Bug
Resolution: Fixed
P3
6
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2148795 | 6u2 | Thomas Ng | P2 | Resolved | Fixed | b03 |
FULL PRODUCT VERSION :
1.6.0 (any build)
ADDITIONAL OS VERSION INFORMATION :
(any tested WinXP and Linux)
A DESCRIPTION OF THE PROBLEM :
The 1.6 plugin seems to ignore signed JAR files that don't contain ".jar" in their file name during the verification process of the JAR file certificates while the classloader manages to load any class from these archives. This behaviour is very confusing because both the 1.6 JDK tools and the previous plugin versions accept such files while there is no restriction made in the documentation/release notes of the 1.6 plugin.
This was working in both the 1.4 and 1.5 plugins.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
(1) Create a (J)Applet class that needs a signed context (e.g. by calling
'System.getProperty("user.home")' from inside the "init()" method)
(2) Compile it, put the class file(s) into a jar file and sign this jar file
(3) Create a HTML file containing an "applet" tag with this jar file in the "archive" path
(4) Open this file in the plugin/browser
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
- a security warning dialog pops up and asks for permission
- the applet succeeds to perform a restricted action after granting this permission
ACTUAL -
- no security dialog shows up
- the applet fails to do its task
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception reported: "AccessControlException: Permission denied: ..." due to a missing signed applet context.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Applet source code:
----------------------------------
import javax.swing.JApplet;

public class SecurityTest extends JApplet {
    public void init() {
        // Reading "user.home" needs a permission the unsigned applet sandbox does not grant
        System.getProperty("user.home");
    }
}
HTML source code:
-----------------------------------
<html><body>
<!-- "myJar" is the signed archive, deliberately named without a ".jar" ending -->
<applet code="SecurityTest.class" archive="myJar" width="200" height="50"></applet>
</body></html>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Don't use any JAR file in the "archive" path that doesn't end on ".jar".
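
The report notes that the JDK tools accept signed archives whatever their file name. As an added example (not code from this report or from the JDK sources), the check below uses `java.util.jar.JarFile` to confirm that every payload entry of an archive such as `myJar` carries a verified signer; the class name `SignedArchiveCheck` is hypothetical, and the check covers signature presence and integrity only, not whether the signing certificate is trusted.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedArchiveCheck {

    /** Returns true only if every non-META-INF entry has at least one verified signer. */
    static boolean isFullySigned(String path) throws IOException {
        // verify=true: verification is driven by the archive contents
        // (manifest and signature files), not by the file name or extension.
        try (JarFile jar = new JarFile(path, true)) {
            byte[] buf = new byte[8192];
            boolean sawPayload = false;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: skip directories and everything under META-INF/,
                // where the manifest and signature files themselves live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signers are only populated once the entry has been read to the end;
                // a digest mismatch makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) {
                        // drain the stream so the digest is checked
                    }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned class or resource inside the archive
                }
                sawPayload = true;
            }
            return sawPayload; // an archive with no payload entries is not "signed code"
        }
    }

    public static void main(String[] args) throws IOException {
        // "myJar" is the extension-less archive name used in the report's HTML.
        String path = args.length > 0 ? args[0] : "myJar";
        System.out.println(path + " fully signed: " + isFullySigned(path));
    }
}
```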
- backported by: JDK-2148795 Certificates of signed JAR files without file ending ".jar" are ignored (Resolved)
- duplicates: JDK-6534675 CacheEntry doesn't scan manifest entries unless file extension is ".jar" (Closed)