United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6670678 Java Web Start must support a more flexible security model
JDK-6670678 : Java Web Start must support a more flexible security model

Details
Type:
Bug
Submit Date:
2008-03-04
Status:
Closed
Updated Date:
2010-09-17
Project Name:
JDK
Resolved Date:
2008-06-27
Component:
deploy
OS:
generic
Sub-Component:
webstart
CPU:
generic
Priority:
P3
Resolution:
Fixed
Affected Versions:
6u10
Fixed Versions:
6u10 (b26)

Related Reports
Backport:
Relates:
Relates:

Sub Tasks

Description
With the fix for 6670470 to allow JNLP-launched applets to refer to extensions on other hosts (among other things), it is absolutely essential that the same functionality be supported for Java Web Start applications. Otherwise we will have a major discrepancy in functionality between these two deployment technologies, which are supposed to be essentially identical from the user's point of view.

Note that 6518285 was filed on this very similar issue over a year ago. Since that bug specifically targets spec changes, this bug will focus on changing the implementation without changing the specification to allow fallback behavior to a more relaxed security model.

If LaunchDownload.checkJNLPSecurity() throws an exception, then we will degrade to the same behavior as is currently used for JNLP-launched applets: in particular, do not add permissions for the class being loaded based on the contents of the JNLP file. Instead, consider only the origin of the code and its trust status. This will involve adding code to the JNLPClassLoader which is similar to that currently in the Plugin2ClassLoader.

                                    

Comments
EVALUATION

fix will be in LaunchDownload.checkJNLPSecurity.
                                     
2008-05-20



Hardware and Software, Engineered to Work Together