(and it does not mention the MEDIUM level any more...)
Ok. So I'm testing with 7 here, btw. So anyways, I just configured two lines for testing within /Library/Management/deployment.properties
swy joined the channel
deployment.security.level=MEDIUm
er
deployment.security.level=MEDIUM
deployment.security.level.locked=true
Technically you don't need a value for the locked line
You should be able to just write the name with .locked and that's it
I never trust that though :p
Anyways.
Once I added those lines and re-opened Java 7 prefs, yes, security is now locked to medium
foigus
My issue was specifically that Java complained it couldn't find the deployment.properties when I set deployment.system.config.mandatory=true in deployment.config
frogor
So /Library/Management/deployment.properties is being honored.
foigus: Where did it complain?
rmanly
foigus thanks I was clicked away :)
foigus
WHen trying to launch a java applet, the javatester.org version check
pdimitrov joined the channel
Pretty much "I know finding deployment.properties is mandatory, can't find it, you can't have Java"
frogor
Hmm. Let me test javatester.org. Because the plugins run under a sandbox, no? So maybe it's filesystem issues?
Can't access outside certain paths?
I've just been testing with the Java prefs itself.
The deployment.system.config.mandatory property is a boolean. If set to true, the deployment.properties file that is pointed to by the deployment.system.config property must be found and successfully loaded, otherwise, nothing is allowed to run. If the property is set to false, an attempt is made to find and load the deployment. properties file that is pointed to by the deployment.system.config property. If successful, the file is used, otherwise,
the file is ignored. The default for the deployment.system.config.mandatory property is false.
frogor
13:13:34.163380 open [ 1] (R_____) /Library/Management/deployment.properties
See the brackets?
It *did* attempt to open the path
Golby has quit
foigus
around the "1"?
pdimitrov has quit
frogor
This time the process name was: com.apple.Webkit.15254 (last bit is the pid)
Yeah, the [ 1], if I'm looking at other lines here, appears to be an error result
In that it attempted to open that path but either the perms weren't right or the sandbox doesn't allow it
Whatcha wanna bet the security db is coming into play?
Now, there's an additional setting though
Let me try something..
pdimitrov joined the channel
s73v3r joined the channel
hahahaha
Worked
It's totally a sandbox issue
foigus
curious
frogor
So here's what I did that allowed it to read the file and not provide that dialog (got the applet to run)
macmule has quit
chrfr joined the channel
foigus
What if you set it to a file server or http URL?
frogor
Safari -> Preferences -> Internet plug-ins -> Manage Website Settings ... -> Java -> javatester.org is listed previously because I allowed Java to run on it
foigus
run in unsafe mode?
frogor
Click on the 'Allow' and select 'Run in Unsafe Mode'
Yup
foigus
I thought you mentioned at a point that the idea was that the deployment.properties could be centrally located
frogor
As soon as I did that, Java was no longer sandboxed and it had full filesystem access
badlittlerobots has quit
And could pull the /Library/Management/... path
eholtam
just for that site though?
frogor
Just for that site, correct.
If I visit another site, it'll now be the same issue.
And that's a -Safari- security model, has nothing to do with Java at this point.
rmanly
so in toher words… "Working as intended"
frogor
Until I approve a plugin, for a specific site, to have access outside the sandbox, there are going to be locations that are not accessible by the plugin
eholtam
Attempting Chrome/Firefox would not result in the original issue?
frogor
It sounds like /Library/Application Support paths -are- allowed within the sandbox.
eholtam: Chrome/Firefox may have similar variations on a theme.
No idea though.
pdimitrov has quit
Not sure how they handle plugin sandboxing on Safari.
er
eholtam
so path of least resistance is play in the sandbox
frogor
OS X
eholtam
thanks for the lesson, frogor. That was fun to watch.
foigus
Yes--that was interesting
ctdawe has quit
eholtam
he was in the _zone_
frogor
So if you want to be able to access a system-wide path location for the locked down Java configuration for Safari, at least, it needs to be in /Library/Application Support due to sandbox restrictions.
bruienne
Nick_ZWG: in case you were interested, that Blogo app is 50% off right now
Nick_ZWG
bruienne: Oh awesome
I'll take a look
bruienne
I like it enough at that price
frogor
I'll ping rtrouton on Twitter to go over this bit of channel log and turn it into another Java post (one of many in a series) :p
bruienne
Days of our Java
frogor
We have a deal. I do the research, he does the writeup ;)
Ah. And it looks like you -could- do 'for all websites', because there's a dropdown on Safari for 'When visiting other websites' - you could just pop that over to 'Run in Unsafe Mode'
But if that is all just to have the deployment.properties outside of /Library/Application Support ... that's a bit much.
foigus
I thought I looked and "other webistes' didn't have that option
frogor
I'm looking at Safari 7 on 10.9
10.10 might be diff
Not sure which you're looking at
foigus
oh, hm...Allow with a !
Where is the toggle for unsafe mode?
I don't see a control
Safari 7 + 10.9
frogor
So when looking at: Safari -> Preferences -> Internet plug-ins -> Manage Website Settings ... -> Java
Have java selected on the left, on the right should be at the bottom: When visiting other websites
swy has quit
foigus
Is unsafe mode just chosen due to the architecture of the plugin?
frogor
Do you see / get the dropdown menu there at the bottom right?
By default it should say: When visiting other websites: Ask
foigus
Yeah, I can set it to "allow" or "allow always"
But Safari appears to know that "Allow" == "set to run in unsafe mode"
frogor
Underneath my choice (with Java 7) for "Allow Always" is a divider line and one more option to "Run in Unsafe Mode"
ctdawe joined the channel
eholtam
I see that here, too
frogor
And then my "Allow Always" gains a warning triangle
eholtam
what frogor sees
pdimitrov joined the channel
rmanly
i have block and unsafe as well
foigus
oh
duuuuh
frogor
So you have to select "Run in Unsafe Mode" -first-
foigus
I'm already in unsafe mode
frogor
Then Select "Allow Always"
It's a menu that's a toggle.
It's dumb.
foigus
My prompts reflect that my choice is to _not_ run in unsafe mode
Yeah, I was already practicing unsafe java
rmanly
how naughty of you
eholtam
go get tested
foigus
(at least, for that one Microsoft support website)
frogor
Unsafe mode takes a plugin out of the sandbox and allows filesystem access. Which unfortunately in some of our configurations I knew about / used because we had a Java-based file uploader.
swy joined the channel
bleh :p
foigus
Yep--that's what the Microsoft one was
It's either that or IE
eholtam
to the wayback machine!
frogor
Yeah. For us it's a horrible web-based CMS / web publishing tool called Teamsites
I don't even know what the company is.
eholtam
part of Sharepoint?
frogor
Nah, different.
I know what you're talking about though.
eholtam
sorry
hah
frogor
I'm ok that it faded into obscurity / never took off - it's a horrible product.
