12-11 10:24:37 »

I agree to the geeks thing.
Most people I know ignore the warnings and if it's possible to turn off the warnings they will.

Offline Matzon



« Reply #37 - Posted 2008-12-11 10:41:10 »

Quote
is that the machine does what it is asked
and just as important, that they don't do stuff I didn't ask them to do ;)

I realize your point, many users really are clueless and will say yes to anything, and then complain afterward. However if Sun sets the bar for security too low, they will get flamed.

Offline thijs



« Reply #38 - Posted 2008-12-11 10:47:33 »

Quote
<edit> Just 1 further point you might want to chew on: you lot are all geeks. Proper, high-order grand wizard pointy propeller head geeks. You know about this stuff and even more strangely, you care. You are fundamentally interested in how things work and what they're doing. But the rest of the world does not give 2 shits. They just want stuff to work (which is largely why they click yes on nearly any dialog - "Do you want to grant permission to DodgyCorp.ru to access your computer so you can play Craptris?") Given that, they don't care about files being written to their hard drive any more than they care about how much heap the VM allocates on startup. They don't care, they don't understand, they don't even want to understand. All that matters to a normal person, a non-geek, is that the machine does what it is asked!

Cas :)

True, true... And (I assume) we're all good geeks here, but we know there are evil geeks too. The problem with the web is that you can easily stumble upon a website you didn't want to (redirect, wrong click etc). And if such a page contains an evil applet that screws the computer without notice, the user probably wants to disable all applets, and associates applets==bad, and then we're all back in 1997 again :/

A popup doesn't have to be bad, can be user-friendly and maybe popup only once per author (signer) if you tell it so, it can simply say something like: "Yes I want to play games from this author". The notice must be clear (the flash way), and preferably be skinnable in some way, because Sun's own look&feel doesn't look/feel too good.

Offline princec



« Reply #39 - Posted 2008-12-11 14:11:29 »

Skinnable dialog = scope for abuse.

But a single, user-friendly dialog that appears but once ever for any particular signing certificate would suffice, and I'd like to be able to turn it off or have it follow other OS settings (eg. on Vista, UAC)

And likewise any Sun-signed code need have no dialog at all.

Cas :)

Offline ewjordan






« Reply #40 - Posted 2008-12-11 14:15:38 »

Has anybody filed a bug report or an RFE that we can vote for on either security granularity or the Sun-endorsed extensions thing?  IMO this stuff is almost so badly broken, or at least so hostile to both user and developer, that it could qualify as a bug.  The security model is plain effed for applets, it's been well known bad security practice for years to grant full permissions to anything that doesn't need them, and a model that requires full permissions to display 3d is just messed up and broken.  This really should be fixed, stuff like this does more security harm than good...
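
The permission rule behind the signed/unsigned split discussed in replies #32 and #40, as an added example that is not part of the original thread: under the default security manager a check passes only if every protection domain on the call stack (up to the nearest doPrivileged frame) implies the permission, and a replacement security manager that allows everything no longer enforces that. The class name, jar URLs and file paths are hypothetical, the unsigned applet is modelled with an empty permission set, and the code is written against the java.security API as it behaves in Java 8 to 17 (deprecated for removal by JEP 411).

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Added illustration; all names, URLs and paths below are hypothetical.
public class DomainIntersectionDemo {

    // Build a protection domain with a fixed (static) permission set.
    // Signer certificates are omitted: only the granted permissions matter here.
    static ProtectionDomain domain(String jarUrl, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        CodeSource source = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        return new ProtectionDomain(source, perms);
    }

    // True only if every domain in the simulated call stack implies the permission.
    static boolean allowed(Permission wanted, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(wanted);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    static void report(String label, Permission wanted, ProtectionDomain... stack) {
        System.out.println(label + " -> " + (allowed(wanted, stack) ? "allowed" : "denied"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample domains: an unsigned applet jar, a signed jar
        // granted everything (what accepting the security dialog amounts to),
        // and the same jar granted only what a game needs to store its saves.
        ProtectionDomain unsignedApplet = domain("http://example.invalid/game.jar");
        ProtectionDomain signedAll = domain("http://example.invalid/loader.jar",
                new AllPermission());
        ProtectionDomain signedScoped = domain("http://example.invalid/loader.jar",
                new FilePermission("/home/user/.game/saves/-", "read,write"));

        Permission save = new FilePermission("/home/user/.game/saves/slot1.dat", "write");
        Permission other = new FilePermission("/home/user/Documents/notes.txt", "write");

        // Signed code with AllPermission, nothing else on the stack.
        report("signed(all), write save file", save, signedAll);
        report("signed(all), write other file", other, signedAll);

        // Same signed code, but called from the unsigned applet: both domains are checked.
        report("unsigned caller + signed(all), write save file", save, unsignedApplet, signedAll);

        // Least-privilege grant: only the save directory is covered.
        report("signed(scoped), write save file", save, signedScoped);
        report("signed(scoped), write other file", other, signedScoped);
    }
}
```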
Offline Riven


« Reply #41 - Posted 2008-12-11 14:27:37 »

Just to point out that the 'weird symbol' is really not-fully-thought-through...

If you maximize a window, the icon is exactly over the close button (!) in the titlebar, making it hard to close the darn thing.

Offline bienator



« Reply #42 - Posted 2008-12-11 15:15:48 »

I still think dialogs are not a good idea for applets in general. Applets are applications embedded in webpages, every user notification should also be inside the browser and scroll with the page.
The only exception are applets which are invisible or have small bounds which could fall back to the current behavior.

regarding the "weird" symbol issue
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6749517

btw: ea u12b02 is available with initial 64bit plugin
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4802695

Offline brackeen






« Reply #43 - Posted 2008-12-11 15:50:34 »

Quote
I still think dialogs are not a good idea for applets in general. Applets are applications embedded in webpages, every user notification should also be inside the browser and scroll with the page.
I agree, especially because popups are so annoying.

I wonder if there are users out there who are so accustomed to closing popup-ads that they just close security dialogs without reading them. Or they just go with the default, which is "cancel" for self-signed applets. It would certainly explain a lot.
Offline bienator



« Reply #44 - Posted 2008-12-11 16:00:20 »

Quote
I wonder if there are users out there who are so accustomed to closing popup-ads that they just close security dialogs without reading them. Or they just go with the default, which is "cancel" for self-signed applets. It would certainly explain a lot.
The important thing is telling the user what he did in this situation. E.g. a canceled applet could contain a standardized banner telling the user that it has been canceled by him and if he clicks on the applet area it will relaunch. solved ;)

Offline DzzD
« Reply #45 - Posted 2008-12-11 16:13:41 »

Quote
I wonder if there are users out there who are so accustomed to closing popup-ads that they just close security dialogs without reading them. Or they just go with the default, which is "cancel" for self-signed applets. It would certainly explain a lot.

I refuse several security dialogs, including a lot of webstart ones asking for privileges, including some shown here, not because I think there is a virus or anything, just because I don't want, for example, webstart or signed applets to install something on my computer, or because I have other applications open and I don't want them to crash due to lack of memory or something else.

EDIT: because.... hum.. I could not understand what I wrote, so even if my English is worse I think I wrote this post a little bit too fast :)

Offline brackeen






« Reply #46 - Posted 2008-12-11 16:25:29 »

Quote
The important thing is telling the user what he did in this situation. E.g. a canceled applet could contain a standardized banner telling the user that it has been canceled by him and if he clicks on the applet area it will relaunch. solved ;)
I wish that were possible with the Java security dialogs. Right now if someone clicks cancel, they have to restart the browser just to get the question again.

Quote
... not because I think there is a virus or anything...
Yeah that's another thing, how many people think those dialogs are malware? Typical IE+MySpace users, I'm looking your way ;) Oh well, they probably don't want to play games anyway.
Offline bienator



« Reply #47 - Posted 2008-12-11 18:13:27 »

Quote
I wish that were possible with the Java security dialogs. Right now if someone clicks cancel, they have to restart the browser just to get the question again.
this is actually what I had in mind, this functionality should be provided by the browser plugin rather than by the application.

RFE:
-replace dialogs with in browser rendered content
-specify a default behavior which solves the "user canceled applet" + "applet failed to load" scenarios by providing a default relaunch button rendered instead of the failed applet

what do you think?

Offline princec



« Reply #48 - Posted 2008-12-11 19:52:51 »

Prototype it and show us.

Cas :)

Offline bienator



« Reply #49 - Posted 2008-12-11 21:57:05 »

Quote
Prototype it and show us.
maybe I would give it a try... if webstart would be open source...

Offline phu004



« Reply #50 - Posted 2008-12-11 22:43:50 »

I didn't see any yellow sign for java applets. I only got those when I am running webstart application.
Offline DzzD
« Reply #51 - Posted 2008-12-11 23:20:13 »

Quote
Most people I know ignore the warnings and if it's possible to turn off the warnings they will.
you can do it with IE, but really don't, this is a bad idea.

Quote
this is actually what I had in mind, this functionality should be provided by the browser plugin rather than by the application.

RFE:
-replace dialogs with in browser rendered content
-specify a default behavior which solves the "user canceled applet" + "applet failed to load" scenarios by providing a default relaunch button rendered instead of the failed applet

I think it is possible to use a workaround simulating that for self-signed applets (or for people with a lot of money who can afford two certificates...). It is probably already possible using two similar applet versions, signed server-side with two different certificates: first you try to load the first one, then if it fails you warn the user in a nice way with a pretty window, "hey you cannot play doing that ...blabla...", then you propose that he click somewhere to start again and then load the second signed applet... maybe a workaround, but I realize that it is a bit too complicated to be usable :)

Offline trembovetski



« Reply #52 - Posted 2008-12-12 00:31:36 »

> If you maximize a window, the icon is exactly over the close button (!) in the titlebar, making it hard to close the darn thing.

I think that got fixed in 6u12 (btw, early access builds are available at http://jdk6.dev.java.net, b02 has slightly different warning icons).

Also, as I mentioned, there's an API which allows you to place the icon.

Dmitri
Offline erikd



« Reply #53 - Posted 2008-12-14 15:50:26 »

The icon besides the applet window is really strange, true, but what's the big deal anyway?
Applets shouldn't have any pop-up windows in the first place. If you're annoyed by the icon, just realize that your users are at least as annoyed by your popup, so do the most sensible thing and just get rid of the popup.

Regarding the permission dialogs problem, I think many of those could be handled if there would be a number of standard GUI controls that don't need extra permissions, like print buttons, 'go full screen' buttons, browse buttons etc. If the user clicks such a button, he implicitly gives permission.

Offline Riven


« Reply #54 - Posted 2008-12-14 15:58:55 »

Quote
The icon besides the applet window is really strange, true, but what's the big deal anyway?
Applets shouldn't have any pop-up windows in the first place. If you're annoyed by the icon, just realize that your users are at least as annoyed by your popup, so do the most sensible thing and just get rid of the popup.

Excuse me....? Not every applet is a game.

There are situations where a Dialog (with a lot of components, not just yes/no/ok/cancel buttons) makes perfect sense in an applet.

Offline erikd



« Reply #55 - Posted 2008-12-14 16:20:30 »

Quote
Excuse me....? Not every applet is a game.

There are situations where a Dialog (with a lot of components, not just yes/no/ok/cancel buttons) makes perfect sense in an applet.

But every applet is embedded in a webpage, and most of them are games (hey isn't this java-gaming.org? ;)), and as such I don't think it's such a big deal. An applet breaking out of the browser is IMHO generally annoying, like other pop-ups for which we have popup blockers.

Of course there are some cases where dialogs make sense and of course the strange icon has to be fixed/removed, but maybe those cases would be better suited to JWS? And maybe it's better to have such applet dialogs internally inside the applet?

Offline Riven


« Reply #56 - Posted 2008-12-14 17:10:54 »

I guess we won't agree on this one :) (luckily we don't need to)

Anyway, JWS's reliability is worse than that of applets. Applets can cause the browser to display the yellow-plugin-installer-bar, while JWS simply shows the plain XML, which is a very bad user experience. Further, there are many bugs in JWS, like the 'it worked the second time' behaviour which occurs way too often, even in 1.6.0_u10.

Offline Matzon



« Reply #57 - Posted 2008-12-14 19:37:47 »

Quote
But every applet is embedded in a webpage, and most of them are games (hey isn't this java-gaming.org? ;)), and as such I don't think it's such a big deal. An applet breaking out of the browser is IMHO generally annoying, like other pop-ups for which we have popup blockers.
Applets shouldn't be second-rate citizens. Applets, like other applications, have just the same reason for having multiple windows as other applications - jws. The irony here is that WHEN an applet is properly sandboxed, we are STILL warning the user that they have a suspicious-beware-cant-hurt-you-anyway window ::) If the window is from a signed applet - and thus 1834984920% more unsafe, the user is never shown a warning.

There should not be a warning - EVER. It simply doesn't make sense. Not only because I can do it using javascript to open a new window with an applet in it - but also because there is absolutely no reason whatsoever in warning users about a window.

Offline erikd



« Reply #58 - Posted 2008-12-15 13:21:32 »

Quote
The irony here is that WHEN an applet is properly sandboxed, we are STILL warning the user that they have a suspicious-beware-cant-hurt-you-anyway window ::) If the window is from a signed applet - and thus 1834984920% more unsafe, the user is never shown a warning.

Hehe, you're absolutely right!

Maybe we (well, me anyway) have to reconsider what an applet *is* and what the goals are.
They were typically always these small embedded parts of a webpage used for small games, banners and menus and such. But with full applications running from the browser (RIA) becoming more popular, Java applets should be able to be the platform of choice for that.
So yeah, I have to admit I have to reconsider my previous standpoint that popups from an applet are annoying. In many cases they are, but it should at least be possible to do without annoying everyone with intrusive pointless warnings.

But what do you all think about my previous idea about standard GUI controls that implicitly grant extra permissions (browse buttons, full screen buttons etc)? Might be worth an RFE, as I think it could solve many security dialog annoyances.

Offline jezek2
« Reply #59 - Posted 2008-12-15 14:22:05 »

Quote
But what do you all think about my previous idea about standard GUI controls that implicitly grant extra permissions (browse buttons, full screen buttons etc)? Might be worth an RFE, as I think it could solve many security dialog annoyances.

Would be too much limiting. And there is already support for such things in JNLP services (from 6u10 also for applets). It just needs to expand provided functionality.