JDK-6519657 : Certificates of signed JAR files without file ending ".jar" are ignored
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,linux
  • CPU: generic,x86
  • Submitted: 2007-01-31
  • Updated: 2011-05-17
  • Resolved: 2011-05-17
JDK 6: 6u2 (Fixed)
JDK 7: 7 b16 (Fixed)
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
1.6.0 (any build)

ADDITIONAL OS VERSION INFORMATION :
(any tested WinXP and Linux)

A DESCRIPTION OF THE PROBLEM :
The 1.6 plugin seems to ignore signed JAR files that don't contain ".jar" in their file name during the verification process of the JAR file certificates while the classloader manages to load any class from these archives. This behaviour is very confusing because both the 1.6 JDK tools and the previous plugin versions accept such files while there is no restriction made in the documentation/release notes of the 1.6 plugin.

This was working in both the 1.4 and 1.5 plugins.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
(1) Create a (J)Applet class that needs a signed context (e.g. by calling
'System.getProperty("user.home")' from inside the "init()" method)
(2) Compile it, put the class file(s) into a jar file and sign this jar file
(3) Create a HTML file containing an "applet" tag with this jar file in the "archive" path
(4) Open this file in the plugin/browser


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
 - a security warning dialog pops up and asks for permission
 - the applet succeeds in performing a restricted action after this permission is granted
ACTUAL -
 - no security dialog shows up
 - the applet fails to do its task

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception reported: "AccessControlException: Permission denied: ..." due to a missing signed applet context.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Applet source code:
----------------------------------
import javax.swing.JApplet;

public class SecurityTest extends JApplet {

	public void init() {
		System.getProperty("user.home");
	}
}

HTML source code:
-----------------------------------
<html><body>
<applet code="SecurityTest.class" archive="myJar" width="200" height="50"></applet>
</body></html>
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Don't use any JAR file in the "archive" path that doesn't end in ".jar".

Comments
EVALUATION
I believe all the applet JAR download code will first go through PluginURLJarFileCallback, where it will set the request property for the jar MIME type. So when we later download it from Cache.writeFileToDisk, we can check the request property and see if the request is for a jar file; if so, then assume it to be a jar file. This way we will treat all JAR downloads as JAR files, and we don't need to check the file name to tell whether it's a JAR.
07-03-2007
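The report notes that the JDK tools accept signed archives whatever their file name. The following is an added example, not code from the bug report or from the plugin, showing a name-independent signer check with the standard java.util.jar API. The class name SignerCheck and method signersOf are hypothetical, and skipping everything under META-INF/ is a simplification.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class): lists the signers of an archive without using its file name.
public class SignerCheck {
    /** Returns signer subject names; throws if a class or resource entry is unsigned. */
    static Set<String> signersOf(String path) throws IOException {
        Set<String> subjects = new LinkedHashSet<>();
        // verify=true makes JarFile check digests and signatures as entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            if (jar.getManifest() == null) {
                throw new IOException(path + ": no manifest, cannot be a signed JAR");
            }
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // Simplification: skip META-INF/, where the manifest and signature files live.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signers are known only after the entry is read to the end;
                // a modified entry raises SecurityException during the read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }
                for (CodeSigner s : signers) {
                    X509Certificate c =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    subjects.add(c.getSubjectX500Principal().getName());
                }
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "myJar"; // archive name from the report's HTML
        System.out.println(path + " signed by: " + signersOf(path));
    }
}
```

Run it against the same signed archive under both names (for example `myJar` and `myJar.jar`); the reported signer set should be identical.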