- Bug
- Resolution: Fixed
- P3
- 6u10
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2198768 | 7 | Roman Kennke | P3 | Resolved | Fixed | b104 |
FULL PRODUCT VERSION :
java version "1.6.0_13"
Java(TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) Client VM (build 11.3-b02, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows Vista
EXTRA RELEVANT SYSTEM CONFIGURATION :
Microsoft Windows [Version 6.0.6001]
A DESCRIPTION OF THE PROBLEM :
The "javax.swing.defaultlf" property is not working and is causing security warnings under Java 1.6.0u10 and later when the JNLP file is verified.
As I understand this property, it should control the default l&f of Swing (I have not been able to find any documentation on this though).
This property is part of the list of "safe" properties that can be set in a JNLP file (as per Java 1.6).
Using only "safe" properties has recently gotten more important as Java 1.6.0u10 and later now posts an alert to the user warning her/him that the JNLP file cannot be verified if the JNLP file has not been signed and uses one of the non-"safe" properties (e.g. "swing.defaultlaf" to set the default look&feel).
My guess is that the problem is that the "javax.swing.defaultlf" property *really* should have been "swing.defaultlaf".
I have downloaded the Java, C, C++ code for Java 1.6 and searched for uses of the "javax.swing.defaultlf" property but can only find two instances:
In "com/sun/deploy/config/Config.java":
```java
// note - should be same list as in native: secure.c
private static final String DefaultSecureProperties [] = {
    "sun.java2d.noddraw",
    "javax.swing.defaultlf",
    "javaws.cfg.jauthenticator",
    "swing.useSystemFontSettings",
    "swing.metalTheme",
    "http.agent",
    "http.keepAlive",
    "sun.awt.noerasebackground",
    "sun.java2d.opengl",
    "sun.java2d.d3d",
    "java.awt.syncLWRequests",
    "java.awt.Window.locationByPlatform",
    "sun.awt.erasebackgroundonresize",
    "swing.noxp",
    "swing.boldMetal",
    "awt.useSystemAAFontSettings",
    "sun.java2d.dpiaware",
};
```
And in "deploy/src/javaws/share/native/secure.c"
```c
/*
 * SecurePropertyKeys is a list of keys that can be set in a jnlp file using
 * <property name="key" value="value" /> and we will pass on to the java
 * invocation as -Dkey=value
 */
static char *SecurePropertyKeys[] =
{
    "sun.java2d.noddraw",
    "javax.swing.defaultlf",
    "javaws.cfg.jauthenticator",
    "swing.useSystemFontSettings",
    "swing.metalTheme",
    "http.agent",
    "http.keepAlive",
    "sun.awt.noerasebackground",
    "sun.java2d.opengl",
    "sun.java2d.d3d",
    "java.awt.syncLWRequests",
    "java.awt.Window.locationByPlatform",
    "sun.awt.erasebackgroundonresize",
    "swing.noxp",
    "swing.boldMetal",
    "awt.useSystemAAFontSettings",
    "sun.java2d.dpiaware",
};
```
After looking at the code I suspect that the references to "javax.swing.defaultlf" are a misspelling. It should really have been "swing.defaultlaf".
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
a) Create a signed Java Web Start application that uses the "javax.swing.defaultlf" property to set the default look&feel through a <property ...> element.
b) Start the Java Web Start application
c) Note that Java Web Start warns about a security problem related to the JNLP file.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No security warning related to the JNLP file
ACTUAL -
Security warning related to the JNLP file
REPRODUCIBILITY :
This bug can be reproduced always.
Release Regression From : 6u7
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
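
An added example, not part of the original report or of the JDK sources: a Python check that lists the <property> names in a JNLP file and marks the ones missing from the secure-key list quoted in the report, with the closest listed key as a spelling hint. The sample JNLP, the function name audit_jnlp_properties and the 0.7 similarity cutoff are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from difflib import get_close_matches

# Keys copied from the two lists quoted in the report, including the
# suspect "javax.swing.defaultlf" entry exactly as it appears there.
SECURE_KEYS = (
    "sun.java2d.noddraw", "javax.swing.defaultlf",
    "javaws.cfg.jauthenticator", "swing.useSystemFontSettings",
    "swing.metalTheme", "http.agent", "http.keepAlive",
    "sun.awt.noerasebackground", "sun.java2d.opengl", "sun.java2d.d3d",
    "java.awt.syncLWRequests", "java.awt.Window.locationByPlatform",
    "sun.awt.erasebackgroundonresize", "swing.noxp", "swing.boldMetal",
    "awt.useSystemAAFontSettings", "sun.java2d.dpiaware",
)

# Constructed sample JNLP (not taken from the report).
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/app" href="app.jnlp">
  <resources>
    <j2se version="1.6+"/>
    <jar href="app.jar"/>
    <property name="swing.defaultlaf" value="javax.swing.plaf.metal.MetalLookAndFeel"/>
    <property name="swing.boldMetal" value="false"/>
    <property name="javax.swing.defaultlf" value="javax.swing.plaf.metal.MetalLookAndFeel"/>
  </resources>
</jnlp>"""


def audit_jnlp_properties(jnlp_text, secure_keys=SECURE_KEYS):
    """Return (name, on_secure_list, closest_listed_key) per <property>.
    The closest key is only a spelling hint (difflib ratio >= 0.7)."""
    # Standard-library parser; use a hardened XML parser for untrusted files.
    root = ET.fromstring(jnlp_text)
    findings = []
    for prop in root.iter("property"):
        name = prop.get("name", "")
        on_list = name in secure_keys  # exact, case-sensitive comparison
        hint = None
        if not on_list:
            near = get_close_matches(name, secure_keys, n=1, cutoff=0.7)
            hint = near[0] if near else None
        findings.append((name, on_list, hint))
    return findings


if __name__ == "__main__":
    for finding in audit_jnlp_properties(SAMPLE_JNLP):
        print(finding)
```

On the sample, "swing.defaultlaf" comes back as not listed with "javax.swing.defaultlf" as its closest listed key, which is the mismatch the report describes.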
- backported by
  - JDK-2198768 Problems with "javax.swing.defaultlf" property in Java 1.6.0u10 and later
  - Resolved