JDK-6940136 : Webstart Shows Wrong Exception when the same jnlp has a signed and a none signed jar
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6u19
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: solaris_8,windows_xp
  • CPU: x86
  • Submitted: 2010-04-01
  • Updated: 2012-09-14
  • Resolved: 2010-04-14
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6u20 b01Fixed
Related Reports
Relates :  
JDK-6805618 - Exception: signer information does not match signer information of other classes in the same package
Description
FULL PRODUCT VERSION :
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) 64-Bit Server VM (build 16.2-b04, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7600]

A DESCRIPTION OF THE PROBLEM :
when i have this jnlp file:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+"
      codebase="http://localhost:8080"
      href="test.jnlp">
   <information>
      <title>Servoy Client - servoy_client</title>
      <vendor>Servoy</vendor>
      <homepage href="http://www.servoy.com/"/>
      <description>Database client</description>
      <icon href="/lib/images/servoy_client_icon.gif" />
      <icon kind="splash" href="/lib/splashclient.gif" width="64" height="64"/>
   </information>
   <resources>
      <j2se version="1.5+" />
      <j2se version="1.6+" />
      <jar href="main.jar" download="eager" version="1"/>
      <jar href="utility.jar" download="eager" version="3"/>
   </resources>
   <application-desc main-class="com.first.jar.Main">
	</application-desc>
	<security>
   	<all-permissions/>
	</security>
</jnlp>


where 2 jars are referenced and only the main.jar is signed but the utility.jar is not, i will not get a nice security warning dialog, but a exception dialog:

java.lang.NullPointerException
	at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
	at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
	at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
	at com.sun.javaws.security.SigningInfo.check(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
just use the jnlp file above and create 2 jars one is signed the other not

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A nice security dialog.
ACTUAL -
a Application Exception dialog

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.NullPointerException
	at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
	at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
	at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
	at com.sun.javaws.security.SigningInfo.check(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
sign all the jars

SUPPORT :
YES

Release Regression From : 6u10
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.
Comments
EVALUATION A null point check will be added, and user will get "Found unsigned entry in resources" error message and dialog box.
01-04-2010
EVALUATION I have investigated this, and the behavior seems as expected. 1.) If a jnlp file contains the <security>all-permissions</security> tag, all jars in it must be signed. This is the same behavior in javaws 1.1 all the way to the present and is as specified in the JNLP specification. 2.) If you do this, you should get one of two possible error dialogs (depending if the code is in the same package). It sounds like in this case we have a bug which generates this NPE exception instead, and that is shown in the Error Dialog instead of the proper error.
01-04-2010