JDK-4625826 : unexpected exit when lazy-loading unsigned jar file
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 1.0.1
  • Priority: P5
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2002-01-18
  • Updated: 2002-10-15
  • Resolved: 2002-10-15
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
1.4.2 mantisFixed
Description

Name: nt126004			Date: 01/18/2002


FULL PRODUCT VERSION :
java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition(build 1.3.1-root-010902-18:51)
Java HotSpot(TM) Client VM (build 1.3.1, mixed mode)


FULL OPERATING SYSTEM VERSION :
all OSs, originally encountered on OSX



A DESCRIPTION OF THE PROBLEM :
I have a JNLP file that specifies two JAR files:
    A.jar download eager, contains main() program
    B.jar download lazy

Application starts fine loading only A.jar -- as intended.
A.jar is signed.
At some point, application decides to access a class
that is contained in B.jar. B.jar is NOT signed.

At this point, Web Start pops up a dialog talking about
"application cannot be started" (which is obviously not
correct because the app has been running for a while).
But worse, the dialog only offers the option "abort",
which quits the app -- certainly without giving the app
an opportunity to clean up.

Yes, I know that B.jar should be signed too (my
mistake) but shouldn't it instead do something more
"constructive". Class.forName() could return null, for
example, or throw a SecurityException.

The essence of the jnlp file is:

   <security>
     <all-permissions/>
   </security>
   <resources>
     <j2se version="1.3" initial-heap-size="64m"/>
     <jar href="lib/pepper.jar" main="true" download="eager"/>
     <jar href="lib/log4j.jar"/>
     <package name="com.r_objects.mm.CACSD_V1_0.*" 
part="com.r_objects.mm.CACSD_V1_0" recursive="true"/>
     <jar href="lib/com.r_objects.mm.CACSD_V1_0.jar" 
part="com.r_objects.mm.CACSD_V1_0" download="lazy"/>

where pepper.jar contains the main() and is signed.
com.r_objects.mm.CACSD_V1_0.jar is not signed.

This bug can be reproduced always.

CUSTOMER WORKAROUND :
sign all files.
(Review ID: 137812) 
======================================================================
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: mantis FIXED IN: mantis INTEGRATED IN: mantis mantis-b04
31-08-2004
EVALUATION It is a bug that the error message is misleading. The Application should exit at this point, since it it trying to run with all-permissions after loading an unsigned jar file. Fix the error message ###@###.### 2002-01-25
25-01-2002