Bug
Resolution: Not an Issue
P3
7u21, 7u25
linux
FULL PRODUCT VERSION :
jdk1.7.0_25, also tested with 7u21 (the same behavior)
ADDITIONAL OS VERSION INFORMATION :
Debian 6.0.7, kernel 2.6.32-5-amd64; however, due to the nature of observed behavior, other platforms are likely to be affected
EXTRA RELEVANT SYSTEM CONFIGURATION :
Firefox 21 (amd64)
A DESCRIPTION OF THE PROBLEM :
Since 7u21, the setting deployment.security.askgrantdialog.notinca=false is ignored: the user is asked to grant permission to a self-signed (or signed, but untrusted) applet, and after multi-click he/she can elevate such an applet. (The Security level on the Security tab is set to High - default.)
Also, since 7u21, in the Java control panel, neither the setting "Enable granting elevated access to self-signed apps" (as appears in 7u17) nor "Allow user to grant permissions to content from an untrusted authority" (7u7) is present (hope both checkboxes are only different wording between versions for the same setting - notinca).
Although in com.sun.deploy.security.TrustDecider the setting ...notinca is still honored, maybe changes to security logic introduced in 7u21 pushed the test for this setting to some dead branch.
Before 7u21, with notinca=false, the user cannot elevate a signed_but_unverifiable applet.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Leave setting on Security tab set to High (default) and set deployment.security.askgrantdialog.notinca to false (or do it using Java control panel 7u17 or earlier).
2) Register JRE 7u21 or 25 in browser.
3) Open a page with an applet that is signed but whose signature is not trusted.
4) Java asks for granting permission to the applet from "UNKNOWN" (yellow triangle). You can click "I accept..." and then "Run" and the applet launches elevated.
5) Register JRE 7u17 in browser.
6) Repeat step 3.
7) Java issues a "red stop" dialog with CertificateException: Your security configuration will not allow granting permission to self signed certificates.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Versions after 7u17 should honor setting deployment.security.askgrantdialog.notinca the same way as in versions up to 7u17.
ACTUAL -
see step 4 in the steps above
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
In Java control panel, on Security tab, set Security level to Very high. However, this setting also blocks running unsigned applets in sandbox.
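For administrators who rely on notinca=false, the following added example (not part of the original report and not Oracle code) classifies a host from its deployment.properties text and JRE 7 update number, following the behavior the report describes. The key name `deployment.security.level` and its `VERY_HIGH` value do not appear on this page and are assumed from Oracle's deployment configuration documentation; the function names and sample input are constructed.

```python
import re

NOTINCA = "deployment.security.askgrantdialog.notinca"  # key named in the report
LEVEL = "deployment.security.level"  # assumed key name, not given on this page

# key, then '=', ':' or whitespace as separator, then the value;
# lines starting with '#' or '!' are comments in the .properties format
_LINE = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*[=:\s]\s*(.*?)\s*$")

# Constructed sample input, not taken from a real host.
SAMPLE = (
    "#deployment.properties (constructed sample)\n"
    "deployment.security.askgrantdialog.notinca = false\n"
)


def parse_properties(text):
    """Parse simple key/value lines (line continuations are not handled)."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)  # a later duplicate key wins
    return props


def audit(text, jre7_update):
    """Return (verdict, reason) for one host, per the report's observations."""
    props = parse_properties(text)
    notinca = props.get(NOTINCA, "").lower()
    level = props.get(LEVEL, "HIGH").upper()  # the report calls High the default
    if notinca != "false":
        return ("not-configured", "notinca is not set to false")
    if level == "VERY_HIGH":
        return ("blocked-by-level",
                "Very High workaround in effect; unsigned sandbox applets are blocked too")
    if jre7_update >= 21:
        return ("prompt-still-shown",
                "report: 7u21 and 7u25 show the grant prompt despite notinca=false")
    return ("honored", "report: 7u17 refuses the grant for untrusted signatures")


if __name__ == "__main__":
    for update in (17, 21, 25):
        print("7u%d" % update, audit(SAMPLE, update))
```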