Bug
Resolution: Won't Fix
P4
None
6
generic
generic
Tested_Java_Release : 1.5.0-beta2/1.5.0-beta
build/bundles : 1.5.0-beta2-b37/1.5.0-beta-b32c/latest PIT bundles
Tested_Java_Location :
/net/koori/onestop/jdk/1.5.0/latest/bundles
/net/sqesvr-nfs/global/nfs/deployment3/tiger/PIT_builds
Tested_Machine_Name : dnm-011/jitender
Tested O/S : winxp/win2k
Problem Description :
If the contents of a signed jar file are changed by any means at any point in time, it is supposed to throw a security exception. But the behavior has a kind of dependency on deployment.javapi.cache.enabled, as sometimes it does not throw any exception though it is supposed to. Contents of the jar files were altered
- using "jar -uvf"
- deleting some contents after opening it inside the text editor
Following steps are going to explain the scenarios tried in detail:
Steps to reproduce:
Created a jar file with two applet classes RSAApplet.class and RSAApplet2.class
RSAApplet - tries to create directory on the client machine
RSAApplet2 - Calling System.getProperty to get user_home and OS information
Sign the jar file (a Thawte certificate was used in this case)
Scenario I - Modifying the signed jar file inside the text editor:
1) Try to load both the applets one by one
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/security/RSAApplet2.html
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/security/RSAApplet.html
A security pop-up will appear; grant permissions (Yes) and the applets will load fine.
Check the plugin trace; it should be without any exceptions.
2) Open the jar file (testthawte.jar) in any text editor and delete something, say the entry RSAApplet2.classPK (end of jar file), from the jar file
3) Remove <dep_user_home>/cache directory
4) Disable cache by setting deployment.javapi.cache.enabled equal to "false" inside the <dep_user_home>/deployment.properties
Or
Java Control Panel > Settings (General tab) > View applets
The "Details Cache" window will pop up. Uncheck the "Enable Caching in Java Plug-in" checkbox (click OK on each window)
5) Try to load the applets
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted/RSAApplet.html
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted/RSAApplet2.html
Exception will be thrown :
java.lang.ClassNotFoundException: RSAApplet2.class
java.lang.ClassNotFoundException: RSAApplet.class
6) Turn the cache on by setting deployment.javapi.cache.enabled to true or by checking the option "Enable Caching in Java Plug-in" on the "Details Cache" window
7) Try to load the same applets again; this time they will work fine
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted/RSAApplet.html
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted/RSAApplet2.html
This behaviour is borrowed as it is from the normal jar file (not signed).
But since this is a signed jar file, a security exception should be thrown if the contents of the jar file are changed by any means, no matter how small the change is.
Scenario II - Modifying the class file inside the signed jar using jar -uvf :
In this case changes have been made to RSAApplet2.java and
testthawte.jar has been updated using
jar -uvf testthawte.jar RSAApplet2.class
1) Make sure that the cache is enabled and <dep_user_home>/cache is empty
Try to load the following applets one by one
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted1/RSAApplet.html
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted1/RSAApplet2.html
- java.lang.SecurityException: SHA1 digest error for RSAApplet2.class will get thrown while loading both the applets
2) disable the cache and make sure that <dep_user_home>/cache is empty
Try to load the following applets one by one
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted1/RSAApplet.html
- Will get loaded fine without throwing any security exception
http://sqeweb.sfbay.sun.com/deployment2/jitu/plug-bug/corrupted1/RSAApplet2.html
- java.lang.SecurityException: SHA1 digest error for RSAApplet2.class will get thrown
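
Added example (not part of the original report or of the JDK): in Scenario II, loading only RSAApplet with the cache off raised nothing although RSAApplet2.class had been replaced, so this sketch audits every entry of an archive against its manifest SHA1-Digest up front instead of relying on which class happens to be loaded. The function names and the stand-in class bytes are hypothetical, and the check covers manifest digests only; it does not validate the signature over the manifest.

```python
import base64, hashlib, io, zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest from the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def audit_jar(data):
    """Check every entry up front; return {entry name: problem}."""
    problems = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        listed = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        present = {n for n in jar.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")}
        for name, expected in listed.items():
            if name not in present:
                problems[name] = "missing"            # listed entry was removed
            elif sha1_b64(jar.read(name)) != expected:
                problems[name] = "digest mismatch"    # entry bytes were replaced
        for name in present - set(listed):
            problems[name] = "not in manifest"        # entry added after signing
    return problems

# Constructed sample data: stand-in bytes, not real class files.
ORIGINAL = {"RSAApplet.class": b"applet one", "RSAApplet2.class": b"applet two"}

def build_jar(contents):
    """Archive holding `contents`, with a manifest that digests ORIGINAL."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (n, sha1_b64(b))
        for n, b in ORIGINAL.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in contents.items():
            jar.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    replaced = {**ORIGINAL, "RSAApplet2.class": b"changed"}
    print(audit_jar(build_jar(ORIGINAL)))   # untouched archive
    print(audit_jar(build_jar(replaced)))   # one class replaced after digesting
```
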