Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8032927

JNLP Information Title Tag can override Application-Name manifest attribute

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P3 P3
    • 8u40
    • 7u51
    • docs
    • windows_7

      FULL PRODUCT VERSION :
      java version "1.7.0_51"
      Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Windows 7 Enterprise SP1

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      JRE 7u51

      A DESCRIPTION OF THE PROBLEM :
      http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#app_name

        states:

      Application-Name Attribute
      The Application-Name attribute is used in security prompts to provide a title for your signed RIA. Use of this attribute is recommended to help users make the decision to trust and run the RIA. The value can be any valid string, for example:

      Application-Name: Hello World
      If the Application-Name attribute is not present in the JAR file manifest, a warning is written to the Java Console and the value for the Main-Class attribute is used. If neither attribute is present in the manifest, no title is shown in the security prompts. Titles are not shown for unsigned RIAs.

      ---------------------------------------------------------------------------

      And

      http://docs.oracle.com/javase/7/docs/technotes/guides/javaws/developersguide/syntax.html#information

        states

      title element: The name of the application.

      -------------------------------------------------------------------

      However, if a signed copy or application template for the JNLP is present in the JAR for the JNLP used to deploy the JAR, that value overrides any value specified by the manifest attribute.

      At a minimum, the documentation should be fixed to reflect the fact the RIA title can come from an additional source -- especially since a signed JNLP supercedes the Application-Name in the manifest.

      But more strictly -- shouldn't it be flagged as a potential security issue if the JNLP information title tag (signed or not) does not agree with the Application-Name manifest attribute?

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Create a signed jar with an Application-Name manifest entry
      - Deploy it with a JNLP for which there is a signed copy or template in the JAR (https://blogs.oracle.com/thejavatutorials/entry/signing_jar_files_with_a or Section 5.4.1 of the JNLP spec), and set the information title tag to something different than the Application-Name.
      - Load the applet in a web page and note that the RIA security prompt displays the JNLP value, not the manifest value.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      One of:

      1) JNLP title is ignored in favor of Application-Name manifest attribute,
      2) Documentation is updated,
      3) No name is displayed because there is a conflict,
      4) A security alert is noted of the conflict
      ACTUAL -
      If JNLP is signed, its title is accepted, otherwise the signed Application-Name manifest attribute is accepted.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      No workaround.

            jgordon Joni Gordon (Inactive)
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: