United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6940136 Webstart Shows Wrong Exception when the same jnlp has a signed and a none signed jar
JDK-6940136 : Webstart Shows Wrong Exception when the same jnlp has a signed and a none signed jar

Details
Type:
Bug
Submit Date:
2010-04-01
Status:
Closed
Updated Date:
2012-09-14
Project Name:
JDK
Resolved Date:
2010-04-14
Component:
deploy
OS:
solaris_8,windows_xp
Sub-Component:
webstart
CPU:
x86
Priority:
P4
Resolution:
Fixed
Affected Versions:
6u19
Fixed Versions:
6u20 (b01)

Related Reports
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) 64-Bit Server VM (build 16.2-b04, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7600]

A DESCRIPTION OF THE PROBLEM :
when i have this jnlp file:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+"
      codebase="http://localhost:8080"
      href="test.jnlp">
   <information>
      <title>Servoy Client - servoy_client</title>
      <vendor>Servoy</vendor>
      <homepage href="http://www.servoy.com/"/>
      <description>Database client</description>
      <icon href="/lib/images/servoy_client_icon.gif" />
      <icon kind="splash" href="/lib/splashclient.gif" width="64" height="64"/>
   </information>
   <resources>
      <j2se version="1.5+" />
      <j2se version="1.6+" />
      <jar href="main.jar" download="eager" version="1"/>
      <jar href="utility.jar" download="eager" version="3"/>
   </resources>
   <application-desc main-class="com.first.jar.Main">
	</application-desc>
	<security>
   	<all-permissions/>
	</security>
</jnlp>


where 2 jars are referenced and only the main.jar is signed but the utility.jar is not, i will not get a nice security warning dialog, but a exception dialog:

java.lang.NullPointerException
	at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
	at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
	at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
	at com.sun.javaws.security.SigningInfo.check(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
just use the jnlp file above and create 2 jars one is signed the other not

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A nice security dialog.
ACTUAL -
a Application Exception dialog

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.NullPointerException
	at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
	at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
	at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
	at com.sun.javaws.security.SigningInfo.check(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
sign all the jars

SUPPORT :
YES

Release Regression From : 6u10
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

                                    

Comments
EVALUATION

I have investigated this, and the behavior seems as expected.
1.) If a jnlp file contains the <security>all-permissions</security> tag, all jars in it must be signed.
This is the same behavior in javaws 1.1 all the way to the present and is as specified in the JNLP specification.
2.) If you do this, you should get one of two possible error dialogs (depending if the code is in the same package).  It sounds like in this case we have a bug which generates this NPE exception instead, and that is shown in the Error Dialog instead of the proper error.
                                     
2010-04-01
EVALUATION

A null point check will be added, and user will get 
"Found unsigned entry in resources" error message and dialog box.
                                     
2010-04-01



Hardware and Software, Engineered to Work Together