JDK-6725426 : Changes in java6 update 7 breaks webstart with osgi
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6,6u7
  • Priority: P2
  • Status: Closed
  • Resolution: Won't Fix
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2008-07-14
  • Updated: 2011-02-16
  • Resolved: 2008-07-24
Description
FULL PRODUCT VERSION :
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06)
Java HotSpot(TM) Client VM (build 10.0-b23, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
all tested platforms:
windows xp
windows vista
windows 2000
gentoo linux with 2.6.20 kernel

A DESCRIPTION OF THE PROBLEM :
Changes in update 7 broke our webstart application which is lauched by org.eclipse.equinox.launcher.WebStartMain (using org.eclipse.equinox.launcher_1.0.1.R33x_v20080118.jar and similar from eclipse 3.4)
we tracked down that error to a change in com.sun.deploy.cache.CachedJarFile which returns the cache location of jar files via the getName() method.
update 7 delivers an empty string instead of the full jar name url.
this leads to a nullpointerexception:

 !SESSION Thu Jul 10 11:42:00 CEST 2008 -----------------------------------------
!ENTRY org.eclipse.equinox.launcher 4 0 2008-07-10 11:42:00.680
!MESSAGE Exception launching the Eclipse Platform:
!STACK
java.lang.NullPointerException
	at org.eclipse.equinox.launcher.Main.readFrameworkExtensions(Main.java:669)
	at org.eclipse.equinox.launcher.Main.addBaseJars(Main.java:720)
	at org.eclipse.equinox.launcher.Main.getDevPath(Main.java:642)
	at org.eclipse.equinox.launcher.Main.getBootPath(Main.java:827)
	at org.eclipse.equinox.launcher.Main.basicRun(Main.java:431)
	at org.eclipse.equinox.launcher.WebStartMain.basicRun(WebStartMain.java:78)
	at org.eclipse.equinox.launcher.Main.run(Main.java:1173)
	at org.eclipse.equinox.launcher.WebStartMain.main(WebStartMain.java:56)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.sun.javaws.Launcher.executeApplication(Unknown Source)
	at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
	at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
	at com.sun.javaws.Launcher.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

we will forward this bug to the eclipse development team


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
start a osgi base webstart application on java6 update 7

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
com.sun.deploy.cache.CachedJarFile#getName() should deliver the full name of the respective cached jar file
ACTUAL -
com.sun.deploy.cache.CachedJarFile#getName() returns an empty string

ERROR MESSAGES/STACK TRACES THAT OCCUR :
!SESSION Thu Jul 10 11:42:00 CEST 2008 -----------------------------------------
!ENTRY org.eclipse.equinox.launcher 4 0 2008-07-10 11:42:00.680
!MESSAGE Exception launching the Eclipse Platform:
!STACK
java.lang.NullPointerException
	at org.eclipse.equinox.launcher.Main.readFrameworkExtensions(Main.java:669)
	at org.eclipse.equinox.launcher.Main.addBaseJars(Main.java:720)
	at org.eclipse.equinox.launcher.Main.getDevPath(Main.java:642)
	at org.eclipse.equinox.launcher.Main.getBootPath(Main.java:827)
	at org.eclipse.equinox.launcher.Main.basicRun(Main.java:431)
	at org.eclipse.equinox.launcher.WebStartMain.basicRun(WebStartMain.java:78)
	at org.eclipse.equinox.launcher.Main.run(Main.java:1173)
	at org.eclipse.equinox.launcher.WebStartMain.main(WebStartMain.java:56)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.sun.javaws.Launcher.executeApplication(Unknown Source)
	at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
	at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
	at com.sun.javaws.Launcher.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
use a java6 version prior to update 7

Release Regression From : 6u6
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.
Lehman Brothers are also facing this issue.
It seems that binary compatiblity may have been broken
between 1.6.0_06 and 1.6.0_07.

Lehman has an application that is built with Eclipse and OSGI and Java Webstart,
and after upgrading to 1.6.0_07, their application no longer runs.
It seems that the application can't be started, because the location of the
plugin-jars in the webstart cache can't be retrieved in Update 7.

In former versions this code snippet returned the location:

URLConnection connection = connection = url.openConnection();
  if (connection instanceof JarURLConnection) {                                 

        return "file:" + ((JarURLConnection)connection).getJarFile().getName(); 
}
}

The returned JarFile is an instance of com.sun.deploy.cache.CachedJarFile,
#getName() returned the location of the cached file.
In Update 7 the returned String is empty.

Apparnetly, we may have broken binary compatibility by fixing this Sun Alert:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1

I was under the impression that minor updates _XX shouldn't break Binary 
compatibility? Please comment on this and evaluate this bug.

More on this can be viewed here on the Eclips site:  https://bugs.eclipse.org/bugs/show_bug.cgi?id=240500
Comments
EVALUATION The whole point of making this change is to avoid exposing the deployment cache location due to a potential security vulnerability: http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1 Making the Java platform secure is a top priority, and we simply cannot ignore this security issue and expose tens of millions of end users to security attacks. The fix of this security vulnerability must block the application to discover the location of a cached jar inside the deployment cache. We understand that this may cause some issues in some applications, but making the Java platform secure is much more important in this case. If an application relies on the location of a cached jar by any means, the application should be updated to assume no knowledge of the deployment cache.
07-08-2008
EVALUATION They should not depend on the cached JAR location (com.sun.deploy.cache.CachedJarFile.getName). The deployment cache is a private interface, and is subject to change anytime. Starting in 6u7, CachedJarFile.getName will always return "". This is due to a security fix: http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1 They can use the other JarFile APIs to get to the cached JAR content. But we will no longer expose the cached JAR actual file path.
24-07-2008
WORK AROUND They can access the cached JAR contents via JAR APIs, like getInputStream, getEntry, getJarEntry, etc.
24-07-2008