Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#16204 closed enhancement (fixed)

Sandbox mode

Reported by: Don-vip Owned by: team
Priority: normal Milestone: 18.04
Component: Core Webstart Version:
Keywords: icedtea web security Cc:

Description

Thanks to our best friends at Oracle (joke: see #16047, this) and Red Hat (for real, see here), I'm playing with IcedTea-Web on Windows.

It works perfectly with full permissions, but IcedTea-Web allows users to launch a WebStart application in "sandbox" mode (a lot of things are denied) or in custom mode (user can choose what is allowed by the security manager, and what is not).

Currently JOSM crashes during startup in sandbox mode:

The 'Permissions' attribute of this application is 'all-permissions'. You have chosen the Sandbox run option, which overrides the Permissions manifest attribute, or the applet has already been automatically sandboxed.
java.lang.ExceptionInInitializerError
        at org.openstreetmap.josm.tools.ListenerList.create(ListenerList.java:242)
        at org.openstreetmap.josm.data.Preferences.<init>(Preferences.java:112)
        at org.openstreetmap.josm.Main.<clinit>(Main.java:83)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:940)
Caused by: java.security.AccessControlException: access denied ("java.util.logging.LoggingPermission" "control")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:291)
        at java.util.logging.LogManager.checkPermission(LogManager.java:1586)
        at java.util.logging.Handler.checkPermission(Handler.java:310)
        at java.util.logging.Handler.setLevel(Handler.java:265)
        at org.openstreetmap.josm.tools.Logging$RememberWarningHandler.<init>(Logging.java:407)
        at org.openstreetmap.josm.tools.Logging.<clinit>(Logging.java:51)
        ... 9 more

Exception in thread "JOSM (development version)" java.lang.RuntimeException: java.lang.ExceptionInInitializerError
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:963)
Caused by: java.lang.ExceptionInInitializerError
        at org.openstreetmap.josm.tools.ListenerList.create(ListenerList.java:242)
        at org.openstreetmap.josm.data.Preferences.<init>(Preferences.java:112)
        at org.openstreetmap.josm.Main.<clinit>(Main.java:83)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:940)
Caused by: java.security.AccessControlException: access denied ("java.util.logging.LoggingPermission" "control")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:291)
        at java.util.logging.LogManager.checkPermission(LogManager.java:1586)
        at java.util.logging.Handler.checkPermission(Handler.java:310)
        at java.util.logging.Handler.setLevel(Handler.java:265)
        at org.openstreetmap.josm.tools.Logging$RememberWarningHandler.<init>(Logging.java:407)
        at org.openstreetmap.josm.tools.Logging.<clinit>(Logging.java:51)
        ... 9 more

So I'm curious to see what we can actually do in this mode by adding some robustness.

Attachments (1)

security_warning.png (11.3 KB ) - added by Klumbumbus 7 years ago.

Change History (18)

comment:1 by Don-vip, 7 years ago

In 13647/josm:

see #16204 - Allow to start and close JOSM in WebStart sandbox mode (where every external access is denied). This was very useful to reproduce some very tricky bugs that occurred in real life but were almost impossible to diagnose.

comment:2 by Don-vip, 7 years ago

In 13648/josm:

see #16204 - allow to load embedded images by disabling ImageIO cache in case of SecurityException

comment:3 by Don-vip, 7 years ago

Resolution: fixed
Status: new → closed

In 13649/josm:

fix #16204 - allow to create a new layer, draw, drag, open a few windows. Nothing more to hope in sandbox mode. At least JOSM is now more robust than ever.

comment:4 by Don-vip, 7 years ago

In 13650/josm:

see #16204 - fix unit test, checkstyle

comment:5 by Klumbumbus, 7 years ago

I think this is related to this ticket.

I now get a Java security warning (JOSM is set to English, but the warning is in German) when selecting a way with a wikidata item e.g. osmwww:way/389125372 (wikipedia plugin must be installed).

Meanwhile in the console:

2018-04-20 18:50:08.862 SEVERE: Unable to get system property: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
2018-04-20 18:50:08.863 SEVERE: Unable to get system env: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.ProgramFiles(x86)")
2018-04-20 18:50:08.863 SEVERE: Unable to get system property: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
2018-04-20 18:50:20.114 INFO: GET https://www.wikidata.org/w/api.php?action=wbgetentities&props=labels|descriptions&ids=Q802856&format=xml (Wikipedia) -> 200 (309 B)

The decision is remembered until JOSM restart.

I never saw such a warning before and this warning might irritate the users, especially as there is no further, deeper information.


URL:https://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2018-04-19 23:04:48 +0200 (Thu, 19 Apr 2018)
Build-Date:2018-04-20 01:31:54
Revision:13650
Relative:URL: ^/trunk

Identification: JOSM/1.5 (13650 en) Windows 10 64-Bit
OS Build number: Windows 10 Pro 1709 (16299)
Memory Usage: 1691 MB / 3641 MB (1442 MB allocated, but free)
Java version: 1.8.0_171-b11, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM
Screen: \Display0 1680x1050
Maximum Screen Size: 1680x1050
VM arguments: [-Djava.security.manager, -Djava.security.policy=file:<java.home>\lib\security\javaws.policy, -DtrustProxy=true, -Djnlpx.home=<java.home>\bin, -Djnlpx.origFilenameArg=C:\Program Files (x86)\josm-latest-mehr-RAM.jnlp, -Djnlpx.remove=false, -Djava.util.Arrays.useLegacyMergeSort=true, -Djnlpx.heapsize=1024m,4096m, -Djnlpx.splashport=60885, -Djnlpx.jvm=<java.home>\bin\javaw.exe]
Dataset consistency test: No problems found

Plugins:
+ DirectUpload (34109)
+ HouseNumberTaggingTool (34109)
+ Mapillary (v1.5.10)
+ OpeningHoursEditor (34095)
+ apache-commons (34109)
+ apache-http (34109)
+ buildings_tools (34109)
+ editgpx (34109)
+ ejml (34126)
+ geotools (34125)
+ imagery-xml-bounds (34109)
+ imagery_offset_db (34109)
+ jogl (1.1.0)
+ jts (34038)
+ log4j (34038)
+ measurement (34109)
+ reltoolbox (34130)
+ reverter (34109)
+ tag2link (34109)
+ tageditor (34109)
+ tagging-preset-tester (34109)
+ terracer (34109)
+ turnlanes-tagging (263)
+ turnrestrictions (34129)
+ undelete (34109)
+ utilsplugin2 (34109)
+ wikipedia (34149)

by Klumbumbus, 7 years ago

Attachment: security_warning.png added

comment:6 by Don-vip, 7 years ago

Can you please give me the English translation of the security warning?

comment:7 by Klumbumbus, 7 years ago

Security warning

Application has requested a permission for the connection establishment to www.wikidata.org. Do you want to allow this action?

Name: JOSM (development version)

Directory: https://josm.openstreetmap.de

OK Cancel

comment:8 by Don-vip, 7 years ago

And it doesn't happen with josm-tested.jnlp?

comment:9 by Don-vip, 7 years ago

You can try the following:

.\javaws.exe https://josm.openstreetmap.de/download/josm-13646.jnlp

It launches the last snapshot before these commits.
We can see the following in console:

2018-04-20 20:42:45.780 AVERTISSEMENT: Could not fetch Wikidata label for Q802856
2018-04-20 20:42:45.780 AVERTISSEMENT: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read"). Cause : java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read"). Cause : java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
...
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
...
	at java.lang.System.getProperty(Unknown Source)
	at org.openstreetmap.josm.tools.PlatformHookWindows.getOSDescription(PlatformHookWindows.java:272)
	at org.openstreetmap.josm.data.Version.getAgentString(Version.java:189)
	at org.openstreetmap.josm.data.Version.getAgentString(Version.java:169)
	at org.openstreetmap.josm.data.Version.getFullAgentString(Version.java:200)
	at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:104)
	at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:87)
	at org.wikipedia.WikipediaApp.connect(WikipediaApp.java:88)
	at org.wikipedia.WikipediaApp.getLabelForWikidata(WikipediaApp.java:419)
	... 8 more

The plugin was already failing to access Wikidata because of the first security issues.

r13647 made JOSM more robust to these issues and now Wikipedia plugin really tries to connect to Wikidata and displays a new security issue.

I need to find out why these security issues are triggered.

comment:10 by Don-vip, 7 years ago

Found it. It's the same issue as ticket:15722#comment:7:

if a SecurityManager is present, then the ForkJoinPool common pool uses a factory supplying threads that have no Permissions enabled.

The Wikipedia plugin does the following:

        ids.forEach(id ->
                labelCache.computeIfAbsent(id, x ->
                        CompletableFuture.supplyAsync(() -> WikipediaApp.getLabelForWikidata(x, Locale.getDefault())))
        );

And the javadoc of CompletableFuture.supplyAsync states:

Returns a new CompletableFuture that is asynchronously completed by a task running in the ForkJoinPool#commonPool()
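
Added example (not part of the ticket or of the JOSM/plugin code): a minimal reproduction of the behaviour described in comment:10, written for Java 8 as used in the status report above. The class name SandboxPoolDemo and the allow-all policy are constructed for the demo; passing an explicit Executor is one way to avoid the common pool and is not necessarily what [o34159] and [o34160] changed.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration (hypothetical class name), written for Java 8.
public class SandboxPoolDemo {

    // Reads a system property and reports which thread did it and whether it was allowed.
    static String readOsName() {
        String who = Thread.currentThread().getName();
        try {
            return String.join(" -> ", who, System.getProperty("os.name"));
        } catch (SecurityException e) {
            return String.join(" -> ", who, "DENIED", e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed setup: a policy granting everything to application code,
        // installed BEFORE ForkJoinPool is first used, because the common pool
        // chooses its thread factory once, when the class is initialized.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. Caller thread: allowed by the policy.
        System.out.println(readOsName());

        // 2. Default supplyAsync: runs on a common-pool worker that has no
        //    permissions, so the read is denied despite the policy. (With
        //    common-pool parallelism <= 1, CompletableFuture uses a new thread
        //    per task instead and the denial does not show.)
        System.out.println(CompletableFuture.supplyAsync(SandboxPoolDemo::readOsName).get());

        // 3. Explicit executor: its thread inherits the caller's access
        //    control context, so the same task is allowed again.
        ExecutorService own = Executors.newSingleThreadExecutor();
        try {
            System.out.println(CompletableFuture.supplyAsync(SandboxPoolDemo::readOsName, own).get());
        } finally {
            own.shutdown();
        }
    }
}
```

On newer JDKs, System.setSecurityManager is refused unless -Djava.security.manager=allow is passed, and on releases where the Security Manager has been disabled it is refused unconditionally.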

in reply to:  9 comment:11 by Klumbumbus, 7 years ago

Replying to Don-vip:

The plugin was already failing to access Wikidata because of the first security issues.

Ah yes same for me and same console print as you posted with josm-tested.jnlp and wikipedia version 34109.

comment:12 by Don-vip, 7 years ago

Should be fixed in [o34159] + [o34160]. Can you please check in a few minutes?

comment:13 by Klumbumbus, 7 years ago

It works like a charm again :)

2018-04-20 21:40:53.377 INFORMATION: GET https://www.wikidata.org/w/api.php?action=wbgetentities&props=labels|descriptions&ids=Q802856&format=xml (Wikipedia) -> 200 (309 B)

comment:14 by Don-vip, 7 years ago

Ticket #15744 has been marked as a duplicate of this ticket.

comment:15 by Don-vip, 7 years ago

In 13656/josm:

see #16204 - make the missing icon detector script happy

comment:16 by stoecker, 7 years ago

You only need to add /* ICON */ before the texts, not change the code. The code supports exceptions. ☺️

comment:17 by Don-vip, 7 years ago

In 13658/josm:

see #16204 - make the missing icon detector script happy (for real)
