Opened 5 months ago

Closed 5 months ago

Last modified 5 months ago

#16204 closed enhancement (fixed)

Sandbox mode

Reported by: Don-vip
Owned by: team
Priority: normal
Milestone: 18.04
Component: Core Webstart
Version:
Keywords: icedtea web security
Cc:

Description

Thanks to our best friends at Oracle (joke: see #16047, this) and Red Hat (for real, see here), I'm playing with IcedTea-Web on Windows.

It works perfectly with full permissions, but IcedTea-Web allows users to launch a WebStart application in "sandbox" mode (a lot of things are denied) or in custom mode (user can choose what is allowed by the security manager, and what is not).

Currently JOSM crashes during startup in sandbox mode:

The 'Permissions' attribute of this application is 'all-permissions'. You have chosen the Sandbox run option, which overrides the Permissions manifest attribute, or the applet has already been automatically sandboxed.
java.lang.ExceptionInInitializerError
        at org.openstreetmap.josm.tools.ListenerList.create(ListenerList.java:242)
        at org.openstreetmap.josm.data.Preferences.<init>(Preferences.java:112)
        at org.openstreetmap.josm.Main.<clinit>(Main.java:83)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:940)
Caused by: java.security.AccessControlException: access denied ("java.util.logging.LoggingPermission" "control")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:291)
        at java.util.logging.LogManager.checkPermission(LogManager.java:1586)
        at java.util.logging.Handler.checkPermission(Handler.java:310)
        at java.util.logging.Handler.setLevel(Handler.java:265)
        at org.openstreetmap.josm.tools.Logging$RememberWarningHandler.<init>(Logging.java:407)
        at org.openstreetmap.josm.tools.Logging.<clinit>(Logging.java:51)
        ... 9 more

Exception in thread "JOSM (development version)" java.lang.RuntimeException: java.lang.ExceptionInInitializerError
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:963)
Caused by: java.lang.ExceptionInInitializerError
        at org.openstreetmap.josm.tools.ListenerList.create(ListenerList.java:242)
        at org.openstreetmap.josm.data.Preferences.<init>(Preferences.java:112)
        at org.openstreetmap.josm.Main.<clinit>(Main.java:83)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:940)
Caused by: java.security.AccessControlException: access denied ("java.util.logging.LoggingPermission" "control")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:291)
        at java.util.logging.LogManager.checkPermission(LogManager.java:1586)
        at java.util.logging.Handler.checkPermission(Handler.java:310)
        at java.util.logging.Handler.setLevel(Handler.java:265)
        at org.openstreetmap.josm.tools.Logging$RememberWarningHandler.<init>(Logging.java:407)
        at org.openstreetmap.josm.tools.Logging.<clinit>(Logging.java:51)
        ... 9 more

So I'm curious to see what we can actually do in this mode by adding some robustness.

Attachments (1)

security_warning.png (11.3 KB) - added by Klumbumbus 5 months ago.


Change History (18)

comment:1 Changed 5 months ago by Don-vip

In 13647/josm:

see #16204 - Allow to start and close JOSM in WebStart sandbox mode (where every external access is denied). This was very useful to reproduce some very tricky bugs that occurred in real life but were almost impossible to diagnose.

comment:2 Changed 5 months ago by Don-vip

In 13648/josm:

see #16204 - allow to load embedded images by disabling ImageIO cache in case of SecurityException

comment:3 Changed 5 months ago by Don-vip

Resolution: fixed
Status: new → closed

In 13649/josm:

fix #16204 - allow to create a new layer, draw, drag, open a few windows. Nothing more to hope in sandbox mode. At least JOSM is now more robust than ever.

comment:4 Changed 5 months ago by Don-vip

In 13650/josm:

see #16204 - fix unit test, checkstyle

comment:5 Changed 5 months ago by Klumbumbus

I think this is related to this ticket.

I now get a Java (JOSM is set to English, but the warning is in German) security warning when selecting a way with a wikidata item, e.g. osmwww:way/389125372 (wikipedia plugin must be installed).

Meanwhile in the console:

2018-04-20 18:50:08.862 SEVERE: Unable to get system property: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
2018-04-20 18:50:08.863 SEVERE: Unable to get system env: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.ProgramFiles(x86)")
2018-04-20 18:50:08.863 SEVERE: Unable to get system property: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
2018-04-20 18:50:20.114 INFO: GET https://www.wikidata.org/w/api.php?action=wbgetentities&props=labels|descriptions&ids=Q802856&format=xml (Wikipedia) -> 200 (309 B)

The decision is remembered until JOSM restart.

I never saw such a warning before, and this warning might irritate the users, especially as there is no further, deeper information.


URL: https://josm.openstreetmap.de/svn/trunk
Repository UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last Changed Date: 2018-04-19 23:04:48 +0200 (Thu, 19 Apr 2018)
Build-Date: 2018-04-20 01:31:54
Revision: 13650
Relative URL: ^/trunk

Identification: JOSM/1.5 (13650 en) Windows 10 64-Bit
OS Build number: Windows 10 Pro 1709 (16299)
Memory Usage: 1691 MB / 3641 MB (1442 MB allocated, but free)
Java version: 1.8.0_171-b11, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM
Screen: \Display0 1680x1050
Maximum Screen Size: 1680x1050
VM arguments: [-Djava.security.manager, -Djava.security.policy=file:<java.home>\lib\security\javaws.policy, -DtrustProxy=true, -Djnlpx.home=<java.home>\bin, -Djnlpx.origFilenameArg=C:\Program Files (x86)\josm-latest-mehr-RAM.jnlp, -Djnlpx.remove=false, -Djava.util.Arrays.useLegacyMergeSort=true, -Djnlpx.heapsize=1024m,4096m, -Djnlpx.splashport=60885, -Djnlpx.jvm=<java.home>\bin\javaw.exe]
Dataset consistency test: No problems found

Plugins:
+ DirectUpload (34109)
+ HouseNumberTaggingTool (34109)
+ Mapillary (v1.5.10)
+ OpeningHoursEditor (34095)
+ apache-commons (34109)
+ apache-http (34109)
+ buildings_tools (34109)
+ editgpx (34109)
+ ejml (34126)
+ geotools (34125)
+ imagery-xml-bounds (34109)
+ imagery_offset_db (34109)
+ jogl (1.1.0)
+ jts (34038)
+ log4j (34038)
+ measurement (34109)
+ reltoolbox (34130)
+ reverter (34109)
+ tag2link (34109)
+ tageditor (34109)
+ tagging-preset-tester (34109)
+ terracer (34109)
+ turnlanes-tagging (263)
+ turnrestrictions (34129)
+ undelete (34109)
+ utilsplugin2 (34109)
+ wikipedia (34149)

Changed 5 months ago by Klumbumbus

Attachment: security_warning.png added

comment:6 Changed 5 months ago by Don-vip

Can you please give me the English translation of the security warning?

comment:7 Changed 5 months ago by Klumbumbus

Security warning

Application has requested a permission for the connection establishment to www.wikidata.org. Do you want to allow this action?

Name: JOSM (development version)

Directory: https://josm.openstreetmap.de

OK Cancel

comment:8 Changed 5 months ago by Don-vip

And it doesn't happen with josm-tested.jnlp?

comment:9 Changed 5 months ago by Don-vip

You can try the following:

.\javaws.exe https://josm.openstreetmap.de/download/josm-13646.jnlp

It launches the last snapshot before these commits.
We can see the following in the console:

2018-04-20 20:42:45.780 AVERTISSEMENT: Could not fetch Wikidata label for Q802856
2018-04-20 20:42:45.780 AVERTISSEMENT: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read"). Cause : java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read"). Cause : java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
...
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "os.name" "read")
...
	at java.lang.System.getProperty(Unknown Source)
	at org.openstreetmap.josm.tools.PlatformHookWindows.getOSDescription(PlatformHookWindows.java:272)
	at org.openstreetmap.josm.data.Version.getAgentString(Version.java:189)
	at org.openstreetmap.josm.data.Version.getAgentString(Version.java:169)
	at org.openstreetmap.josm.data.Version.getFullAgentString(Version.java:200)
	at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:104)
	at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:87)
	at org.wikipedia.WikipediaApp.connect(WikipediaApp.java:88)
	at org.wikipedia.WikipediaApp.getLabelForWikidata(WikipediaApp.java:419)
	... 8 more

The plugin was already failing to access Wikidata because of the first security issues.

r13647 made JOSM more robust to these issues and now Wikipedia plugin really tries to connect to Wikidata and displays a new security issue.

I need to find out why these security issues are triggered.

Last edited 5 months ago by Don-vip

comment:10 Changed 5 months ago by Don-vip

Found it. It's the same issue as ticket:15722#comment:7:

if a SecurityManager is present, then the ForkJoinPool common pool uses a factory supplying threads that have no Permissions enabled.

The Wikipedia plugin does the following:

        // no executor argument: the supplier runs on ForkJoinPool.commonPool()
        ids.forEach(id ->
                labelCache.computeIfAbsent(id, x ->
                        CompletableFuture.supplyAsync(() -> WikipediaApp.getLabelForWikidata(x, Locale.getDefault())))
        );

And the javadoc of CompletableFuture.supplyAsync states:

Returns a new CompletableFuture that is asynchronously completed by a task running in the ForkJoinPool#commonPool()
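Added example (not code from JOSM or the Wikipedia plugin) that reproduces the diagnosis above outside WebStart: it installs a SecurityManager with a policy that grants the application everything, then runs the same System.getProperty("os.name") call through CompletableFuture.supplyAsync once on the default common pool and once on an executor the application creates itself. It assumes Java 8 as in the ticket (on Java 18 or later the JVM must be started with -Djava.security.manager=allow); which executor the fix in [o34159] + [o34160] actually uses is not stated on this page, so the own-executor branch is only one way of keeping the task off the common pool.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class CommonPoolPermissionsDemo {
    // Grants the application code everything, so the only variable between
    // the two runs below is the thread that executes the task.
    static final class AllowAll extends Policy {
        @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
    }

    // The same guarded call the ticket's trace shows failing
    // (PlatformHookWindows.getOSDescription -> System.getProperty("os.name")).
    static String readOsName() {
        return System.getProperty("os.name");
    }

    // executor == null takes the default supplyAsync path, i.e. the common pool.
    static String runOn(Executor executor) throws InterruptedException {
        CompletableFuture<String> future = executor == null
                ? CompletableFuture.supplyAsync(CommonPoolPermissionsDemo::readOsName)
                : CompletableFuture.supplyAsync(CommonPoolPermissionsDemo::readOsName, executor);
        try {
            return "ok: " + future.get();
        } catch (ExecutionException e) {
            // Common pool threads under a SecurityManager carry an empty ProtectionDomain.
            return "denied: " + e.getCause();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Policy.setPolicy(new AllowAll());
        System.setSecurityManager(new SecurityManager());
        // supplyAsync only uses the common pool when its parallelism is > 1; with
        // fewer than 3 CPUs the JDK spawns a plain thread and this line reports ok.
        System.out.println("common pool : " + runOn(null));
        // Threads created by application code inherit the caller's permitted AccessControlContext.
        ExecutorService own = Executors.newSingleThreadExecutor();
        try {
            System.out.println("own executor: " + runOn(own));
        } finally {
            own.shutdown();
        }
    }
}
```

On a multi-core machine the first line reports an AccessControlException for "os.name" even though the policy allows everything, and the second line reports the property value.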

comment:11 in reply to: 9 Changed 5 months ago by Klumbumbus

Replying to Don-vip:

The plugin was already failing to access Wikidata because of the first security issues.

Ah yes, same for me, and the same console output as you posted, with josm-tested.jnlp and wikipedia version 34109.

comment:12 Changed 5 months ago by Don-vip

Should be fixed in [o34159] + [o34160], can you please check in a few minutes?

comment:13 Changed 5 months ago by Klumbumbus

It works like a charm again :)

2018-04-20 21:40:53.377 INFORMATION: GET https://www.wikidata.org/w/api.php?action=wbgetentities&props=labels|descriptions&ids=Q802856&format=xml (Wikipedia) -> 200 (309 B)

comment:14 Changed 5 months ago by Don-vip

Ticket #15744 has been marked as a duplicate of this ticket.

comment:15 Changed 5 months ago by Don-vip

In 13656/josm:

see #16204 - make the missing icon detector script happy

comment:16 Changed 5 months ago by stoecker

You only need to add /* ICON */ before the texts, not change the code. The code supports exceptions. ☺️

comment:17 Changed 5 months ago by Don-vip

In 13658/josm:

see #16204 - make the missing icon detector script happy (for real)
