-
Bug
-
Resolution: Cannot Reproduce
-
P3
-
7u51
-
windows_7
FULL PRODUCT VERSION :
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
Mac OS X 10.8
A DESCRIPTION OF THE PROBLEM :
This error occurs when launching a signed JWS application from a secure web site.
In a JNLP file, if the <jnlp> tag does not include the (optional) "href" attribute, JWS displays the message "Application Blocked by Security Settings."
This message is displayed even when the security settings slider is set to Medium, and the Exception Site List contains the URL of the site from where the signed application is launched.
Please assume that all other security items are correct:
The jar is signed using a real certificate.
The Manifest contains the necessary items of Permissions, Codebase, Application-name, and Application-Library-Allowable-Codebase.
The permissions in the JNLP file match the signed jar.
This bug affects users who dynamically generate JNLP files, and no static JNLP files exist on the server.
REGRESSION. Last worked in version 7u45
ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Prepare a signed application (jar) to be launched using JWS.
2. Prepare the JNLP file to launch the application.
3. In the <jnlp> tag of the JNLP file, DO NOT include href for the JNLP file.
4. The security can be either sandbox or all-permissions.
5. Confirm that all security information in the jar's Manifest is correct, and matches the JNLP file.
6. Launch the application in the standard manner with a link to the JNLP file. In my case, I am launching from a secure web site.
7. Click past the message to allow the web site.
8. At this point JWS displays the "Application Blocked" message.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The application should run normally.
ACTUAL -
JWS displays the "Application Blocked" message.
JWS prevents the application from running, regardless of the security settings in the Java Control Panel.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Application Blocked by Security Settings.
The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import javax.swing.JOptionPane;
public class WebStartTest {
public WebStartTest() {}
public static void main(String args[])
{
JOptionPane.showMessageDialog(null, "Boo", "", JOptionPane.INFORMATION_MESSAGE);
System.exit(0);
}
}
-------------------------------------------------------------------
Info for the Manifest:
Permissions: sandbox
Codebase: (URL of jar)
Application-Name: WebStartTest
Application-Library-Allowable-Codebase: (URL of jar)
--------------------------------------------------------------------
The JNLP file:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="6.0+" codebase="(URL of jar)">
<information>
<title>WebStartTest</title>
<vendor>Name</vendor>
<description>Foo Bar</description>
</information>
<security>
<sandbox/>
</security>
<update check="always" policy="always"/>
<resources>
<j2se version="1.6+"/>
<j2se version="1.7+"/>
<jar href="(name of jar)" download="eager" main="true"/>
</resources>
<application-desc main-class="WebStartTest">
</application-desc>
<update check="background"/>
</jnlp>
</xml>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Revert back to JRE 7u45.
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
Mac OS X 10.8
A DESCRIPTION OF THE PROBLEM :
This error occurs when launching a signed JWS application from a secure web site.
In a JNLP file, if the <jnlp> tag does not include the (optional) "href" attribute, JWS displays the message "Application Blocked by Security Settings."
This message is displayed even when the security settings slider is set to Medium, and the Exception Site List contains the URL of the site from where the signed application is launched.
Please assume that all other security items are correct:
The jar is signed using a real certificate.
The Manifest contains the necessary items of Permissions, Codebase, Application-name, and Application-Library-Allowable-Codebase.
The permissions in the JNLP file match the signed jar.
This bug affects users who dynamically generate JNLP files, and no static JNLP files exist on the server.
REGRESSION. Last worked in version 7u45
ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode, sharing)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Prepare a signed application (jar) to be launched using JWS.
2. Prepare the JNLP file to launch the application.
3. In the <jnlp> tag of the JNLP file, DO NOT include href for the JNLP file.
4. The security can be either sandbox or all-permissions.
5. Confirm that all security information in the jar's Manifest is correct, and matches the JNLP file.
6. Launch the application in the standard manner with a link to the JNLP file. In my case, I am launching from a secure web site.
7. Click past the message to allow the web site.
8. At this point JWS displays the "Application Blocked" message.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The application should run normally.
ACTUAL -
JWS displays the "Application Blocked" message.
JWS prevents the application from running, regardless of the security settings in the Java Control Panel.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Application Blocked by Security Settings.
The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import javax.swing.JOptionPane;
public class WebStartTest {
public WebStartTest() {}
public static void main(String args[])
{
JOptionPane.showMessageDialog(null, "Boo", "", JOptionPane.INFORMATION_MESSAGE);
System.exit(0);
}
}
-------------------------------------------------------------------
Info for the Manifest:
Permissions: sandbox
Codebase: (URL of jar)
Application-Name: WebStartTest
Application-Library-Allowable-Codebase: (URL of jar)
--------------------------------------------------------------------
The JNLP file:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="6.0+" codebase="(URL of jar)">
<information>
<title>WebStartTest</title>
<vendor>Name</vendor>
<description>Foo Bar</description>
</information>
<security>
<sandbox/>
</security>
<update check="always" policy="always"/>
<resources>
<j2se version="1.6+"/>
<j2se version="1.7+"/>
<jar href="(name of jar)" download="eager" main="true"/>
</resources>
<application-desc main-class="WebStartTest">
</application-desc>
<update check="background"/>
</jnlp>
</xml>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Revert back to JRE 7u45.