From e3806ac97871e7f4cea5f800c3319b61a2fb8e8c Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Fri, 12 Apr 2013 15:32:24 +0200 Subject: Added help for extended applets security and settings --- .../sourceforge/jnlp/resources/Messages.properties | 144 +++++++++++++++++++++ 1 file changed, 144 insertions(+) (limited to 'netx/net/sourceforge/jnlp/resources/Messages.properties') diff --git a/netx/net/sourceforge/jnlp/resources/Messages.properties b/netx/net/sourceforge/jnlp/resources/Messages.properties index 38d6334..b31da59 100644 --- a/netx/net/sourceforge/jnlp/resources/Messages.properties +++ b/netx/net/sourceforge/jnlp/resources/Messages.properties @@ -570,3 +570,147 @@ APPEXTSECguiPanelShowOnlyPermanentA=Show only allowed permanent records APPEXTSECguiPanelShowOnlyPermanentN=Show only forbidden permanent records APPEXTSECguiPanelShowOnlyTemporalY=Show previously allowed applets records APPEXTSECguiPanelShowOnlyTemporalN=Show previously denied applets records +APPEXTSEChelpHomeDialogue=Dialogue +APPEXTSEChelp= \ +

Help for Extended applet security - itw-settings, files and structures, dialogue

\ +

\ +Extended Applet Security refers to security features for unsigned applets. Traditionally, only signed applets required user confirmation and unsigned applets ran automatically. This is represented by the 'low security' setting. Unsigned applets must be allowed or disallowed individually on 'high security' (the default), and additionally do not run at all on 'very high security'. In theory, unsigned applets can safely run automatically. In practice, however, any vulnerability in the Java security sandbox will prevent this from being true. \ +

\ +

\ +To do so it uses the Security Level main settings switch rules in the tables of Custom definitions and Global definitions
\ +You can read much more about development of (and help us to improve!) this feature at dedicated IcedTea-Web page \ +

\ +

Security Level

\ +

\ +Its a main switch for "extended applet security". Its value is commonly stored in usrs_home/.icedtea/deployment.properties, but can be enforced via global settings in /etc/.java/deployment/deployment.properties or JAVA_HOME/lib/deployment.properties under the key deployment.security.level
\ +

Disable running of all Java applets - stored as DENY_ALL - No applet will be run
\ +

\ +No applet will be allowed to run. However the Java virtual machine will always be executed (and an error screen with reason appear instead of applets). To disable Java completely you can uninstall IcedTea-Web or disable it in your browser (if supported). The tables with records are of course ignored. \ +

\ +

Very High Security - stored as DENY_UNSIGNED - No unsigned applets will be run
\ +

\ +No applet unsigned will be allowed to run (and an error screen with reason will appear instead of such applets). The tables with records are of course again ignored. \ +

\ +

High Security - stored as ASK_UNSIGNED - User will be prompted for each unsigned applet
\ +

\ +All unsigned applets will be tested against the tables below if they should be allowed or forbidden to run. If they are not matched in the table then the user is prompted and the decision is stored in tables below. If the user denies the applet, an error screen with reason appears and the applet does not run. If the user allows applets to run, the user can choose to save this decision and whether to allow just one applet or a whole group of applets (see Dialogue paragraph below). \ +
This is default behavior. \ +

\ +

Low Security - stored as ALLOW_UNSIGNED - All, even unsigned, applets will be run
\ +

\ +All applets even unsigned will be allowed to run. User will not be warned and the tables with records are of course again ignored. \ +

\ +You need to press ok or apply button to make the changes take effect. \ +

\ + \ + \ +

Table with recorded actions

\ +

Custom x Global table

\ +After each action in High Security dialogue the record is added to, or updated in, the table or configuration file. Commonly in users file - home/.icedtea/.appletTrustSettings - "Custom definition" panel.
\ +But superuser can specify default behavior in /etc/.java/deployment/ .appletTrustSettings - "Global definition" panel.
\ +

"Syntax"

\ +

Action - Desired behavior when applet is matched
\ +

\ +
Always trust this applet - This unsigned applet will always be run in High Security Security Level. It is stored as A in .appletTrustSettings
\ +
Never trust this applet - This unsigned applet will never be run in High Security Security Level. It is stored as N in .appletTrustSettings
\ +
Visited and allowed - When the user is asked about this applet again, a note that this applet was already trusted in past will be displayed. It is stored as y in .appletTrustSettings
\ +
Visited and denied - When user will be asked about this applet again, he will see information that this applet was already denied in past. It is stored as n in .appletTrustSettings
\ +

\ +

Date - date of last action on this item (read only item)
\ +

Document base - is the page from which the applet was requested. It is actually a regular expression to match a specific URL. See about regular expressions and their usage lower
\ +

Code base - is the URL where an applets code came from. It is actually a regular expression to match a specific URL. See about regular expressions and their usage lower
\ +

Archives - coma separated list of archives with applet's code. Can be empty if source code are just classes or group of applets is allowed
\ +
\ +When you change a value in the table, its effect is immediate. \ +

Controls of tables

\ +

Delete - deletes items as specified in combo box on side
\ +

\ +
selected - removes all selected items. Key Del does the same. Default behavior. Multiple selections allowed. Selection can be inverted by button even more on side
\ +
all allowed (A) - removes all permanently trusted records
\ +
all forbidden (N) - removes all permanently forbidden records
\ +
all approved (y) - removes all previously (temporarily) trusted records
\ +
all rejected (n) - removes all previously (temporarily) denied records
\ +
all - will clear the table
\ +
\ +Ask me before action - switch to ask before each deletion (in bulk) or not to ask. Asking dialogue can be pretty long, so if you do not see the buttons, just press Esc \ +

