- Bug
- Resolution: Cannot Reproduce
- P3
- 7
- x86
- windows_7
FULL PRODUCT VERSION :
java version "1.7.0"
Java(TM) SE Runtime Environment (build 1.7.0-b147)
Java HotSpot(TM) 64-Bit Server VM (build 21.0-b17, mixed mode)
--
ADDITIONAL OS VERSION INFORMATION :
Windows 7 Enterprise SP1 64
A DESCRIPTION OF THE PROBLEM :
First, this application and all its libraries are signed with the same certificate.
This might be related to the latest code with security checks in webstart and/or the cache system... or something related.
Application and its libraries pass webstart validation and the application can run if the cache was empty the first time (on installation).
If you update the jar files (in my case I just change their date to force a re-download) then webstart cries about "unsafe components" and security concerns.
It seems that webstart is more permissive if you use the html link to the jnlp file to start the application. The problem seems to be more present when using the created desktop shortcut on the desktop.
REGRESSION. Last worked in version 6u26
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Download the website I rared here : http://dl.dropbox.com/u/8898033/ORACLE/wwwroot.rar
This is a simple IIS website, with a jnlp file (don't forget the JNLP mime type in IIS).
You can use index.html file in the jte4\ directory. All the app files are in jte4\pc\, including the pc.jnlp file.
Using the browser, click on the PC icon that points to the pc.jnlp file.
The application will download and run. (You will get an error as a database is missing, but this is ok, we don't need to go farther).
Drag the main application jar files (pc.jar, pc.jar.pack.gz) to touch.exe so we update their timestamps.
Click the desktop icon for the application. Webstart will re-download the jar files and cry about security issues... but these are the same files as our first start.
If you don't use the desktop shortcut and use the browser again, this could work again.
Additional notes & screenshots in this word document : http://dl.dropbox.com/u/8898033/ORACLE/Notes.doc
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application Update (jar download, verification from webstart) and application start without problems / messages. Like in Java 6... or the first time you try this under Java 7.
ACTUAL -
Inconsistent results with the update of a java webstart application's files
(Security validation of the jar files and all that security that is now even more in our way...)
Regression since Java 6.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.SecurityException: sandboxed loader attempted to load trusted resource from http://martinm.jovaco.ca/jte4/pc/libs/bcprov.jar
    at com.sun.deploy.security.CPCallbackHandler$ParentElement.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Unknown Source)
    at java.lang.Class.getMethod0(Unknown Source)
    at java.lang.Class.getMethod(Unknown Source)
    at com.sun.javaws.Launcher.executeApplication(Unknown Source)
    at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
    at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
    at com.sun.javaws.Launcher.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced often.
---------- BEGIN SOURCE ----------
I will re-link the files here:
website / jar files :
http://dl.dropbox.com/u/8898033/ORACLE/wwwroot.rar
Additional notes and screenshots :
http://dl.dropbox.com/u/8898033/ORACLE/Notes.doc
Sorry to not have a smaller example, but maybe those specific jar files are part of the problem? I got such inconsistent results that I don't even want to try to understand...
(Let's just say that I saw other security dialogs when I ran under java 7 and an old webstart cache).
If you need help reproducing the problem, don't hesitate to contact me by email.
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Clearing the webstart cache, maybe not using the javaws created application desktop shortcut.