JDK-8032927

JNLP Information Title Tag can override Application-Name manifest attribute

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • Fix Version: 8u40
    • Affects Version: 7u51
    • Component: docs
    • OS: windows_7

    Description

      FULL PRODUCT VERSION :
      java version "1.7.0_51"
      Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Windows 7 Enterprise SP1

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      JRE 7u51

      A DESCRIPTION OF THE PROBLEM :
      http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#app_name

        states:

      Application-Name Attribute
      The Application-Name attribute is used in security prompts to provide a title for your signed RIA. Use of this attribute is recommended to help users make the decision to trust and run the RIA. The value can be any valid string, for example:

      Application-Name: Hello World
      If the Application-Name attribute is not present in the JAR file manifest, a warning is written to the Java Console and the value for the Main-Class attribute is used. If neither attribute is present in the manifest, no title is shown in the security prompts. Titles are not shown for unsigned RIAs.

      ---------------------------------------------------------------------------

      And

      http://docs.oracle.com/javase/7/docs/technotes/guides/javaws/developersguide/syntax.html#information

        states

      title element: The name of the application.

      -------------------------------------------------------------------

      However, if a signed copy or application template for the JNLP is present in the JAR for the JNLP used to deploy the JAR, that value overrides any value specified by the manifest attribute.

      At a minimum, the documentation should be fixed to reflect the fact the RIA title can come from an additional source -- especially since a signed JNLP supersedes the Application-Name in the manifest.

      But more strictly -- shouldn't it be flagged as a potential security issue if the JNLP information title tag (signed or not) does not agree with the Application-Name manifest attribute?

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Create a signed jar with an Application-Name manifest entry
      - Deploy it with a JNLP for which there is a signed copy or template in the JAR (https://blogs.oracle.com/thejavatutorials/entry/signing_jar_files_with_a or Section 5.4.1 of the JNLP spec), and set the information title tag to something different than the Application-Name.
      - Load the applet in a web page and note that the RIA security prompt displays the JNLP value, not the manifest value.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      One of:

      1) JNLP title is ignored in favor of Application-Name manifest attribute,
      2) Documentation is updated,
      3) No name is displayed because there is a conflict,
      4) A security alert is noted of the conflict
      ACTUAL -
      If JNLP is signed, its title is accepted, otherwise the signed Application-Name manifest attribute is accepted.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      No workaround.

          People

            jgordon Joni Gordon (Inactive)
            webbuggrp Webbug Group
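A pre-release check for the mismatch this report describes, as an added example that is not part of the original report or of the JDK: it compares the manifest's Application-Name with every information title in a JNLP copy or template embedded in the JAR. The entry names under JNLP-INF/, the treatment of "*" as a template wildcard, and all function names are assumptions of this example; the sample JAR is constructed and unsigned, and the stock XML parser is used on the assumption that you audit JARs you built yourself.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed entry names for the signed JNLP copy and the signed JNLP template.
JNLP_ENTRIES = ("JNLP-INF/APPLICATION.JNLP", "JNLP-INF/APPLICATION_TEMPLATE.JNLP")

def manifest_main_attrs(data):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    attrs, key = {}, None
    for line in data.decode("utf-8").splitlines():
        if not line:                      # a blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous value
            attrs[key] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            key = name.strip().lower()    # attribute names are case-insensitive
            attrs[key] = value.lstrip()
    return attrs

def title_conflicts(jar):
    """Return (entry, jnlp_title, application_name) for every mismatching title."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        attrs = manifest_main_attrs(zf.read("META-INF/MANIFEST.MF"))
        app_name = attrs.get("application-name", "").strip()
        for entry in JNLP_ENTRIES:
            if entry not in zf.namelist():
                continue
            # A JNLP file may carry several <information> blocks (one per locale).
            for el in ET.fromstring(zf.read(entry)).findall("information/title"):
                title = (el.text or "").strip()
                if title != "*" and title != app_name:  # "*": assumed template wildcard
                    findings.append((entry, title, app_name))
    return findings

def build_sample_jar(app_name, title):
    """Constructed input: an in-memory, unsigned JAR-shaped zip for illustration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nApplication-Name: {app_name}\r\n\r\n")
        zf.writestr("JNLP-INF/APPLICATION.JNLP",
                    f"<jnlp><information><title>{title}</title></information></jnlp>")
    return buf

if __name__ == "__main__":
    for row in title_conflicts(build_sample_jar("Hello World", "Different Title")):
        print("title mismatch in %s: JNLP=%r manifest=%r" % row)
```

Run against the JAR before signing and fail the build on any finding, so the title shown in the security prompt always matches the manifest.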