  Security update breaks A LOT OF STUFF!  (Read 17901 times)
Offline Matzon

« Posted 2010-04-11 23:37:30 »

So creating the LWJGL 2.4 release.

We already added the needed Trusted-Library and stuff. Applets all good.

Then I updated the webstart...

*nothing* worked...

Issue 1:
Proper signed jar, proper manifest - just wouldn't load. Cause: A Trusted-Only jar cannot be run from "sandbox" mode.
Solution: Add <security><all-permissions/></security> even though I DONT NEED it

Issue 2:
Proper signed jar, proper manifest, excess security rights. Error: java.lang.NullPointerException at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
Solution: Don't use resource only jars. You must add code to jars.

Issue 3:
Proper signed jar, proper manifest, excess security rights, messy resources into jar where I don't want it. Error: NullPointerException when accessing said resources.
Cause: My lwjgl_test.jar (in Trusted-Only: true mode) with all my resources could not use the LWJGL util class for loading wave files because that was implemented like this:
   public static WaveData create(String path) {
      return create(WaveData.class.getClassLoader().getResource(path));
   }

and since update 19, the extension and the application jar are no longer running in the same classloader - so there is no resource to be found.
Only about everybody is using a syntax similar to the above - including the java tutorials.

Now, security aside - why the HELL did anyone approve this piece of shit update??? Pardon my language but this has got to be the most f* up EVER point release in the history of software updates.

* Matzon shakes fist

EDIT: hang on to issue 3 - may be caused by something else ... investigating .... nope, it's valid - fix: switch to context classloader, as per comments

Online kappa
« Reply #1 - Posted 2010-04-11 23:47:22 »

damn, so basically issue 3 means you can no longer use classloaders to fetch resources due to different JRE's now putting jars in random classloaders depending on how you sign/don't sign your jars!

Now that breaks a hell lot of code.

They should fire someone for this, maybe Gosling *oh wait*
Offline bobjob

« Reply #2 - Posted 2010-04-11 23:49:59 »

is there any official way to raise concern about the changes to oracle, as a community?

Online kappa
« Reply #3 - Posted 2010-04-12 00:25:20 »

issue 3 also breaks code using things like Class.forName(String) if the jars get loaded in separate classloaders.

Also what's strange is that under Sun almost every release of Java6N Update had an alpha/beta before a final release, Java6u19 being the first release under Oracle didn't have a public alpha/beta. The update was also pushed straight to the masses via the java auto updater and didn't even get released to developers for a small period so that they could test their apps.
Offline Nate

« Reply #4 - Posted 2010-04-12 09:01:43 »

Wow. That can't be right, can it?

Offline kevglass

« Reply #5 - Posted 2010-04-12 09:04:40 »

Thread.currentThread().getContextClassLoader().getResource()


Should work if they've implemented it as expected. There should be a delegating class loader across all the resource/code JARs that can be used to see all of them. In a JEE world you'd expect to see this classloader being passed around on the thread.

Kev

Offline DzzD
« Reply #6 - Posted 2010-04-12 09:44:51 »

Thread.currentThread().getContextClassLoader().getResource()


Should work if they've implemented it as expected. There should be a delegating class loader across all the resource/code JARs that can be used to see all of them. In a JEE world you'd expect to see this classloader being passed around on the thread.

Kev

nice, could you explain a little more plz ?

Offline h3ckboy

« Reply #7 - Posted 2010-04-12 10:33:40 »

Thread.currentThread().getContextClassLoader().getResource()


Should work if they've implemented it as expected. There should be a delegating class loader across all the resource/code JARs that can be used to see all of them. In a JEE world you'd expect to see this classloader being passed around on the thread.

Kev


should and if being the key words
Offline kevglass

« Reply #8 - Posted 2010-04-12 11:00:54 »

Classloaders don't have to be one big lump. Quite often it is useful and more flexible to be able to load separate application artifacts in different class loaders to support isolation between artifacts and co-hosting of applications. Seems like this is the case here, each artifact is being loaded in a separate classloader.

In these cases the context class loader of the thread is normally set to a class loader that gives you the complete context of the application as viewed by the current piece of code. In this case it means that before the webstart client calls main the context class loader "should" (as hackboy rightly points out) be set to a class loader that spans all the others.

Has anyone tried it yet? Until then it's just speculation.

Kev
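
Added example, not part of the thread and not LWJGL's code: a self-contained Java demo of the split described in Issue 3 and of the context class loader lookup suggested above. The class name, the temporary directory standing in for the application's resource jar, and the file name `ding.wav` are assumptions made up for the demo; it sets the context class loader itself, which under Web Start would be the launcher's job.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;

// Stands in for a library class (such as a wave loader) that lives in its own loader.
public class ResourceLookupDemo {

    // Lookup in the style quoted in Issue 3: it only sees what the library's
    // own class loader and its parents can see.
    static URL viaOwnLoader(String path) {
        return ResourceLookupDemo.class.getClassLoader().getResource(path);
    }

    // Lookup through the thread context class loader, falling back to the
    // library's own loader when no context loader is set or it finds nothing.
    static URL viaContextLoader(String path) {
        ClassLoader ctx = Thread.currentThread().getContextClassLoader();
        URL url = (ctx != null) ? ctx.getResource(path) : null;
        if (url == null) {
            ClassLoader own = ResourceLookupDemo.class.getClassLoader();
            url = (own != null) ? own.getResource(path)
                                : ClassLoader.getSystemResource(path);
        }
        return url;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the application jar that holds the resources.
        Path appDir = Files.createTempDirectory("app-resources");
        Path wav = Files.write(appDir.resolve("ding.wav"), new byte[] {0});
        wav.toFile().deleteOnExit();
        appDir.toFile().deleteOnExit();

        ClassLoader libLoader = ResourceLookupDemo.class.getClassLoader();
        ClassLoader previous = Thread.currentThread().getContextClassLoader();
        // The application loader can see the library loader, but not the reverse.
        try (URLClassLoader appLoader =
                 new URLClassLoader(new URL[] {appDir.toUri().toURL()}, libLoader)) {
            Thread.currentThread().setContextClassLoader(appLoader);
            System.out.println("own loader:     " + viaOwnLoader("ding.wav"));
            System.out.println("context loader: " + viaContextLoader("ding.wav"));
        } finally {
            Thread.currentThread().setContextClassLoader(previous);
        }
    }
}
```

The first lookup comes back null because the resource is only visible to the application's loader; the second resolves it through the context loader.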

Offline jojoh

« Reply #9 - Posted 2010-04-12 12:23:57 »

Thanks kappa for pointing me in the right direction in the other thread.

When I first started my battle with u19 (from HELL!), my applets didn't start anymore AT ALL. Not even the initial messages in the console appeared, I am talking about the messages from the java plugin! That made it quite difficult to debug, since nothing started. I managed to figure out that the boot loader that DzzD had made, would actually bring up the mixed mode warning pop-up. I found out that I all along had copied and pasted a resource jar (menu sounds and stuff) that was signed to all my projects. Removing sign got rid of mixed mode warning and the applet started, using boot loader.

Without the boot loader, the applet still didn't start. I use a script for all my builds, and in this particular instance, I used all software rendered resources, so I had one empty jar (just containing the manifest) that I didn't use, that wasn't signed, and that wasn't referenced from the applet tag, but was in the executed jar's manifest. Not only does it not start, but the console buttons don't work, including the close and the windows [ x ] close button! Removing this empty jar made everything work just fine, but leaving it in, will completely lock everything up before the console menu even appears!!!

I do use "Class.forName(getParameter("game")).newInstance();" in my framework code to be able to separate applet, standalone specific code from my game code. Not sure if that is affecting things.

Now, security aside - why the HELL did anyone approve this piece of shit update??? Pardon my language but this has got to be the most f* up EVER point release in the history of software updates.
I have not been bashing Sun or Java in the past, but I have to say very well put, and I could not agree more!

Offline DzzD
« Reply #10 - Posted 2010-04-12 14:57:35 »

ok don't want to give too much hopes (but first try seems to work, just need to do some more tests) especially if it finally doesn't solve it, but seems that I have found a really nice solution, will post some more information tonight.

PS: the not so good thing is that it will probably be considered as a security hole and then will be patched...

Offline DzzD
« Reply #11 - Posted 2010-04-12 15:49:04 »

seems to work pretty well... unfortunately it for now doesn't solve my problem (popup & load security at runtime) but it enables something new in Applet world that gives the Applet Booter all its power :

here is what it offers : delay all the jar loading (even on unsigned Applet), applet tag does not require any archive tag, all jars are loaded after the applet has started, this enables immediate applet start and custom loading, tested & working. I'll post last details and source code tonight.

It also enables mixing signed / unsigned without mixed warning and enables cross jar class access as long as you put the boot class in a signed jar and I suppose this one will help some of JGOs here ?

Offline DzzD
« Reply #12 - Posted 2010-04-12 18:53:11 »

here is what I got for now, not really as neat as I was thinking...

http://demo.dzzd.net/Test619/

below is the HTML code, as you can see there is no archive attribute on the Applet tag, all Jars loading is delayed (and it does not require to be signed), but I am still facing a problem :

need to put Boot.class in a signed boot.jar to enable signed/unsigned mixing Jars, because if not each Jar is considered as being unsigned, I don't like it because I would like to be able to popup the security dialog at runtime as it was running before 1.6u19 (not at startup).

how/when is this dialog popped up ? I suppose it is related to Certificate / SourceCode / ProtectionDomain or some other classes like those, but how exactly, any ideas ? for now I can load those signed Jars but the signed ones act exactly the same as unsigned : the ClassLoader loads them and seems to not see / ignore (I suppose because my classloader is stamped unsigned ..) the certificate of the signed Jar/classes...

<APPLET
       code   = "Boot.class"
       width   = "600"
       height   = "338"
       MAYSCRIPT>
<PARAM NAME="IMAGE" VALUE="BLANK.GIF">  
<PARAM NAME="BOOTJARS" VALUE="LIB/dzzd.jar;LIB/timer.jar;LIB/extension.jar;game.jar">  
<PARAM NAME="BOOTBGCOLOR" VALUE="eeeeee">
<PARAM NAME="BOOTCLASS" VALUE="game.spiderExperiment.FPSSample">      
</APPLET>

Offline DzzD
« Reply #13 - Posted 2010-04-13 00:59:15 »

rather than doing our own plugin... we should all investigate in a trusted certificate and sign a generic Applet booter ( one like this ) and implements our own security manager ...

I know it looks a bit like a security hole but... that's what happens when security becomes too restrictive : people uninstall FireWall / Antivirus / Disable vista security center / click "yes" on any security dialog they are asked for / write their password on paper sheet / and so on... that's why once again I would say that Oracle have no idea of what is security or they have some commercial plan in mind

Offline Mr. Gol

« Reply #14 - Posted 2010-04-13 12:04:16 »

I know it looks a bit like a security hole but... that's what happens when security becomes too restrictive : people uninstall FireWall / Antivirus / Disable vista security center / click "yes" on any security dialog they are asked for / write their password on paper sheet / and so on...

Or they will give up and say your application/game/x "doesn't work", I don't know which option is worse
Offline trembovetski

« Reply #15 - Posted 2010-04-14 03:10:40 »

u19 does look like one f**ked up puppy.
Offline Riven
« Reply #16 - Posted 2010-04-14 04:45:51 »

u19 does look like one f**ked up puppy.

Seriously, thanks for sharing your opinion. At least now we know somebody with some influence in Oracle realizes what a serious regression this is.

Offline princec

« Reply #17 - Posted 2010-04-14 10:59:36 »

@trembovetski - any idea about how quickly this might get sorted out satisfactorily? (First step - pull u19 and downgrade everyone back to u18 if possible using autoupdate?)

Cas

Offline Riven
« Reply #18 - Posted 2010-04-14 15:06:09 »

@trembovetski - any idea about how quickly this might get sorted out satisfactorily? (First step - pull u19 and downgrade everyone back to u18 if possible using autoupdate?)

Cas

If 6u20 == 6u18, that would fix it, without any effort.

Offline Matzon

« Reply #19 - Posted 2010-04-14 15:32:31 »

Except that u19 fixed a security issue - a gaping hole.
Imo they should have done a "patch" for now and then change the stuff in java 7.

but apparently the issue was more important than screwing devs over - which I don't disagree with ...

Online Orangy Tang

« Reply #20 - Posted 2010-04-14 15:55:36 »

Except that u19 fixed a security issue - a gaping hole.

Does it though? Because when I read the actual attack / proof of concept it seemed to be that javaws was being run without validating the command line arg, which allows an attacker to pass their own -J param and path, and so boot with an additional jar.

Oracle seem to have 'fixed' the wrong thing - they're trying to load the jar file and sandbox it after the fact with classloader hackery. But it strikes me that the proper root-cause fix would be to properly sanitise the command line before passing it to javaws so that rogue jar paths can't be introduced in the first place.

That, combined with the no-beta quick roll out, has all the hallmarks of a non-technical manager throwing a hissy fit and forcing through such a colossally broken and ill-thought-out fix.

Edit: for reference, this is the original exploit doc I believe: http://seclists.org/fulldisclosure/2010/Apr/119
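
Added example, not from the thread and not Oracle's fix: one way to do the kind of command-line validation described in this reply, accepting only a plain http(s) URL before it is handed to javaws as a single argument. The class and method names and the sample inputs are hypothetical and constructed for the demo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

public class JnlpLaunchArgs {

    // Returns the argument list for launching javaws on one JNLP URL,
    // or throws if the input is anything other than a plain http(s) URL.
    static List<String> build(String untrusted) {
        if (untrusted == null || untrusted.isEmpty() || untrusted.length() > 2048) {
            throw new IllegalArgumentException("missing or oversized URL");
        }
        // Reject whitespace, quotes, backslashes and control characters:
        // nothing that a launcher could split into a second argument.
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c <= ' ' || c == '"' || c == '\'' || c == '\\' || c == 0x7f) {
                throw new IllegalArgumentException("illegal character at index " + i);
            }
        }
        URI uri;
        try {
            uri = new URI(untrusted);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a URI", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("only http/https URLs are allowed");
        }
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        // An absolute http(s) URL never begins with '-', so it cannot be read
        // as an option such as -J. Pass the list to ProcessBuilder as-is; never
        // join it into one command string.
        return Arrays.asList("javaws", uri.toASCIIString());
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed inputs
            "https://example.com/game.jnlp",
            "-J-Xmx1g",
            "https://example.com/game.jnlp -J-Xmx1g",
            "file:///tmp/game.jnlp"
        };
        for (String s : samples) {
            try {
                System.out.println("OK   " + build(s));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```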

Offline DzzD
« Reply #21 - Posted 2010-04-14 16:04:44 »

Except that u19 fixed a security issue - a gaping hole.
Imo they should have done a "patch" for now and then change the stuff in java 7.

but apparently the issue was more important than screwing devs over - which I don't disagree with ...
sorry but can't understand what security hole they have fixed with the mixed-code restriction and scary popup, once you got a self-signed library you can do whatever you want, so absolutely no need to prevent the user there will also be an unsigned code running with the self-signed library: the self-signed can already do what it wants to do, so absolutely useless & understandable to have done such modification.

anyway they should have better validated (or at least validated...) this update before releasing, breaking existing applications is not really a way to go for web technologies.

Offline DzzD
« Reply #22 - Posted 2010-04-14 18:55:38 »

I have just updated the Applet booter to enable signed/unsigned mixing with only one "standard" security popup (implemented a custom URLClassloader) this seems to work well....

the signed booter is here http://demo.dzzd.net/BootV2Signed/signedBoot.jar

with it you can use HTML code like this :

<applet
   archive = "signedBoot.jar"
   code   = "Boot"
   width   = "500"
   height   = "300">
   <PARAM NAME="BOOTCLASS" VALUE="jar.MyJarApplet">
   <PARAM NAME="BOOTJARS" VALUE="signedJar.jar;unsigned.jar">            
</applet>



it will give Applet all rights or not depending on user response to security popup but the nice thing is that it won't show any secondary popup, it will also start immediately and load jars asynchronously after boot applet start and then will launch the given sub-applet. if you don't require any special right then don't sign the booter and it will run just as fine.

more informations in this thread http://www.java-gaming.org/topics/3dzzd-applet-boot-v2-updated/22239/msg/184109/view/topicseen.html#msg184109


EDIT: anyone interested in investigate a certificate ? 50$ each

Offline bobjob

« Reply #23 - Posted 2010-04-15 12:39:13 »

i downloaded update 20, anyone know if it fixes any issues?

edit: still getting the ugly mixed code popup, with older applets. Anyone know about the other issues yet?


Offline Riven
« Reply #24 - Posted 2010-04-15 12:54:48 »

i downloaded update 20, anyone know if it fixes any issues?

edit: still getting the ugly mixed code popup, with older applets. Anyone know about the other issues yet?

http://java.sun.com/javase/6/webnotes/6u20.html

At first glance, it looks even a tiny bit tighter on security, breaking more JNLP apps.

Offline DzzD
« Reply #25 - Posted 2010-04-15 13:06:44 »

update 20 is even worse than update 19 ....

I got now three popups now ?! for some applets that were not showing any popup before, that's crazy...

the new popup is: this applet requires an old java version....


Offline DzzD
« Reply #26 - Posted 2010-04-15 13:08:40 »

all applet are now showing a dialog even unsigned , now I am really thinking of going away from java, Oracle sucks...

Online Orangy Tang

« Reply #27 - Posted 2010-04-15 13:15:29 »

all applet are now showing a dialog even unsigned , now I am really thinking of going away from java, Oracle sucks...
Ouch, that's really, really bad. I can't imagine how on earth this got approved at Oracle.

Offline DzzD
« Reply #28 - Posted 2010-04-15 13:18:29 »

It makes me become completely mad... absolutely crazy.... that's just incredible, every single Applet around the world will then show a popup, how is it possible to be so stupid ?

they try to kill the java plugin ?

Offline DzzD
« Reply #29 - Posted 2010-04-15 13:37:53 »

java4k applet show popup, same on java.net and same on sun.com website, I just cannot find any website where there is not this popup


seems that Oracle just broke in two updates all the efforts made by Sun last years to make the plugin appear more user-friendly, it is really impossible to rely on Java technology especially if Oracle is in the game, they always have produced poor quality tools and always focused on money
