Merge pull request #553 from AdoptOpenJDK/extractInnerClasses

Extract inner classes

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/CertWarningPane.java

@@ -44,7 +44,7 @@
 import net.adoptopenjdk.icedteaweb.ui.swing.dialogresults.DialogResult;
 import net.adoptopenjdk.icedteaweb.ui.swing.dialogresults.YesNoSandbox;
 import net.sourceforge.jnlp.JNLPFile;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import net.sourceforge.jnlp.security.AccessType;
 import net.sourceforge.jnlp.security.CertVerifier;
 import net.sourceforge.jnlp.security.CertificateUtils;

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/SecurityDialog.java

@@ -43,7 +43,7 @@
 import net.adoptopenjdk.icedteaweb.ui.swing.SwingUtils;
 import net.adoptopenjdk.icedteaweb.ui.swing.dialogresults.DialogResult;
 import net.sourceforge.jnlp.JNLPFile;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import net.sourceforge.jnlp.security.AccessType;
 import net.sourceforge.jnlp.security.CertVerifier;
 

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/SecurityDialogs.java

@@ -47,7 +47,7 @@
 import net.adoptopenjdk.icedteaweb.ui.swing.dialogresults.YesNoSandbox;
 import net.adoptopenjdk.icedteaweb.ui.swing.dialogresults.YesNoSandboxLimited;
 import net.sourceforge.jnlp.JNLPFile;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
 import net.sourceforge.jnlp.security.AccessType;
 import net.sourceforge.jnlp.security.CertVerifier;

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/TemporaryPermissionsButton.java

@@ -43,7 +43,7 @@
 import net.adoptopenjdk.icedteaweb.logging.LoggerFactory;
 import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.config.PathsAndFiles;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import sun.security.provider.PolicyParser;
 
 import javax.swing.AbstractButton;

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java

@@ -49,7 +49,7 @@
 import net.adoptopenjdk.icedteaweb.ui.swing.dialogresults.YesNoSandbox;
 import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.LaunchException;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import net.sourceforge.jnlp.security.CertVerifier;
 import net.sourceforge.jnlp.util.UrlUtils;
 

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/apptrustwarningpanel/AppTrustWarningDialog.java

@@ -38,7 +38,7 @@
 
 import net.adoptopenjdk.icedteaweb.client.parts.dialogs.security.SecurityDialog;
 import net.sourceforge.jnlp.JNLPFile;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 
 /**
  * A panel that confirms that the user is OK with unsigned code running.

core/src/main/java/net/adoptopenjdk/icedteaweb/client/parts/dialogs/security/apptrustwarningpanel/PartiallySignedAppTrustWarningPanel.java

@@ -41,7 +41,7 @@
 import net.adoptopenjdk.icedteaweb.client.parts.dialogs.security.TemporaryPermissionsButton;
 import net.adoptopenjdk.icedteaweb.client.parts.dialogs.security.remember.ExecuteAppletAction;
 import net.sourceforge.jnlp.JNLPFile;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import net.sourceforge.jnlp.security.SecurityUtil;
 import net.adoptopenjdk.icedteaweb.client.parts.dialogs.security.appletextendedsecurity.UnsignedAppletActionEntry;
 import net.adoptopenjdk.icedteaweb.client.parts.dialogs.security.appletextendedsecurity.UnsignedAppletTrustConfirmation;

core/src/main/java/net/adoptopenjdk/icedteaweb/manifest/ManifestAttributesChecker.java

@@ -51,7 +51,7 @@
 import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.LaunchException;
 import net.sourceforge.jnlp.config.ConfigurationConstants;
-import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SecurityDelegate;
+import net.sourceforge.jnlp.runtime.classloader.SecurityDelegate;
 import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.SigningState;
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
 import net.sourceforge.jnlp.util.ClasspathMatcher.ClasspathMatchers;

core/src/main/java/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java

@@ -19,6 +19,7 @@
 import net.adoptopenjdk.icedteaweb.logging.Logger;
 import net.adoptopenjdk.icedteaweb.logging.LoggerFactory;
 import net.adoptopenjdk.icedteaweb.ui.swing.SwingUtils;
+import net.sourceforge.jnlp.runtime.classloader.CodeBaseClassLoader;
 import net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader;
 import net.sourceforge.jnlp.security.AccessType;
 import net.sourceforge.jnlp.services.ServiceUtil;
@@ -233,8 +234,8 @@ protected ApplicationInstance getApplication(Thread thread, Class<?> stack[], in
     private JNLPClassLoader getJnlpClassLoader(ClassLoader cl) {
         // Since we want to deal with JNLPClassLoader, extract it if this
         // is a codebase loader
-        if (cl instanceof JNLPClassLoader.CodeBaseClassLoader) {
-            cl = ((JNLPClassLoader.CodeBaseClassLoader) cl).getParentJNLPClassLoader();
+        if (cl instanceof CodeBaseClassLoader) {
+            cl = ((CodeBaseClassLoader) cl).getParentJNLPClassLoader();
         }
 
         if (cl instanceof JNLPClassLoader) {

core/src/main/java/net/sourceforge/jnlp/runtime/classloader/CodeBaseClassLoader.java

