JDK-6595618 : Intermittent problems with signed applet certificate verification
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 5.0u16,6u2,6u4,7
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,windows_xp
  • CPU: generic,x86
  • Submitted: 2007-08-21
  • Updated: 2012-08-06
  • Resolved: 2010-07-06
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other Other JDK 6 JDK 7
5.0u18-revFixed 5.0u19Fixed 6u10Fixed 7 betaFixed
Related Reports
Duplicate :  
JDK-6782121 - crash in deploy.dll after calling com.sun.deploy.security.WIExplorerCertStore.loadCertificates()
Duplicate :  
JDK-6611565 - AccessControlException when executing signed applets
Duplicate :  
JDK-6800020 - Java applet receives "java.security.AccessControlException: access denied" w/ 1.6.0_04
Description
It seems that with the current 6u5 (Consumer JRE) and 7 builds, intermittent problems with signed applets are occurring. The symptom is that the applet occasionally acts as though it is unsigned, failing in operations like querying system properties or connecting to a server which it should be allowed to. It is hard to isolate exactly when this problem was introduced, but it seems to be present in 6u5 and 7 and not in what used to be 6u3 b02.

Attached are two stack traces from the Iris application (http://swinglabs.org/iris/). One shows that the (signed) JNLPAppletLauncher, which is used to launch one of the demo's two applets (the Editor applet), is unable to fetch a system property. The other shows that the other signed applet on the page, the Toolbox applet, is unable to connect to Flickr.

These problems don't occur all of the time and seem to be present either mostly or completely on the Firefox browser.

It's unclear whether there might be a new race condition in certificate checking somehow related to the presence of the two signed applets on the page, or something similar.

Removing the Sun certificate from the accepted certificates list seems to fix the problem for the first launch after the removal (when the security dialogs are displayed), but the problem seems to occur afterward.
Comments
EVALUATION There is a race condition may happened here, maybe it is introduced during our new thread model in 6u5, I will add synchnozied block to workaround race condition.
04-10-2007