Bug ID: JDK-6192555 JNLP "java-vm-args" should support bootclasspath

Type: Enhancement
Component: deploy
Sub-Component: webstart
Affected Version: 5.0

Priority: P4
Status: Closed
Resolution: Won't Fix
OS: windows_xp
CPU: x86

Submitted: 2004-11-09
Updated: 2010-04-02
Resolved: 2004-11-10

A DESCRIPTION OF THE REQUEST :
Signed JWS applications should allow a bootclasspath to be specified. This is allowed on non-JWS applications and since signed JWS application are considered to be as trusted as any non-JWS application, this option should be supported.

JUSTIFICATION :
The main justification for supporting bootclasspath is in order to allow JRE patches. There turn-around time between filing a JRE issue in BugParade and having it fixed is too risky for any business. Supporting bootclasspath in JWS applications will allow risk-mitigation. We know that at worst, we can patch the JRE outselves to get it out to our customers.

For example, right now I need to patch JPopupMenu because there is no other way to fix a problem in the code. I've tried subclassing and other creative methods for weeks and there is no other solution. Without JNLP supporting bootclasspath, I cannot deploy my patch to end-users.
###@###.### 2004-11-09 03:56:15 GMT

EVALUATION Java Web Start was not designed as a mechinism for delivering JRE patches. the description says: "Signed JWS applications should allow a bootclasspath to be specified." but that is really impossible. The proceedure to grant trust to code downloaded from the net is all done in java, and in the jre that that the code is run in. There is no way to know ahead of time, that code is properly signed, the signatures can be verified, and that the user will grant trust to the code based on that verification. Signed code downloaded by javawebstart is free to use Runtime.exec to launch java with any needed args, including modifying the bootclasspath or other non-secure vm-args. ###@###.### 2004-11-10 15:21:10 GMT

10-11-2004