Competition Thought

Started by bobjob, December 09, 2015, 13:27:14


bobjob

Not that many people are getting involved in LWJGL Java game comps any time soon.

But I was wondering, now that applets are dead, is it possible to set up a Java app that can load an LWJGL application with security restrictions? I was thinking this even as a general Java-gaming.org app for showcase/competition purposes. Just a basic application that takes the arguments of another main class and includes LWJGL in its class path (or other standardised Java packages), but with general security restrictions (except on LWJGL packages) to prevent harm to testers.

I understand JNLPs are an option, but accepting security certificates is still a bit of a concern. On the current version of Mac OS X, unrecognised certificates get rejected automatically.

I figure if it became a general java-gaming standard for game testing with security, it might take off.

I was just wondering if this would even be possible. Before I look too heavily into Java security, just wondered if this might lead to a dead end?

FortressBuilder

You can set the security manager of another application to prevent it from using certain functionality. With the -Djava.security.manager and -Djava.security.policy command line options any Java application can be run with any security manager you want. Every time the application tries to do something potentially dangerous (write to/execute a file, load native code, open network connections, etc.) it first checks whether the security manager allows this and throws an exception if not. In theory this should give you full control over what the application is allowed to do or not.

Different permissions can be granted to different code bases, so you can for example allow LWJGL code to do something other code isn't allowed to do.

http://docs.oracle.com/javase/8/docs/technotes/guides/security/

spasi

LWJGL and security restrictions don't make sense. Once you permit LWJGL to load native code and call JNI methods, security goes out of the window. A malicious programmer could use LibFFI to call any system API and do real harm.

bobjob

I guess it's a bad idea. It's just unfortunate that you have to risk harm to test even the most basic Java prototypes. Mobile apps at least come with warnings.
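
The per-code-base policy FortressBuilder describes, together with the limit spasi points out, written out as an added example that is not part of the original thread. It targets Java 8, as in the linked guide; the jar names, directories, main class and permission list are assumptions.

```text
// sandbox.policy: constructed example. Jar names, directories and the
// permission list are assumptions, not taken from LWJGL documentation.
//
// Run (Java 8, Unix-style class path; com.example.GameMain is a placeholder):
//   java -Djava.security.manager -Djava.security.policy=sandbox.policy \
//        -Djava.library.path=natives \
//        -cp lib/lwjgl.jar:entries/game.jar com.example.GameMain
// A single "=" adds this file to the JRE's default policy.

// Trusted library: allowed to load its native code.
grant codeBase "file:${user.dir}/lib/lwjgl.jar" {
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.io.FilePermission "${user.dir}/natives/-", "read";
    permission java.util.PropertyPermission "*", "read";
};

// Untrusted competition entries: the default policy plus one scratch
// directory. No other file writes, no exec, no sockets, no loadLibrary.
grant codeBase "file:${user.dir}/entries/-" {
    permission java.io.FilePermission "${user.dir}/scratch/-", "read,write,delete";
};

// Limits of this setup:
// 1. A permission check covers every frame on the call stack, so the LWJGL
//    grant only takes effect where the library makes the call inside
//    AccessController.doPrivileged; otherwise the entry's frames fail it.
// 2. The policy governs Java code only. Once the native library is loaded,
//    any JNI method the entry can reach runs outside the security manager,
//    which is spasi's objection.
```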