6 Replies Latest reply on Sep 19, 2012 1:39 PM by NickBannister

    GUI files - using japplet.setGUI() security risk


      In JavaScript when you use the .setGui() function to change the gui file used it seems to look in the configured location for the client files and this in turn gives a Java security warning.

      Warning is about signed and unsigned code.

      I have the client files under IIS in the typical jVue folder.
      GUI file is named: CCReadOnly.gui
      If I remove all .gui files from C:\inetpub\wwwroot\jVue the message does not appear. When I first open a document this is fine. Then if I load another document using .setFile() we have this problem because it looks in the CODEBASE location.
      So this is why we put a copy of the .gui files from C:\Oracle\AutoVue\bin\Profiles into C:\inetpub\wwwroot\jVue so it can download and use the .gui file. This then gives the security issue.

      We close the first document first then call setGui() then load the next document.



      How do we make the applet use the .gui files in the /Profiles directory?
        • 1. Re: GUI files - using japplet.setGUI() security risk
          Your code is fine Nick.
          Just make sure you have full name of gui file including extension.
          So place CCReadOnly.gui in bin\Profiles folder and call this:


          Also it is very important to have correct syntax in your gui file.
          Check that there are no empty lines or wrongly defined tokens.
          • 2. Re: GUI files - using japplet.setGUI() security risk
            I checked and I do have .gui, it was missing from this thread because I manually typed it, sorry.
            I still get the security warning unless I put .setGUI('file://CCReadOnly.gui') which is OK as a workaround but sounds like it shouldn't be needed.
            If I don't do this then in the Java console with debugging turned on I can see the applet trying to get it from the codebase URL where the jvue.jar is downloaded from.

            • 3. Re: GUI files - using japplet.setGUI() security risk
              The way it works: it first tries to load .gui file as a resource (it's done for loading it from .jar, but the resource lookup also includes codebase).
              Only then it tries to load the file from server's bin\Profiles directory.
              So if you delete it from your codebase and leave it only in Profiles you should be fine.
              Again: double check the syntax.
              If you don't succeed, attach it here I'll have a look at it.
              • 4. Re: GUI files - using japplet.setGUI() security risk
                In my system, I only use the gui file on the /Profile folder. It appears to behave better than placing it as a resource for me. But if I have some time, I will move it there so I can package properly the whole solution, with no need to touch the server every time I change the gui file.

                As for the signed / unsigned code warning, I had such an issue around that time of development, but it was not due to the gui file. It may not be your issue, but since it happened to me around the same time and with the same result, I'll detail it in case it is this thing. I had my applet extend jvue, and then packed as a jar to call from a jsp file in another project - we develop the applet and the environment separately -. That packed jar contained signed code (jvue.jar) and unsigned code (my code), and raised the alert. The solution was to use a signer plugin during the package process. I use maven, so in the pom.xml I added:

                <build>
                     <plugins>
                          <plugin>
                               <groupId>org.apache.maven.plugins</groupId>
                               <artifactId>maven-jarsigner-plugin</artifactId>
                               <version>1.2</version>
                               <executions>
                                    <!-- sign the packaged jar -->
                                    <execution>
                                         <id>sign</id>
                                         <goals>
                                              <goal>sign</goal>
                                         </goals>
                                    </execution>
                                    <!-- then verify the signature -->
                                    <execution>
                                         <id>verify</id>
                                         <goals>
                                              <goal>verify</goal>
                                         </goals>
                                    </execution>
                               </executions>
                               <!-- keystore location, key alias and passwords used for signing -->
                               <configuration>
                                    <keystore>${project.build.outputDirectory}\.keystore</keystore>
                                    <alias>name</alias>
                                    <storepass>pass1</storepass>
                                    <keypass>pass2</keypass>
                               </configuration>
                          </plugin>
                     </plugins>
                </build>

                Once this newly packed jar was put in the deploy project, the browser asked for a certificate (my own one) and never again gave any problem.
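
Added example, not part of the original thread or of AutoVue: the mixed signed/unsigned jar described in reply 4 can be spotted before deployment by listing which entries no META-INF/*.SF signature file names. The entry names and the sample jar below are constructed for illustration.

```python
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def _sf_names(text):
    """Entry names listed in one META-INF/*.SF file (manifest syntax)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # leading space = continuation of previous line
        else:
            logical.append(raw)
    return {l[6:] for l in logical if l.startswith("Name: ")}


def signing_coverage(jar):
    """Return (signed, unsigned) payload entries; jar is a path or file object.
    Coverage only: signed means some .SF names the entry; no digest check."""
    covered, payload = set(), []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if name.endswith("/"):
                continue  # directory entry
            if upper.startswith("META-INF/") and "/" not in name[9:]:
                if upper.endswith(".SF"):
                    covered |= _sf_names(zf.read(name).decode("utf-8"))
                if upper.endswith(SIG_SUFFIXES) or upper == "META-INF/MANIFEST.MF":
                    continue  # signature metadata, not payload
            payload.append(name)
    return (sorted(n for n in payload if n in covered),
            sorted(n for n in payload if n not in covered))


def build_sample_jar(with_unsigned=True):
    """Constructed sample jar; names and contents are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n\r\n"
                    "Name: com/example/vendor/Vie\r\n wer.class\r\n\r\n")
        zf.writestr("META-INF/VENDOR.RSA", b"placeholder")
        zf.writestr("com/example/vendor/Viewer.class", b"\xca\xfe\xba\xbe")
        if with_unsigned:
            zf.writestr("com/example/custom/MyApplet.class", b"\xca\xfe\xba\xbe")
    return io.BytesIO(buf.getvalue())
```

A jar for which both returned lists are non-empty is the mixed case; `jarsigner -verify` remains the check for the signatures themselves.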
                • 5. Re: GUI files - using japplet.setGUI() security risk
                  All comments helped. It was the syntax in the gui file itself.
                  All help very much appreciated.
                  • 6. Re: GUI files - using japplet.setGUI() security risk

                    The original posting to this issue helped me out greatly. However, I have a similar situation if you can please help.

                    This time I want to be able to call my custom action but pass back data (a basic string value) but this time it is nothing to do with markups.
                    How do I add to the document properties rather than the markup properties so when I invoke my custom action I can then see the property on the dms servlet side so I can use it to do things?
                    I cannot see any function on the vuebean to set a property or on the applet object.

                    My use case scenario is using HotSpots, I have a hotspot key/value that I want to pass back to a custom action in order for me to do something with it.

                    Any help on this would be greatly appreciated!