-
Enhancement
-
Resolution: Duplicate
-
P3
-
6
-
generic
-
generic
1.) Signed jnlp files are difficult to use because of the requirement that every field in the staged jnlp file exactly match every byte in the jnlp file in the signed jar. This prevents using JnlpServlet with (for example) $$codebase.
There should either be some wildcard specification so the jnlp file in the signed jar could express exactly what fields it requires to match, or some other change of rules such as requiring only that the jnlp file used match the fields that exist in the jnlp file in the jar.
2.) The specification says:
" The signed copy must be named: JNLP-INF/APPLICATION.JNLP. The APPLICATION.JNLP filename should be generated in upper case, but should be recognized in any case. "
the current code checks for any possible capitalization of JNLP-INF, which is not what the spec says
Making signed jnlp files easier to use would strengthen the security of signed content, preventing these signed jars from being used in (possible malicious) ways not envisioned by their developers and signers.
There should either be some wildcard specification so the jnlp file in the signed jar could express exactly what fields it requires to match, or some other change of rules such as requiring only that the jnlp file used match the fields that exist in the jnlp file in the jar.
2.) The specification says:
" The signed copy must be named: JNLP-INF/APPLICATION.JNLP. The APPLICATION.JNLP filename should be generated in upper case, but should be recognized in any case. "
the current code checks for any possible capitalization of JNLP-INF, which is not what the spec says
Making signed jnlp files easier to use would strengthen the security of signed content, preventing these signed jars from being used in (possible malicious) ways not envisioned by their developers and signers.
- duplicates
-
-
- Closed
-