160274 - Security : Codesigned Applet and LiveConnect problem

Status: RESOLVED INCOMPLETE

(Core Graveyard :: Java: OJI, defect)

Description

[Michael S. Toudal]

Codesigned Java applets cannot communicate through LiveConnect. Both features 
works as intended when tested 'one without the other' but the two features 
cannot be active at the same time.

If proper security are to work in Netscape on the Mac these to features are 
crucial for the finance sector, e-banking etc.

Source sent to bnesse@netscape.com and saari@netscape.com today 07-31-2002

Comment 1

[Brian Nesse (gone)]

Adjusting fields.

Comment 2

[saari (gone)]

As I understand it, this is a non-trivial problem. Basically the Apple Java
implementation needs to use our networking stack, or vice versa, in order to
make this work. Beard has discussed it with Apple engineers in the past, but it
wasn't a high priority at the time, and it was also a lot of work.

It is something we should work out, but I can't comment on a timeline for when
this will get fixed.

Comment 3

[Michael S. Toudal]

Attachment: Mac.zip contain the codesigned archive. Certificate is Thawte for Netscape6+

Comment 4

[Michael S. Toudal]

Attachment: Java source

Comment 5

[gordon]

The government sites this bug as one reason why we can't use Mozilla/Netscape to 
view their KH-7 and KH-9 satellite images.

http://edcsns17.cr.usgs.gov/EarthExplorer/

News story about the release of Cold War images is here:
http://www.msnbc.com/news/835138.asp

Comment 6

[Brian Smith]

This relates to the primary reason why Hushmail (www.hushmail.com) does not 
work with Mozilla and Netscape on the Macintosh.  The permissions granted to 
the signed Jar do not seem to get applied to Java methods called from 
JavaScript.

Comment 7

[H'ik]

This bug also makes it so that none of the Dutch (and probably other) online
banking sites, like postbank.nl, work with Gecko browsers on Mac OS X. (Camino,
Firefox, Seamonkey).

Which make many users stich with webkit, despite webkit being slower at rendering.

Comment 8

[Darin Fisher]

Sounds to me like this bug may need some loving.  Any takers?

Comment 9

[Johnny Stenback (:jst)]

Maybe Kyle can help.

Comment 10

[Kyle Yuan]

If this is a MacOS only bug, I can't - I don't have any Mac box :(

Comment 11

[Steven Michaud [:smichaud] (Retired)]

I'm posting because someone added my name to the CC list ... but in
fact I do have something to contribute :-)

As mentioned in comment #7, the Postbank.nl site (still) illustrates
the problem discussed here.  It uses a signed applet for
authentication.  But when you use Java 1.3.1 via the "Java
Applet.plugin", authentication fails with an error message something
like "the security module is no longer available" (I used
http://babelfish.altavista.com/ to translate from the Dutch).

https://www.p3.postbank.nl/sesam/SesamLoginServlet

However, authentication seems to work just fine when you use Java
1.3.1 via the MRJ Plugin Carbon, or Java 1.4.X via a combination of
the MRJ Plugin Carbon and the Java Embedding Plugin.  (As best I can
tell without actually having an account with Postbank.nl.  I've also
heard that people are using the Java Embedding Plugin to authenticate
to Postbank.nl.)

http://javaplugin.sourceforge.net/

(I'm the Java Embedding Plugin's author.  The version of the MRJ
Plugin Carbon that I used is one that I distribute with the Java
Embedding Plugin.  I've altered it to use the Java Embedding Plugin,
when present, to do Java 1.4.X.  I've also fixed up a lot of its bugs,
so that it now (as far as I can tell) fully supports LiveConnect --
whether via the Java Embedding Framework and Java 1.3.1 or via the
Java Embedding Plugin and Java 1.4.X.)

The MRJ Plugin Carbon doesn't "use our (i.e. Mozilla's) networking
stack" -- rather, it correctly sets up the necessary permissions for
the signed applet to use ordinary Java networking.  (Debug messages
visible in the Java Console show what permissions have been granted.)
So comment #2 appears to be incorrect.

Comment 12

[Steven Michaud [:smichaud] (Retired)]

(Following up comment #11)

Actually, this problem is very simple, and has nothing to do with
whether or not an applet is signed.  (I spaced it out when I was
writing my previous comment.)

The "Java Applet.plugin" doesn't support LiveConnect.  At all.  On any
version of Mac OS X.

In the absence of the MRJ Plugin Carbon, all browsers besides Safari
do Java (Java 1.3.1) via the "Java Applet.plugin" and (indirectly) the
Java Embedding Framework.  I've never been able to find a truly
comprehensive suite of LiveConnect tests.  But the following URLs
often get mentioned:

http://www.simonstl.com/dynhtml/update/code/chap6/lc1.html
http://www.simonstl.com/dynhtml/update/code/chap6/lc2.html
http://information.overlaid.com/stable/weasel/installation/java.html
http://www.mozilla.org/quality/browser/front-end/testcases/oji/liveconnecttest.html

"Java Applet.plugin" fails them all.

Banking sites often use applets (signed or unsigned) whose functions
are invoked from JavaScript.  Postbank.nl is one of these.  People who
want to use Mozilla-family browsers with these sites (or in general to
do any sort of LiveConnect) should use the "MRJ Plugin JEP" that comes
with the Java Embedding Plugin, either by itself (which gives you Java
1.3.1) or together with JavaEmbeddingPlugin.bundle (which gives you
Java 1.4.X).

http://javaplugin.sourceforge.net/

Both parts of this package (JavaEmbeddingPlugin.bundle and
MRJPlugin.plugin) are in beta, and no doubt still have bugs.  If/when
you find one, please use the project's Bugs tracker to report it.

En"joy" :-)  And thanks in advance!

Comment 13

[Bob Clary [:bc] (inactive)]

-> default assignee for old netscape assigned bugs.

Comment 14

[Benjamin Smedberg]

Mass-closing bugs in the "OJI" component: OJI plugin integration was replaced with npruntime long ago, and these bugs appear to be irrelevant now. If there is in fact a real bug that remains, please file it new in the "Core" product, component "Plug-ins".