@@ -0,0 +1,155 @@
+package net.sourceforge.jnlp.runtime.classloader;
+
+import net.sourceforge.jnlp.NullJnlpFileException;
+
+import java.io.IOException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.Vector;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * ...
+ */ /*
+ * Helper class to expose protected URLClassLoader methods.
+ * Classes loaded from the codebase are absolutely NOT signed, by definition!
+ * If the CodeBaseClassLoader is used to load any classes in JNLPClassLoader,
+ * then you *MUST* check if the JNLPClassLoader is set to FULL signing. If so,
+ * then it must be set instead to PARTIAL, and the user prompted if it is okay
+ * to proceed. If the JNLPClassLoader is already PARTIAL or NONE signing, then
+ * nothing must be done. This is required so that we can support partial signing
+ * of applets but also ensure that using codebase loading in conjunction with
+ * signed JARs still results in the user having to confirm that this is
+ * acceptable.
+ */
+public class CodeBaseClassLoader extends URLClassLoader {
+
+    JNLPClassLoader parentJNLPClassLoader;
+
+    /**
+     * Classes that are not found, so that findClass can skip them next time
+     */
+    ConcurrentHashMap<String, URL[]> notFoundResources = new ConcurrentHashMap<>();
+
+    CodeBaseClassLoader(URL[] urls, JNLPClassLoader cl) {
+        super(urls, cl);
+        parentJNLPClassLoader = cl;
+    }
+
+    @Override
+    public void addURL(URL url) {
+        super.addURL(url);
+    }
+
+    /*
+     * Use with care! Check the class-level Javadoc before calling this.
+     */
+    Class<?> findClassNonRecursive(final String name) throws ClassNotFoundException {
+        // If we have searched this path before, don't try again
+        if (Arrays.equals(super.getURLs(), notFoundResources.get(name))) {
+            throw new ClassNotFoundException(name);
+        }
+
+        try {
+            return AccessController.doPrivileged(
+                    (PrivilegedExceptionAction<Class<?>>) () -> {
+                        Class<?> c = CodeBaseClassLoader.super.findClass(name);
+                        parentJNLPClassLoader.checkPartialSigningWithUser();
+                        return c;
+                    }, parentJNLPClassLoader.getAccessControlContextForClassLoading());
+        } catch (PrivilegedActionException pae) {
+            notFoundResources.put(name, super.getURLs());
+            throw new ClassNotFoundException("Could not find class " + name, pae);
+        } catch (NullJnlpFileException njf) {
+            notFoundResources.put(name, super.getURLs());
+            throw new ClassNotFoundException("Could not find class " + name, njf);
+        }
+    }
+
+    /*
+     * Use with care! Check the class-level Javadoc before calling this.
+     */
+    @Override
+    public Class<?> findClass(String name) throws ClassNotFoundException {
+        // Calls JNLPClassLoader#findClass which may call into this.findClassNonRecursive
+        Class<?> c = getParentJNLPClassLoader().findClass(name);
+        parentJNLPClassLoader.checkPartialSigningWithUser();
+        return c;
+    }
+
+    /**
+     * Returns the output of super.findLoadedClass().
+     * <p>
+     * The method is renamed because ClassLoader.findLoadedClass() is final
+     *
+     * @param name The name of the class to find
+     * @return Output of ClassLoader.findLoadedClass() which is the class if
+     * found, null otherwise
+     * @see ClassLoader#findLoadedClass(String)
+     */
+    Class<?> findLoadedClassFromParent(String name) {
+        return findLoadedClass(name);
+    }
+
+    /**
+     * Returns JNLPClassLoader that encompasses this loader
+     *
+     * @return parent JNLPClassLoader
+     */
+    public JNLPClassLoader getParentJNLPClassLoader() {
+        return parentJNLPClassLoader;
+    }
+
+    @Override
+    public Enumeration<URL> findResources(String name) throws IOException {
+
+        // If we have searched this path before, don't try again
+        if (Arrays.equals(super.getURLs(), notFoundResources.get(name))) {
+            return (new Vector<URL>(0)).elements();
+        }
+
+        if (!name.startsWith("META-INF")) {
+            Enumeration<URL> urls = super.findResources(name);
+
+            if (!urls.hasMoreElements()) {
+                notFoundResources.put(name, super.getURLs());
+            }
+
+            return urls;
+        }
+
+        return (new Vector<URL>(0)).elements();
+    }
+
+    @Override
+    public URL findResource(String name) {
+
+        // If we have searched this path before, don't try again
+        if (Arrays.equals(super.getURLs(), notFoundResources.get(name))) {
+            return null;
+        }
+
+        URL url = null;
+        if (!name.startsWith("META-INF")) {
+            try {
+                final String fName = name;
+                url = AccessController.doPrivileged(
+                        (PrivilegedExceptionAction<URL>) () -> CodeBaseClassLoader.super.findResource(fName), parentJNLPClassLoader.getAccessControlContextForClassLoading());
+            } catch (PrivilegedActionException ignored) {
+            }
+
+            if (url == null) {
+                notFoundResources.put(name, super.getURLs());
+            }
+
+            return url;
+        }
+
+        return null;
+    }
+}