FULL PRODUCT VERSION :
java version "1.6.0_13"
Java(TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) Client VM (build 11.3-b02, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows Vista

EXTRA RELEVANT SYSTEM CONFIGURATION :
Microsoft Windows [Version 6.0.6001]

A DESCRIPTION OF THE PROBLEM :
The "javax.swing.defaultlf" property is not working and causing security warnings under Java 1.6.0u10 and later when the JNLP file is verified.

As I understand this property, it should control the default l&f of Swing (I have not been able to find any documentation on this though). This property is part of the list of "safe" properties that can be set in a JNLP file (as per Java 1.6). Using only "safe" properties has recently gotten more important as Java 1.6.0u10 and later now posts an alert to the user warning her/him that the JNLP file cannot be verified if the JNLP file has not been signed and uses one of the non-"safe" properties (e.g. "swing.defaultlaf" to set the default look&feel).

My guess is that the problem is that the "javax.swing.defaultlf" property *really* should have been "swing.defaultlaf".
I have downloaded the Java, C, C++ code for Java 1.6 and searched for uses of the "javax.swing.defaultlf" property but can only find two instances:

In com."sun/deploy/config/Config.java":

    // note - should be same list as in native: secure.c
    private static final String DefaultSecureProperties [] = {
        "sun.java2d.noddraw",
        "javax.swing.defaultlf",
        "javaws.cfg.jauthenticator",
        "swing.useSystemFontSettings",
        "swing.metalTheme",
        "http.agent",
        "http.keepAlive",
        "sun.awt.noerasebackground",
        "sun.java2d.opengl",
        "sun.java2d.d3d",
        "java.awt.syncLWRequests",
        "java.awt.Window.locationByPlatform",
        "sun.awt.erasebackgroundonresize",
        "swing.noxp",
        "swing.boldMetal",
        "awt.useSystemAAFontSettings",
        "sun.java2d.dpiaware",
    };

And in "deploy/src/javaws/share/native/secure.c":

    /*
     * SecurePropertyKeys is a list of keys that can be set in a jnlp file using
     * <property name="key" value="value" /> and we will pass on to the java
     * invocation as -Dkey=value
     */
    static char *SecurePropertyKeys[] = {
        "sun.java2d.noddraw",
        "javax.swing.defaultlf",
        "javaws.cfg.jauthenticator",
        "swing.useSystemFontSettings",
        "swing.metalTheme",
        "http.agent",
        "http.keepAlive",
        "sun.awt.noerasebackground",
        "sun.java2d.opengl",
        "sun.java2d.d3d",
        "java.awt.syncLWRequests",
        "java.awt.Window.locationByPlatform",
        "sun.awt.erasebackgroundonresize",
        "swing.noxp",
        "swing.boldMetal",
        "awt.useSystemAAFontSettings",
        "sun.java2d.dpiaware",
    };

After looking at the code I suspect that the references to "javax.swing.defaultlf" are a misspelling. It should really have been "swing.defaultlaf".

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
a) Create a signed Java Web Start application that uses the "javax.swing.defaultlf" property to set the default look&feel through a <property ...> element.
b) Start the Java Web Start application.
c) Note that Java Web Start warns about a security problem related to the JNLP file.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No security warning related to the JNLP file
ACTUAL -
Security warning related to the JNLP file

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 6u7
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.
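
Added example, not part of the original report and not Sun's code: a small lint that lists the <property> names in a JNLP descriptor that are missing from the "safe" list quoted above, i.e. the ones the report says lead to the verification alert when the file is unsigned. The class name JnlpPropertyLint, the method nonSecureProperties and the sample descriptor are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class JnlpPropertyLint {
    // Copied from the DefaultSecureProperties array quoted in the report, spelling included.
    static final Set<String> SECURE = new HashSet<>(Arrays.asList(
        "sun.java2d.noddraw", "javax.swing.defaultlf", "javaws.cfg.jauthenticator",
        "swing.useSystemFontSettings", "swing.metalTheme", "http.agent",
        "http.keepAlive", "sun.awt.noerasebackground", "sun.java2d.opengl",
        "sun.java2d.d3d", "java.awt.syncLWRequests", "java.awt.Window.locationByPlatform",
        "sun.awt.erasebackgroundonresize", "swing.noxp", "swing.boldMetal",
        "awt.useSystemAAFontSettings", "sun.java2d.dpiaware"
    ));

    // Returns the names of all <property> elements that are not on the allowlist.
    static List<String> nonSecureProperties(byte[] jnlp) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A descriptor is untrusted input: reject DOCTYPE so no entities are expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList props = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(jnlp)).getElementsByTagName("property");
        List<String> flagged = new ArrayList<>();
        for (int i = 0; i < props.getLength(); i++) {
            String name = ((Element) props.item(i)).getAttribute("name");
            if (!SECURE.contains(name)) flagged.add(name);
        }
        return flagged;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptor; codebase and jar name are placeholders.
        String sample =
            "<jnlp spec=\"1.0+\" codebase=\"http://example.invalid/app\">"
          + "<resources>"
          + "<jar href=\"app.jar\"/>"
          + "<property name=\"swing.defaultlaf\" value=\"javax.swing.plaf.metal.MetalLookAndFeel\"/>"
          + "<property name=\"swing.boldMetal\" value=\"false\"/>"
          + "</resources></jnlp>";
        for (String name : nonSecureProperties(sample.getBytes(StandardCharsets.UTF_8)))
            System.out.println("not on secure list: " + name);
    }
}
```

Run against the sample, the lint flags "swing.defaultlaf", the name Swing reads for the default look and feel, while the listed "javax.swing.defaultlf" spelling would pass the check.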