United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6629341 Plugin2: Backward Compatibility issue after secure properites check is introduced
JDK-6629341 : Plugin2: Backward Compatibility issue after secure properites check is introduced

Details
Type:
Bug
Submit Date:
2007-11-13
Status:
Closed
Updated Date:
2011-01-26
Project Name:
JDK
Resolved Date:
2008-01-30
Component:
deploy
OS:
generic,windows
Sub-Component:
plugin
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
6u10
Fixed Versions:
6u10 (b11)

Related Reports
Duplicate:
Relates:

Sub Tasks

Description
This CR is filed to track the potential backward compatibility issue in Plugin2 after secure properties check feather is implemented.

In the new plugin2, any insecure system properties and java arguments in deployment.properties required applets to be signed. This is true on both vista and non-vista platforms. On vista platform, deployment.properties file is in a low integrity location. So it is untrusted by default. On non-vista platform, this creates incompatibility issue with classic java plugin. In the old plugin, unsigned applets can still run.

We may have to rethink the current implementation if the compatibility impact is significant.

                                    

Comments
EVALUATION

It has been decided to not allow insecure system properties to be specified via deployment.properties at all, due to what would be necessary inconsistencies between platforms, in particular Windows Vista and everything else. This has been addressed in a different fashion under 6643379. Closing this as a duplicate of that one for tracking purposes.
                                     
2007-12-19
EVALUATION

User shemnon on the java.net forums has pointed out that the abovementioned solution does not work; it breaks the ability to debug applets by specifying command-line arguments like -Xdebug -Xrunjdwp from the Java Control Panel. Reopening this bug. We will have to solve it by treating the command-line arguments from deployment.properties as trusted.
                                     
2008-01-02
SUGGESTED FIX

http://sa.sfbay.sun.com/projects/deployment_data/6u10/6629341.1
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_10/6629341/
                                     
2008-01-03
EVALUATION

A user on the java.net forums indicated that debugging of applets
doesn't work with the new Java Plug-In. Normally users specify -Xdebug
-Xrunjdwp:... via the Java Control Panel to enable debugging of
applets. It is likely that in the build they were testing they were
receiving ClassNotFoundExceptions due to the specification of the
insecure -Xrunjdwp command-line argument. In build 10 the fix for
6643379 inadvertently further broke this functionality, since the
insecure -Xrunjdwp command-line argument would be filtered out.

To solve this problem, the JVMParameters class was refactored to
contain two sets of arguments: trusted and untrusted. Trusted
arguments come from deployment.properties and are specified via the
Java Control Panel. Even insecure JVM arguments may be specified here
without affecting the "secure" status of the target JVM. Any arguments
specified via the java_arguments HTML parameter go into the untrusted
set and have the same semantics as before. Introduced a separator
argument ("--") used to indicate to the JP2Launcher on Windows Vista
the boundary between the trusted and untrusted arguments.

Additionally, a check for the -Xdebug flag was added and the
browser-side heartbeat thread (which is only a last safety measure to
avoid browser hangs) disabled if it is present, to avoid having the
target JVM abruptly torn down if the debugger is stopped at a
breakpoint for a long period of time.

Tested with a new regression test as well as the regression tests for
6625351, 6640436, 6643379, and the unit test for the JVMParameters
class, both with and without the use of the JP2Launcher normally used
only on Windows Vista.
                                     
2008-01-03



Hardware and Software, Engineered to Work Together