-
Bug
-
Resolution: Duplicate
-
P4
-
None
-
9
-
x86_64
-
windows_7
FULL PRODUCT VERSION :
java version "9-ea"
Java(TM) SE Runtime Environment (build 9-ea+127)
Java HotSpot(TM) Server VM (build 9-ea+127, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
The property deployment.javaws.secure.properties as specified in the user-level or system-level deployment.properties file allows a local administrator to specify VM properties that are trusted. Except when it doesn't work.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create, sign and deploy a small web start application which accesses a system property considered insecure by default. Only sign the JAR file, not the JNLP file.
2. If there is a local DeploymentRuleSet.jar, remove or rename it so that it is not taken into account
3. Add the deployment site to the exception site list (Java Control Panel->Web Settings->Exception site list) to all the application to run
4. Add the line
deployment.javaws.secure.properties=my.secure.property
to the user-level or system-level deployment.properties file as detailed in
https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/properties.html
4. Launch the web start application
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The application should print "badaboom"
ACTUAL -
The application displays some debug text and prints "null"
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Insecure property: (my.secure.property, badaboom) specified in unsigned jnlp file will not be set.
Missing Permissions manifest attribute in main jar: http://www.example.com/webstart/test.jar
null
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
test.jnlp
=======
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="6.0+" codebase="http://www.example.com/webstart" href="test.jnlp">
<information>
<title>Test app</title>
<vendor>Anon</vendor>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<update check="always" policy="always" />
<resources>
<j2se version="1.6+"/>
<jar href="test.jar" main="true"/>
<property name="my.secure.property" value="badaboom"/>
</resources>
<application-desc main-class="Toto"/>
</jnlp>
Toto.java
========
public class Toto {
public static void main(String... argv) throws Exception {
System.out.println(System.getProperty("my.secure.property"));
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Sign the JNLP file
java version "9-ea"
Java(TM) SE Runtime Environment (build 9-ea+127)
Java HotSpot(TM) Server VM (build 9-ea+127, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
The property deployment.javaws.secure.properties as specified in the user-level or system-level deployment.properties file allows a local administrator to specify VM properties that are trusted. Except when it doesn't work.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create, sign and deploy a small web start application which accesses a system property considered insecure by default. Only sign the JAR file, not the JNLP file.
2. If there is a local DeploymentRuleSet.jar, remove or rename it so that it is not taken into account
3. Add the deployment site to the exception site list (Java Control Panel->Web Settings->Exception site list) to all the application to run
4. Add the line
deployment.javaws.secure.properties=my.secure.property
to the user-level or system-level deployment.properties file as detailed in
https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/properties.html
4. Launch the web start application
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The application should print "badaboom"
ACTUAL -
The application displays some debug text and prints "null"
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Insecure property: (my.secure.property, badaboom) specified in unsigned jnlp file will not be set.
Missing Permissions manifest attribute in main jar: http://www.example.com/webstart/test.jar
null
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
test.jnlp
=======
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="6.0+" codebase="http://www.example.com/webstart" href="test.jnlp">
<information>
<title>Test app</title>
<vendor>Anon</vendor>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<update check="always" policy="always" />
<resources>
<j2se version="1.6+"/>
<jar href="test.jar" main="true"/>
<property name="my.secure.property" value="badaboom"/>
</resources>
<application-desc main-class="Toto"/>
</jnlp>
Toto.java
========
public class Toto {
public static void main(String... argv) throws Exception {
System.out.println(System.getProperty("my.secure.property"));
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Sign the JNLP file
- duplicates
-
-
- Closed
-