\ +

Show full regular expressions - Disable or Enable filtering of quotation marks \Q\E in code/document base columns. About regular expressions see more lower
\ +
\ +

Filtering in table(s)
\ +

\ +
Show only permanent records - Shows only permanently allowed (A) or denied (N) records. Default behavior
\ +
Show only temporarily decided records - Shows only once allowed (y) or denied (n) informative records.
\ +
Show only permanently allowed records - Shows only permanently allowed (A) records
\ +
Show only permanently denied records - Shows only permanently denied (N) records
\ +
Show only temporarily allowed records - Shows only once allowed (y) informative records.
\ +
Show only temporarily denied records - Shows only once denied (n) informative records.
\ +

\ +

Add new row - will add new, exemplary filled, row with current date and empty archives
\ +

Validate table - will test if table can save, load, and if each value is valid:
\ +

\ +
Action - is one of A,N,y,n
\ +
Date - is valid date
\ +
Code base and document base - are valid regular expressions or empty
\ +
Archives - coma separated list of archives or empty
\ +

\ +

Test url - In two dialogues (in two steps) will let you enter document base and codebase, and then try to match them against all records. All matching items are returned! Last values are remembered> \ +

Move row down/up
\ +

\ +Order of rows is important. First matched result is returned (permanent have priority). So you can prioritize your matches using these buttons.
\ +For example, if you \Qhttp://blogs.com/\E.* regular expression to allow all applets on http://blogs.com, then it must be AFTER your \Qhttp://blogs.com/evilJohn\E.* regular expression forbidding all applets from blog of hacker evilJohn. \ +

\ +

Dialogue

\ +If High Security is set, and a new unsigned applet is hit then the dialogue is shown asking you to allow it or deny it. You can also choose if you want to allow or deny this applet every-time (A or N) you encounter it or for just one run (y,n).
\ +You can also select to trust or deny (again temporarily or permanently) all the applets from same, exact, codebase. If you are visiting one page, which has various applets on various documents then this is a choice for you.
\ +If you decide not to allow remembering your decision, then just a temporary record is made. If you revisit a page, a small green or red label will inform you about your last decision.
\ +Once you select remember your decision, the dialog will never appear again. But you can edit your decision in itw-settings application table (packed with IcedTea-Web). If you change your decision to temporary one (n,y) or delete its row, the dialogue will appear again. Of course you can switch also from Always to Never or vice versa. \ +
\ +The dialogue always mentions the page on which an applet is displayed, and the URL from which it comes. There is also a hint, if you have ever visited this applet saying if you have allowed or rejected it in the past
\ +

\ +
Controls
\ +
\ +
Remember this option - If set, then dialogue will never be shown for this applet or page again. \ +
\ +
For applet - Exact applet will be allowed or denied \ +
For site - All applets from this place will be allowed or denied \ +
\ +
Proceed - Applets, as selected above will be allowed \ +
Cancel - Applets, as selected above will be forbidden \ +
\ +Be aware to "proceed" + "Remember this option" + "For site" on pages you do not know! It can make you vulnerable! \ +

\ +

Regular expressions

\ +IcedTea-Web extended applet security - uses a powerful matching engine to match exact (sets of) applets. Base stone is Quotation of URL \Q\E and wildchars llike .* or .? or more.
\ +This was designed to suits the need to block or allow exact pages. The best is to show some examples:
\ +N 12.12.2012 .* \Qhttp://blogs.com/evilJohn\E.*
\ +N 12.12.2012 \Qhttp://blogs.com/goodJohn/evilApplet.html\E.* \Qhttp://blogs.com/goodJohn/\E goodJohnsArchive.jar
\ +A 12.12.2012 \Qhttp://blogs.com/\E.* \Qhttp://blogs.com/\E.*
\ +N 12.12.2012 .* \Qhttp://adds.com\E.*
\ +Y 12.12.2012 .* \Qhttp://www.walter-fendt.de/ph14_jar/\E
\ +
\ +So this table, created 12.12.2012:
\ +

Forbid all stuff which have some code on http://blogs.com/evilJohn pages
\ +

Forbidding also one exact applet from http://blogs.com/goodJohn/ with archive goodJohnsArchive.jar
\ +

Allowing all (other) applets from http://blogs.com/ but only when displayed also on http://blogs.com/
\ +

Forbidding all applets with code saved on http://adds.com (except on http://blogs.com/ - to have forbidden http://adds.com also on http://blogs.com/, this (http://adds.com) record must be above blogs record)
\ +

And finally allowing all nice physical applets on walter-fendt's pages
\ +
\ +Note - the date saved in .appletTrustSettings has a not so nice format, but I left this for now...
\ +
\ +All information about full regular expression syntax can be found on http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html \ +

\ +

Conclusion

\ +

\ +Stay tuned to our homepage at http://icedtea.classpath.org/wiki/IcedTea-Web!
\ +If you encounter any bug, feel free to file it in our bugzilla ... According to http://icedtea.classpath.org/wiki/IcedTea-Web#Filing_bugs
\ +
\ +Safe browsing from your IcedTea-Web team... \ +

\ + \ -- cgit v1.2.3