How to provide backward compatibility with old java clients during UCF updates

This post was originally published on ECN.

If you are not familiar with apache httpd’s mod_rewrite and regexps, please do not read this post.

Problem

When EMC releases new UCF fixes, aimed to provide compatibility with corresponding JRE security fixes, they completely miss the fact, that customers are unable to perform JRE updates for all business users at the same time, and, so, IT personal should choose the lesser of two evils: either some users should suffer or all users should stay with vulnerable JRE, moreover, sometimes I can’t understand what EMC is doing (see also: Dumb UCF applet, Dumb UCF applet. Part II, UCF applet’s certificate expired… ORLY?)

Solution

At first we need to understand what files EMC changes from one point fix to another (it’s very simple for me because I download every new pointfix to check that EMC still not fixed 30 security issues ). Typically they change wdk/system/ucfinit.jar and wdk/fileselector/fileSelector.jar files, but ucfinit.jar contains checksums for some files in wdk/contentXfer directory, so, ucfinit.jar file in general is not interchangeable between point fixes. Major changes in webtop 6.7SP2 was (actually I double checked 1.7_45 and 1.7_25 versions I can certainly say that patch notes lie: for both versions it’s required to relax security settings to get working UCF):

  • P11 – JRE1.7_51 support
  • P07 – JRE1.7_45 support
  • P05 – JRE1.7_25 support
  • P02 – JRE1.7_21 support

that means that following filesets are consistent:

  • wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P11 for JRE1.7_51
  • wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P10 for JRE1.7_45
  • wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P06 for JRE1.7_25
  • wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P04 for JRE1.7_21

for filesets 2-4 I created following structure inside wdk directory:

JRE17_21  
├── contentXfer  
│  ├── All-MB.jar  
│  ├── ES1_MRE.exe  
│  ├── ExJNIAPI.dll  
│  ├── ExJNIAPIGateway.jar  
│  ├── jacob.dll  
│  ├── jacob.jar  
│  ├── libMacOSXForkerIO.jnilib  
│  ├── MacOSXForker.jar  
│  ├── mac_utilities.jar  
│  ├── ucf-ca-office-auto.jar  
│  ├── ucf-client-installer.zip  
│  └── UCFWin32JNI.dll  
├── fileselector  
│  └── fileSelector.jar  
└── system  
    └── ucfinit.jar  
  
JRE17_25  
├── contentXfer  
│  ├── All-MB.jar  
│  ├── ES1_MRE.exe  
│  ├── ExJNIAPI.dll  
│  ├── ExJNIAPIGateway.jar  
│  ├── jacob.dll  
│  ├── jacob.jar  
│  ├── libMacOSXForkerIO.jnilib  
│  ├── MacOSXForker.jar  
│  ├── mac_utilities.jar  
│  ├── ucf-ca-office-auto.jar  
│  ├── ucf-client-installer.zip  
│  └── UCFWin32JNI.dll  
├── fileselector  
│  └── fileSelector.jar  
└── system  
    └── ucfinit.jar  
  
JRE17_45  
├── contentXfer  
│  ├── All-MB.jar  
│  ├── ES1_MRE.exe  
│  ├── ExJNIAPI.dll  
│  ├── ExJNIAPIGateway.jar  
│  ├── jacob.dll  
│  ├── jacob.jar  
│  ├── libMacOSXForkerIO.jnilib  
│  ├── MacOSXForker.jar  
│  ├── mac_utilities.jar  
│  ├── ucf-ca-office-auto.jar  
│  ├── ucf-client-installer.zip  
│  └── UCFWin32JNI.dll  
├── fileselector  
│  └── fileSelector.jar  
└── system  
    └── ucfinit.jar

then I put urlrewritefilter-4.0.3.jar (http://tuckey.org/urlrewrite/) into WEB-INF/lib directory and added following lines to web.xml:

<filter>  
    <filter-name>UrlRewriteFilter</filter-name>  
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>  
    <init-param>  
        <param-name>modRewriteConf</param-name>  
        <param-value>true</param-value>  
    </init-param>  
</filter>  
  
<filter-mapping>  
    <filter-name>UrlRewriteFilter</filter-name>  
    <url-pattern>/*</url-pattern>  
    <dispatcher>REQUEST</dispatcher>  
    <dispatcher>FORWARD</dispatcher>  
</filter-mapping>

and finally put following .htaccess file into WEB-INF directory:

RewriteCond  %{HTTP_USER_AGENT}  Java/1\.7\.0_21  
RewriteRule  ^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar|fileselector/fileSelector\.jar|contentXfer/(All-MB\.jar|ES1_MRE\.exe|ExJNIAPI\.dll|ExJNIAPIGateway\.jar|jacob\.dll|jacob\.jar|libMacOSXForkerIO\.jnilib|libUCFLinuxGNOME\.so|libUCFLinuxJNI\.so|libUCFLinuxKDE\.so|libUCFSolarisGNOME\.so|libUCFSolarisJNI\.so|MacOSXForker\.jar|mac_utilities\.jar|ucf-ca-office-auto\.jar|ucf-client-installer\.zip|UCFWin32JNI\.dll))$  /wdk/JRE17_21/$2  [PT,L]  
      
RewriteCond  %{HTTP_USER_AGENT}  Java/1\.7\.0_25
RewriteRule  ^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar|fileselector/fileSelector\.jar|contentXfer/(All-MB\.jar|ES1_MRE\.exe|ExJNIAPI\.dll|ExJNIAPIGateway\.jar|jacob\.dll|jacob\.jar|libMacOSXForkerIO\.jnilib|libUCFLinuxGNOME\.so|libUCFLinuxJNI\.so|libUCFLinuxKDE\.so|libUCFSolarisGNOME\.so|libUCFSolarisJNI\.so|MacOSXForker\.jar|mac_utilities\.jar|ucf-ca-office-auto\.jar|ucf-client-installer\.zip|UCFWin32JNI\.dll))$  /wdk/JRE17_25/$2  [PT,L]
      
RewriteCond  %{HTTP_USER_AGENT}  Java/1\.7\.0_45
RewriteRule  ^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar|fileselector/fileSelector\.jar|contentXfer/(All-MB\.jar|ES1_MRE\.exe|ExJNIAPI\.dll|ExJNIAPIGateway\.jar|jacob\.dll|jacob\.jar|libMacOSXForkerIO\.jnilib|libUCFLinuxGNOME\.so|libUCFLinuxJNI\.so|libUCFLinuxKDE\.so|libUCFSolarisGNOME\.so|libUCFSolarisJNI\.so|MacOSXForker\.jar|mac_utilities\.jar|ucf-ca-office-auto\.jar|ucf-client-installer\.zip|UCFWin32JNI\.dll))$  /wdk/JRE17_45/$2  [PT,L]

And now I have webtop build that is compatible with four JRE security baselines, what about yours?!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s