
perfsonar-dev - Re: [pS-dev] AA and Java Web start incompatibilities

Subject: perfsonar development work

  • From: Nina Jeliazkova <>
  • To: Michael Bischoff <>
  • Cc: GN-JRA1-list <>, "" <>, "Ca'ndido Rodri'guez Montes" <>, Manuela Stanica <>
  • Subject: Re: [pS-dev] AA and Java Web start incompatibilities
  • Date: Wed, 07 Nov 2007 10:51:00 +0200

Hello Michael,


Michael Bischoff wrote:
Hello all,

  
Hi,


The first try to embed AA into Java Web start version of perfsonarUI is
facing the following problem.

As I learnt from Candido, the AA classes need to use xerces parser, and
for this purpose the java property "java.endorsed.dirs" has to be set to
point to xerces classes. This works fine when running locally (from
command line or development environment as Eclipse), but does not work if
the endorsed.dirs property is set in JNLP configuration, e.g. the line
<property name="java.endorsed.dirs" value="/jars/xalan"/>
    

..zip..

  
I am not sure if there is some other way to make the JWS use xerces
parser necessary for AA classes.

I don't see a workaround here, except abandoning JWS for perfsonarUI.
(There is also another reason for this).


Any ideas?


Best regards,
Nina



    

As described in
http://java.sun.com/developer/technicalArticles/WebServices/JWS_2/JWS_White_Paper.pdf
chapter 4: security. " The Java Web Start Sandbox
Unsigned JAR files launched by Java Web Start run in the sandbox, meaning
they cannot access local files or the
network. "

and:

"Providing for Functionality Beyond the Sandbox
Java Web Start supports signed JAR files so that your application can work
outside of the sandbox described
above.
Java Web Start verifies that the contents of the JAR file have not changed
since it was signed. If verification of a
digital signature fails, Java Web Start does not run the application.
When the user first runs an application as a signed JAR file, Java Web
Start opens a dialog box displaying the
application's origin based on the signer's certificate. The user can then
make an informed decision regarding
running the application."

I think a signed jar in combination with:
http://java.sun.com/j2se/1.5.0/docs/api/java/lang/System.html#setProperty(java.lang.String,%20java.lang.String)
should allow for setting the right parser.

  

PerfsonarUI starting with version 0.10 is already distributed as a signed jar (signed jars actually, since ALL the jars have to be signed). There is no other option, since psUI has to communicate with different services over the network, which is forbidden when running in the sandbox.

The problem with the setProperty method is that the setProperty for "java.endorsed.dirs" is ignored when the application runs through JWS. The reason is that it is considered a security risk.

The problem has already been discussed 3 years ago on opensaml list https://mail.internet2.edu/wws/arc/mace-opensaml-users/2004-02/msg00005.html with no particular solution reported on that list.

FYI, an excerpt from http://xml.apache.org/xalan-j/faq.html#faq-N100D6
JDK/JRE 1.4, and JDK/JRE 5.0 is packaged with an old version of Xalan-Java. The JDK/JRE will attempt to use this version instead of any on the classpath. Unfortunately, this causes problems when attempting to use a newer version of Xalan-Java.
You can always determine which version of Xalan-Java you are running by using the EnvironmentCheck class or by using the xalan:checkEnvironment extension function. It is highly recommended that you use this method to verify the version of Xalan-Java you are running, especially before opening a bug report.
To use a newer version of Xalan-Java and override the one packaged with the JDK:
  • use the Endorsed Standards Override Mechanism. Place the xalan.jar, serializer.jar, xercesImpl.jar and xml-apis.jar in the <java-home>\lib\endorsed directory, where <java-home> is where the runtime software is installed.
The following methods do not work:
  • Using the CLASSPATH environment variable or using -classpath to place the new classes in the classpath.
  • Using the -jar option to explicitly execute the classes inside the new jar files.

If xalan-2.7.0.jar, xalan-serializer-2.7.0.jar, xerces-xml-apis-2.8.0.jar and xercesImpl-2.8.0.jar are placed under the <java-home>/lib/endorsed directory, the endorsement mechanism works (even in JWS; you could try the latest perfsonarUI 0.11 http://perfsonar.acad.bg/psui_0_11/perfsonar.jnlp and get a dialog listing identity providers and one asking for user/password), but this means every JWS user has to be asked to download and place those jars in the local lib/endorsed folder. This definitely is not in line with the Webstart idea.


That aside, looking into the dependencies creating this problem might not be
a bad idea either.

regards,

Michael.

Ps. what is the other reason for abandoning jws?
  
The other reason is that the communication with the current SASL CA server needs this keystore to be available as a file on the user PC (according to
http://wiki.perfsonar.net/jra1-wiki/index.php/How_to_get_a_certificate_from_a_SASL_CA_server ).
With JWS setup, this is not possible, unless the user copies ClientSASLCA.jks  on his desktop (Windows) or default JWS directory (Unix).
I was told this is a temporary solution until more sophisticated SASL CA server comes into place, but it is not clear when this will happen.

To summarize, currently JWS is possible on the condition that the user
1) copies xalan-2.7.0.jar, xalan-serializer-2.7.0.jar, xerces-xml-apis-2.8.0.jar and xercesImpl-2.8.0.jar to the <java-home>/lib/endorsed directory on his machine
2) copies ClientSASLCA.jks to his desktop (Windows) or default JWS directory (Unix).

This is somewhat more than the supposed one-click installation/run implicit in JWS.

The latest problem I ran into is that I get an error when trying to sign opensaml-2.0-TP2-jdk-1.5.jar. Can anybody tell me the origin of this file?

  [signjar] Signing JAR: D:\src\perfsonarui\dist\PerfsonarUI-v0.11\bin\jars\axis\opensaml-2.0-TP2-jdk-1.5.jar
  [signjar] jarsigner: unable to sign jar: java.util.zip.ZipException: duplicate entry: schema/cs-sstc-schema-assertion-01.xsd




Best regards,
Nina

-- 
---------------------------------
Dr. Nina Nikolova-Jeliazkova
Institute for Parallel Processing
Bulgarian Academy of Sciences
Acad. G. Bonchev St 25-A
1113 Sofia, Bulgaria
Tel: +359 886 802011
ICQ: 10705013
www: http://ambit.acad.bg/nina
---------------------------------
PGP Public Key
http://cert.acad.bg/pgp-keys/keys/nina-nikolova-0xEEABA669.asc
	8E99 8BAD D804 1A43 27B7  7F87 CF04 C7D1 EEAB A669
---------------------------------------------------------------
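
The jarsigner failure quoted in the message above is caused by an archive that lists the same entry name more than once. The following check is an added example, not part of the original message or of perfSONAR: it lists repeated entry names in a jar so they can be found before the signing step. The function names and the in-memory sample archive are constructed for illustration; only the schema entry name is taken from the error text.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(jar):
    """Return {entry name: count} for names listed more than once.

    `jar` is a path or a binary file object. infolist() yields one record
    per central-directory entry, so repeated names are preserved.
    """
    with zipfile.ZipFile(jar) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_jar(names):
    """Build an in-memory archive (constructed test input, not a real jar)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns on a repeated name; it still writes the entry.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, "copy %d" % i)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_jar([
        "META-INF/MANIFEST.MF",
        "schema/cs-sstc-schema-assertion-01.xsd",
        "org/example/Placeholder.class",           # hypothetical class name
        "schema/cs-sstc-schema-assertion-01.xsd",  # same name a second time
    ])
    for name, n in sorted(duplicate_entries(sample).items()):
        print("duplicate entry: %s (%d copies)" % (name, n))
```

Passing the path of a real jar to duplicate_entries() works the same way; an empty result means no entry name is repeated.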


