Bug ID: JDK-6519657 Certificates of signed JAR files without file ending ".jar" are ignored

Details
Type: Bug
Submit Date: 2007-01-31
Status: Closed
Updated Date: 2011-05-17
Project Name: JDK
Resolved Date: 2011-05-17
Component: deploy
OS: linux,generic
Sub-Component: plugin
CPU: x86,generic
Priority: P3
Resolution: Fixed
Affected Versions: 6
Fixed Versions:


Description
FULL PRODUCT VERSION :
1.6.0 (any build)

ADDITIONAL OS VERSION INFORMATION :
(any tested WinXP and Linux)

A DESCRIPTION OF THE PROBLEM :
The 1.6 plugin seems to ignore signed JAR files that don't contain ".jar" in their file name during the verification process of the JAR file certificates while the classloader manages to load any class from these archives. This behaviour is very confusing because both the 1.6 JDK tools and the previous plugin versions accept such files while there is no restriction made in the documentation/release notes of the 1.6 plugin.

This was working in both the 1.4 and 1.5 plugins.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
(1) Create a (J)Applet class that needs a signed context (e.g. by calling
'System.getProperty("user.home")' from inside the "init()" method)
(2) Compile it, put the class file(s) into a jar file and sign this jar file
(3) Create an HTML file containing an "applet" tag with this jar file in the "archive" path
(4) Open this file in the plugin/browser


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
 - a security warning dialog pops up and asks for permission
 - the applet succeeds in performing a restricted action after this permission is granted
ACTUAL -
 - no security dialog shows up
 - the applet fails to do its task

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception reported: "AccessControlException: Permission denied: ..." due to a missing signed applet context.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Applet source code:
----------------------------------
import javax.swing.JApplet;

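public class SecurityTest extends JApplet {

	public void init() {
		// Reading "user.home" is a restricted action that needs a signed (trusted) applet context
		System.getProperty("user.home");
	}
}

HTML source code:
-----------------------------------
<html><body>
<!-- "myJar" is the signed archive, named without a ".jar" ending on purpose -->
<applet code="SecurityTest.class" archive="myJar" width="200" height="50"></applet>
</body></html>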
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Don't use any JAR file in the "archive" path that doesn't end in ".jar".

                                    

Comments
EVALUATION

I believe all the applet JAR download code will first go through PluginURLJarFileCallback, where it will set the request property for the jar MIME type. So when we later download it from Cache.writeFileToDisk, we can check the request property and see if the request is for a jar file; if so, we assume it to be a jar file. This way we will treat all JAR downloads as JAR files, and we don't need to check the file name to tell whether it's a JAR.
                                     
2007-03-07
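
An added example, not part of the bug report or of the plugin's code: a check that decides whether an archive is signed from its content alone, using the standard java.util.jar API, so the file name plays no part. The class name SignerCheck, the helper unsignedEntries and the sample archive it builds are assumptions made for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.CodeSigner;
import java.util.*;
import java.util.jar.*;

public class SignerCheck {
    /** Hypothetical helper: names of entries that carry no code signer. */
    static List<String> unsignedEntries(Path archive) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        // verify=true: digests and signatures are checked while entries are read;
        // a modified signed entry makes the read throw SecurityException.
        try (JarFile jar = new JarFile(archive.toFile(), true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF/
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // signers are known only after a full read
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        Path archive;
        if (args.length > 0) {
            archive = Paths.get(args[0]); // an archive to check, under any file name
        } else {
            // Constructed sample: an unsigned JAR named "myJar", no ".jar" ending
            archive = Files.createTempDirectory("jartest").resolve("myJar");
            Manifest mf = new Manifest();
            mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(archive), mf)) {
                out.putNextEntry(new JarEntry("SecurityTest.class"));
                out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
                out.closeEntry();
            }
        }
        List<String> unsigned = unsignedEntries(archive);
        System.out.println(archive.getFileName() + ": " + (unsigned.isEmpty()
                ? "no unsigned entries" : "unsigned entries " + unsigned));
    }
}
```

Run without arguments, it reports the constructed archive's single entry as unsigned; given the path of an archive signed with jarsigner, the same check applies whatever the file is called.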


