-
Bug
-
Resolution: Not an Issue
-
P3
-
6u20
-
x86
-
windows_xp
Beginning with Java SE 6 Update 19 a concept of gradual security options
for using with mixed signed and unsigned code was introduced into Java SE.
The documentation can be found in
http://java.sun.com/javase/6/docs/technotes/guides/jweb/mixed_code.html
In chapter "Mixed Code Protection Options for Users" 4 different
options are described in order to manage stringency of the security
options.
deployment.security.mixcode=ENABLE | HIDE_RUN | HIDE_CANCEL | DISABLE
The option "deployment.security.mixcode=DISABLE" is supposed to
"completely disable the software from checking for mixing trusted
and untrusted code, leaving the user to run potentially unsafe code
with no warning and without the additional protections.".
This does not appear to work for Java Web Start applications.
The security dialog is left unchanged, when using property
"deployment.security.mixcode=DISABLE" in the file
"deployment.properties".
The security dialog looks like:
----------------------------------------------------------------
Warning - Security
! The application's digital signature cannot be verified.
Do you want to run the application ?
Run Cancel
! Part of the application is missing a digital signature.
Only run, if you trust the origin of the application.
----------------------
More information...
! The application will be run without the security restrictions
normally provided by Java.
! Although the application has a digital signature, the application's
associated file(JNLP) does not have one. A digital signature
ensures that the file is from the vendor and that it has not
been altered.
i Caution: "GCS" asserts that the application is "safe". You should
only run this application if you trust "GCS" to make that assertion.
i The digital signature was generated with a trusted certificate.
----------------------------------------------------------------
for using with mixed signed and unsigned code was introduced into Java SE.
The documentation can be found in
http://java.sun.com/javase/6/docs/technotes/guides/jweb/mixed_code.html
In chapter "Mixed Code Protection Options for Users" 4 different
options are described in order to manage stringency of the security
options.
deployment.security.mixcode=ENABLE | HIDE_RUN | HIDE_CANCEL | DISABLE
The option "deployment.security.mixcode=DISABLE" is supposed to
"completely disable the software from checking for mixing trusted
and untrusted code, leaving the user to run potentially unsafe code
with no warning and without the additional protections.".
This does not appear to work for Java Web Start applications.
The security dialog is left unchanged, when using property
"deployment.security.mixcode=DISABLE" in the file
"deployment.properties".
The security dialog looks like:
----------------------------------------------------------------
Warning - Security
! The application's digital signature cannot be verified.
Do you want to run the application ?
Run Cancel
! Part of the application is missing a digital signature.
Only run, if you trust the origin of the application.
----------------------
More information...
! The application will be run without the security restrictions
normally provided by Java.
! Although the application has a digital signature, the application's
associated file(JNLP) does not have one. A digital signature
ensures that the file is from the vendor and that it has not
been altered.
i Caution: "GCS" asserts that the application is "safe". You should
only run this application if you trust "GCS" to make that assertion.
i The digital signature was generated with a trusted certificate.
----------------------------------------------------------------