Bug ID: JDK-6850598 [REGRESSION] Bug #6533653 is back in Java 6u14

Details
Type: Bug
Submit Date: 2009-06-12
Status: Closed
Updated Date: 2011-02-16
Project Name: JDK
Resolved Date: 2010-01-13
Component: deploy
OS: windows_xp
Sub-Component: webstart
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 6u10,6u14
Fixed Versions: 6u18 (b05)


Description
FULL PRODUCT VERSION :
java version "1.6.0_14"
Java(TM) SE Runtime Environment (build 1.6.0_14-b08)
Java HotSpot(TM) Client VM (build 14.0-b16, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 5.2.3790]

I confirm I'm using Windows XP x64 Edition, but I reproduced the problem with JRE 1.6.0_u14 32-bit version, starting the Java Web Start 32-bit client on a JNLP downloaded with a 32-bit browser (Firefox 2).

Anyway, I just checked that the same problem occurs even if I use the Java Web Start client of the 64-bit 1.6.0_u14 JRE release. 

A DESCRIPTION OF THE PROBLEM :
When you try to launch an application through JNLP and the JNLP file requests an eager download of a JAR which does not contain anything (just META-INF with the signing information), Java Web Start fails and the application is not started.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Please see steps to repro of bug #6533653

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The application should start. The empty JAR is signed and should not give any problem to the Java Web Start client.

This DID work with Java 6_u13, 6_u12, 6_u10, 6_u5...
ACTUAL -
The application is not started and an error dialog is shown by the Java Web Start Client.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
In the Java console I read:
#### Java Web Start Error:
#### Un'applicazione non firmata ha richiesto l'accesso illimitato al sistema
Risorsa non firmata: http://sun2.ost.lan:8080/cardinis-ost/applet/conf.jar
(translated: an unsigned application has requested unlimited access to the system. Unsigned resource: http://sun2.ost.lan:8080/cardinis-ost/applet/conf.jar)

Please note that conf.jar is actually signed!

In the details of the error dialog shown by Java Web Start client I read:

JNLPException[category: Errore di protezione : Exception: null : LaunchDesc:
<jnlp spec="1.5+" codebase="http://<server>:8080/path/to/codebase" version="1.0">
  <information>
    <title>App Name</title>
    <vendor>Vendor Name</vendor>
    <homepage href="Vendor home page"/>
    <description kind="short">App Description</description>
    <icon href="http://<server>:8080/path/to/icon.gif" kind="default"/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <update check="always" policy="always"/>
  <resources>
    <java href="http://java.sun.com/products/autodl/j2se" version="1.6.0_14"/>
    <!-- CUT other JARs defined -->
    <jar href="http://<server>:8080/cardinis-ost/applet/conf.jar" download="eager" main="false"/>
    <property name="swing.defaultlaf" value="javax.swing.plaf.metal.MetalLookAndFeel"/>
    <!-- CUT other JARs defined -->
  </resources>
  <applet-desc name="App Name" main-class="com.package.AppletMainClass" width="400" height="200">
    <!-- CUT params definition -->
  </applet-desc>
</jnlp> ]
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Remove the empty JAR from the JAR list declared in the JNLP file.

Release Regression From : 6u13
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.

                                    

Comments
EVALUATION

I don't understand why you need an empty jar file in your codebase, and it is even signed? Anyway, please provide a testcase so we can investigate further, but having an empty signed jar file in the codebase doesn't make sense to me.
                                     
2009-10-13
EVALUATION

Basically we can't get code signing information from cache because there is no entry inside this jar file. The fix is to try to use the canBeSkipped flag in the SigningInfo class for an empty jar file, and not validate this jar file in the LaunchDownload class.
                                     
2009-10-20
EVALUATION

We will skip the empty jar file signing check, fixed in 6u18b05.
                                     
2009-10-29
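
An added example, not part of the bug report and not the JDK's own code: a pre-deployment check that classifies a JAR by whether it holds any entry that can carry code signers, which is the condition the evaluation above describes for conf.jar. The class name, the Result values and the two sample JARs are constructed for illustration; pass real JAR paths as arguments to check them.

```java
import java.io.*;
import java.nio.file.*;
import java.security.CodeSigner;
import java.util.*;
import java.util.jar.*;

public class EmptyJarCheck {
    enum Result { NO_SIGNABLE_ENTRIES, ALL_SIGNED, HAS_UNSIGNED }
    // Signature-related files per the JAR specification; they never carry signers themselves.
    static final String META = "META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|DSA|RSA|EC))";

    static Result classify(Path jar) throws IOException {
        boolean sawEntry = false, sawUnsigned = false;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                String name = e.getName().toUpperCase(Locale.ROOT);
                if (e.isDirectory() || name.matches(META)) continue;
                sawEntry = true;
                // getCodeSigners() is only meaningful once the entry has been read to the end.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) sawUnsigned = true;
            }
        }
        if (!sawEntry) return Result.NO_SIGNABLE_ENTRIES; // the conf.jar case in this report
        return sawUnsigned ? Result.HAS_UNSIGNED : Result.ALL_SIGNED;
    }
    // Constructed sample input: a manifest plus, optionally, one unsigned payload entry.
    static Path sampleJar(String payloadName) throws IOException {
        Path p = Files.createTempFile("sample", ".jar");
        Manifest m = new Manifest();
        m.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(p), m)) {
            if (payloadName != null) {
                out.putNextEntry(new JarEntry(payloadName));
                out.write("key=value\n".getBytes("UTF-8"));
                out.closeEntry();
            }
        }
        return p;
    }
    public static void main(String[] args) throws IOException {
        System.out.println(classify(sampleJar(null)));              // manifest only
        System.out.println(classify(sampleJar("conf.properties"))); // one unsigned payload entry
        for (String a : args) System.out.println(a + ": " + classify(Paths.get(a)));
    }
}
```

A JAR reported as NO_SIGNABLE_ENTRIES has nothing for a signer lookup to return, so it has to be told apart from HAS_UNSIGNED, where a loadable entry really lacks a signature.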


