JDK-6534675 : CacheEntry doesn't scan manifest entries unless file extension is ".jar"
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2007-03-15
  • Updated: 2010-05-11
  • Resolved: 2008-11-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6u12Resolved
Related Reports
Duplicate :  
JDK-6519657 - Certificates of signed JAR files without file ending ".jar" are ignored
Description
I have a web application (hudson.war --- see http://hudson.dev.java.net/). Since a .war file is really just a .jar file, my hudson.war contains enough stuff (like Main-Class in META-INF/MANIFEST.MF) to make it launchable as a jar by running "java -jar hudson.war". This is desirable to make this web application easily installable. This war file is signed, too.

When I tried to run this hudson.war from JNLP, I got an error from Java web start claiming that this war file is not signed. Since it needs unlimited access to the system, it fails to launch my program.

After downloading the web start source code and tracing the code, I found that com.sun.deploy.cache.CacheEntry is not reading the manifest file of my war file at all. In fact, this class works differently between jar files and non-jar files. hudson.war was considered as a non-jar resource, and hence it fails the test in line 652, so the manifest entry is simply ignored.

Later, after all the files are downloaded, com.sun.javaws.LaunchDownload checks all the JARDesc instances of the JNLP file. Since my JNLP file reads as follows, the system picks up CacheEntry and tries to pick up code signers and certificates. But the CacheEntry didn't read my manifest, so it returns nothing, and hence the processing with the UI saying "resource not signed":

  <resources>
    <j2se version="1.5+"/>
    <jar href="https://hudson.dev.java.net/files/documents/2402/52759/hudson.war"/>
  </resources>

The essence of the problem is that there's no consistent handling as to "what is a jar file". Either the caller of the CacheEntry class should supply that information (whoever requesting to download hudson.war should know that it's doing so because this is a JARDesc), or the CacheEntry should be modified to scan manifest later when it turns out that a particular resource is used as a jar file.
I should also point out that generally speaking relying on the extension to decide the content type is not a good idea.

For example, in JAX-WS, we expose the web service endpoints on a servlet container, and clients need a dedicated java program to talk to it. So we are talking about perhaps responding to requests like "http://foobar/myWebService/?jar" to return a jar file that contains what the client needs. (?jar goes nicely with the industry convention of ?wsdl, ?xsd etc that it already implements.)

This bug makes it impossible for me to use that resource directly in JNLP descriptor.
Comments
EVALUATION I tried with 6u10 and cannot reproduce the bug. I believe this is fixed by 6519657 in 6u2
19-11-2008
EVALUATION we need to either treat all files listed as resources as jar files, or at least also special case .war files and war mime types also.
07-10-2008
EVALUATION I believe this is a duplicated of 6494365, and is fixed in 6u1 and JDK 7. need to confirm with submitter that 6u1 fixes this problem.
15-03-2007