P2
An unsigned Java Web Start application is blocked, if the app is started via the browser,
even if a DRS rule is configured,
The behaviour is strictly reproducible.
(0) Setup
-------------
The following application was used:
http://digitalimagecorp.de/software/entscheidungsfinder/entscheidungsfinder.jnlp
Firefox browsers (35.0 and 37.0.2) were being used.
32-bit Java SE 7 Update 80 was installed.
32-bit Java SE 8 Update 45 was installed additionally.
The deployment rule set looks like follows:
% more ruleset.xml
<ruleset version="1.0+">
<rule>
<id location="*.digitalimagecorp.de" />
<action permission="run" version="1.7*" />
</rule>
</ruleset>
(1) no DRS file
---------------------
Using no DRS file gives the following expected behaviour:
application is blocked - all fine
see file 'no-drs-001.png'
(2) signed DRS
----------------------
Using Oracle's code signing certificate to sign the DRS file, starts up the application
in the expected way - all fine
see file 'drs-signed-002.png'
(3) self-signed DRS
----------------------------
Using a self-signed DRS file, yields the following expected message:
all fine
see file 'drs-self-signed-003.png'
(4) self-certificate added to cacerts
--------------------------------------------------
Adding the self-certificate into the JRE's cacerts file, shows the 'application blocked' dialogue.
This is unexpected behaviour.
The Java Deployment cache was cleared before.
see file 'drs-self-signed-004.png'
It appears as if the security checks have higher priority than the DRS rules, if the DRS file is self-signed.
This is not the case, if the DRS file is signed by an official code-signing certificate.
(5) start via command line
-------------------------------------
Starting the Java Web Start application via command-line works fine.
javaws http://digitalimagecorp.de/software/entscheidungsfinder/entscheidungsfinder.jnlp
see file 'drs-self-signed-command-005.png'
even if a DRS rule is configured,
The behaviour is strictly reproducible.
(0) Setup
-------------
The following application was used:
http://digitalimagecorp.de/software/entscheidungsfinder/entscheidungsfinder.jnlp
Firefox browsers (35.0 and 37.0.2) were being used.
32-bit Java SE 7 Update 80 was installed.
32-bit Java SE 8 Update 45 was installed additionally.
The deployment rule set looks like follows:
% more ruleset.xml
<ruleset version="1.0+">
<rule>
<id location="*.digitalimagecorp.de" />
<action permission="run" version="1.7*" />
</rule>
</ruleset>
(1) no DRS file
---------------------
Using no DRS file gives the following expected behaviour:
application is blocked - all fine
see file 'no-drs-001.png'
(2) signed DRS
----------------------
Using Oracle's code signing certificate to sign the DRS file, starts up the application
in the expected way - all fine
see file 'drs-signed-002.png'
(3) self-signed DRS
----------------------------
Using a self-signed DRS file, yields the following expected message:
all fine
see file 'drs-self-signed-003.png'
(4) self-certificate added to cacerts
--------------------------------------------------
Adding the self-certificate into the JRE's cacerts file, shows the 'application blocked' dialogue.
This is unexpected behaviour.
The Java Deployment cache was cleared before.
see file 'drs-self-signed-004.png'
It appears as if the security checks have higher priority than the DRS rules, if the DRS file is self-signed.
This is not the case, if the DRS file is signed by an official code-signing certificate.
(5) start via command line
-------------------------------------
Starting the Java Web Start application via command-line works fine.
javaws http://digitalimagecorp.de/software/entscheidungsfinder/entscheidungsfinder.jnlp
see file 'drs-self-signed-command-005.png'
