My customer develops an online banking application for a major german bank. Since upgrading to 1.4.2_10 (where the fix to bug 5098318 is included), their online application JAR file is no longer cached. This results in a massive delay for customers when they attempt to login, as the whole JAR file is downloaded every time a login takes place.
From speaking with Mala Bankal, he believes that the fix for bug id 5098318 to be the cause for this problem.
From the original bug, we have:
Thus, JCE framework would access caller codebase as well as
several other jars in order to determine the allowed crypto
strength. The accesses are through JarURLConnection and caching
is on *by default*. The current JarURLConnection impl does
not seem to allow its callers to purge or delete the cached
Will have to disable caching unless the current JarURLConnection
impl can be fixed/enhanced to support the file purging.
As the disablement of this cache is now causing problems, would it be possible to
fix the JarURLConnection implementation, so that the cipher code correctly obeys
the caching status as set by setUseCaches?