JDK-8055179 : Security Dialog for unsigned jnlp still different in jnlp Application case.
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u20,9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-08-15
  • Updated: 2015-06-03
  • Resolved: 2014-09-05
  • JDK 8: 8u40 b06 (Fixed)
  • JDK 9: 9 (Fixed)
Description
According to comments in JDK-8014361, non-signed jnlp with insecure properties will not show warning prompt in attachment. And according to Andy, "agreed upon changes were implemented under different bugs".
But I still can reproduce this issue.
Steps to reproduce:
1. Import self signed ca self.valid.cert to have a valid trusted cert
Open JCP -> Security -> Manage Certificates - Signer CA, import http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/vmargs/lib/self.valid.cert
2. Load non-signed jnlp with JAR properly signed:
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/vmargsjarsign/jnlp/testsignedvmWrong.jnlp
The properties in the jnlp are not correct.
3. If a security warning with title "Security Warning" shows up and in more info dialog it says "Although the application has a digital signature, the application's associated file (JNLP) does not have one......", then this issue is reproduced. See attached jarsign.png

Note:
1. If all jar and jnlp are signed, app still failed with jre9-b26 and 8u20-b25 due to: 
java.lang.NullPointerException
 	at com.sun.javaws.JnlpxArgs.execProgram(Unknown Source)
 	at com.sun.javaws.Launcher.relaunch(Unknown Source)
 	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
 	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
 	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
 	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
 	at com.sun.javaws.Launcher.launch(Unknown Source)
 	at com.sun.javaws.Main.launchApp(Unknown Source)
 	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
 	at com.sun.javaws.Main.access$000(Unknown Source)
 	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
all signed test app: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/vmargs/jnlp/testsignedvmWrong.jnlp
But if run above all signed jnlp with 8u5-13, a fatal error dialog will show up instead of NPE. See attachment 8u5-wrong-property.png

Comments
note - this only applies to jnlp applications since plugin calls to TrustDecider.isAllPermissionsGranted() always pass "false" as value of jnlpFlag arg.
15-08-2014

There were two behavioral changes agreed upon as part of 8014361: 1.) Insecure properties set in a jnlp requesting all-permissions will no longer be set unless jnlp is signed or DRS run rule is in effect. 2.) The Security dialog should no longer reflect anything different when the jnlp file is unsigned. The first above was implemented. The second was never implemented, and is now this bug. We need to remove the "jnlpFlag" arg from TrustDecider.isAllPermissionsGranted() and all of its pass-downs.
15-08-2014
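
The first behavioral change described in the comment above can be checked on a deployment with a small triage script. This is an added example, not code from the bug report or from the JDK. The names audit_jnlp and build_jar and the sample JNLP are constructed for illustration. Assumptions: only names starting with jnlp. or javaws. are treated as secure (the JRE's full secure-property list is not on this page), and "signed" is approximated by a byte-identical copy of the JNLP inside the main JAR.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

SECURE_PREFIXES = ("jnlp.", "javaws.")  # name prefixes Java Web Start always treats as secure
SIGNED_JNLP_ENTRY = "JNLP-INF/APPLICATION.JNLP"  # copy of the JNLP carried inside the signed JAR

def build_jar(entries):
    """Build an in-memory JAR (zip) from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def audit_jnlp(jnlp_bytes, main_jar_bytes, drs_run_rule=False):
    """Report whether a JNLP's insecure properties would take effect under the rule above."""
    root = ET.fromstring(jnlp_bytes)
    all_perms = root.find("./security/all-permissions") is not None
    names = [p.get("name", "") for p in root.iter("property")]
    insecure = [n for n in names if not n.startswith(SECURE_PREFIXES)]
    with zipfile.ZipFile(io.BytesIO(main_jar_bytes)) as jar:
        entry = next((n for n in jar.namelist() if n.upper() == SIGNED_JNLP_ENTRY), None)
        embedded = jar.read(entry) if entry else None
    # Simplification (assumption): "signed" means the embedded copy matches byte for byte.
    # The JAR signature itself is not verified here; check it with jarsigner -verify.
    jnlp_signed = embedded is not None and embedded.strip() == jnlp_bytes.strip()
    # Rule from the comment: all-permissions JNLP, insecure properties, signed JNLP or DRS rule.
    applied = all_perms and bool(insecure) and (jnlp_signed or drs_run_rule)
    return {"all_permissions": all_perms, "insecure_properties": insecure,
            "jnlp_signed": jnlp_signed, "insecure_properties_applied": applied}

# Constructed sample: all-permissions JNLP with one secure and one insecure property.
SAMPLE_JNLP = b"""<jnlp spec="1.0+" codebase="http://example.invalid/app" href="app.jnlp">
  <security><all-permissions/></security>
  <resources>
    <property name="jnlp.packEnabled" value="true"/>
    <property name="java.security.policy" value="all.policy"/>
    <jar href="app.jar" main="true"/>
  </resources>
</jnlp>"""

if __name__ == "__main__":
    unsigned = audit_jnlp(SAMPLE_JNLP, build_jar({"Main.class": b""}))
    signed = audit_jnlp(SAMPLE_JNLP, build_jar({SIGNED_JNLP_ENTRY: SAMPLE_JNLP}))
    print(unsigned, signed, sep="\n")
```
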

Affected tests: vmargsTest::testsignedvmWrong vmargsTest::testsignedvmUnSupported
15-08-2014