JDK-6670678 : Java Web Start must support a more flexible security model
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6u10
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-03-04
  • Updated: 2010-09-17
  • Resolved: 2008-06-27
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
6u10 b26Fixed 7Fixed
Related Reports
Relates :  
Relates :  
With the fix for 6670470 to allow JNLP-launched applets to refer to extensions on other hosts (among other things), it is absolutely essential that the same functionality be supported for Java Web Start applications. Otherwise we will have a major discrepancy in functionality between these two deployment technologies, which are supposed to be essentially identical from the user's point of view.

Note that 6518285 was filed on this very similar issue over a year ago. Since that bug specifically targets spec changes, this bug will focus on changing the implementation without changing the specification to allow fallback behavior to a more relaxed security model.

If LaunchDownload.checkJNLPSecurity() throws an exception, then we will degrade to the same behavior as is currently used for JNLP-launched applets: in particular, do not add permissions for the class being loaded based on the contents of the JNLP file. Instead, consider only the origin of the code and its trust status. This will involve adding code to the JNLPClassLoader which is similar to that currently in the Plugin2ClassLoader.

EVALUATION fix will be in LaunchDownload.checkJNLPSecurity.