JDK-6850601 : Problems with "javax.swing.defaultlf" property in Java 1.6.0u10 and later
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6u10
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_vista
  • CPU: x86
  • Submitted: 2009-06-12
  • Updated: 2011-02-16
  • Resolved: 2009-08-19
JDK 6: 6u18 b01 (Fixed)
JDK 7: 7 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.6.0_13"
Java(TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) Client VM (build 11.3-b02, mixed mode, sharing)


ADDITIONAL OS VERSION INFORMATION :
Windows Vista


EXTRA RELEVANT SYSTEM CONFIGURATION :
Microsoft Windows [Version 6.0.6001]


A DESCRIPTION OF THE PROBLEM :
The "javax.swing.defaultlf" property is not working and is causing security warnings under Java 1.6.0u10 and later when the JNLP file is verified.

As I understand this property, it should control the default l&f of Swing (I have not been able to find any documentation on this though).

This property is part of the list of "safe" properties that can be set in a JNLP file (as per Java 1.6).

Using only "safe" properties has recently gotten more important as Java 1.6.0u10 and later now posts an alert to the user warning her/him that the JNLP file cannot be verified if the JNLP file has not been signed and uses one of the non-"safe" properties (e.g. "swing.defaultlaf" to set the default look&feel).

My guess is that the problem is that the "javax.swing.defaultlf" property *really* should have been "swing.defaultlaf".


I have downloaded the Java, C, C++ code for Java 1.6 and searched for uses of the "javax.swing.defaultlf" property but can only find two instances:

In "com/sun/deploy/config/Config.java":

// note - should be same list as in native: secure.c
    private static final String DefaultSecureProperties [] = {
            "sun.java2d.noddraw",
            "javax.swing.defaultlf",
            "javaws.cfg.jauthenticator",
            "swing.useSystemFontSettings",
            "swing.metalTheme",
            "http.agent",
            "http.keepAlive",
            "sun.awt.noerasebackground",
            "sun.java2d.opengl",
            "sun.java2d.d3d",
            "java.awt.syncLWRequests",
            "java.awt.Window.locationByPlatform",
            "sun.awt.erasebackgroundonresize",
            "swing.noxp",
            "swing.boldMetal",
            "awt.useSystemAAFontSettings",
            "sun.java2d.dpiaware",
     };

And in "deploy/src/javaws/share/native/secure.c"

/*
 * SecurePropertyKeys is a list of keys that can be set in a jnlp file using
 * <property name="key" value="value" />  and we will pass on to the java
 * invocation as -Dkey=value
 */
static char *SecurePropertyKeys[] =
{
    "sun.java2d.noddraw",
    "javax.swing.defaultlf",
    "javaws.cfg.jauthenticator",
    "swing.useSystemFontSettings",
    "swing.metalTheme",
    "http.agent",
    "http.keepAlive",
    "sun.awt.noerasebackground",
    "sun.java2d.opengl",
    "sun.java2d.d3d",
    "java.awt.syncLWRequests",
    "java.awt.Window.locationByPlatform",
    "sun.awt.erasebackgroundonresize",
    "swing.noxp",
    "swing.boldMetal",
    "awt.useSystemAAFontSettings",
    "sun.java2d.dpiaware",
};

After looking at the code I suspect that the references to "javax.swing.defaultlf" are a misspelling. It should really have been "swing.defaultlaf".

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
a) Create a signed Java Web Start application that uses the "javax.swing.defaultlf" property to set the default look&feel through a <property ...> element.

b) Start the Java Web Start application

c) Note that Java Web Start warns about a security problem related to the JNLP file.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No security warning related to the JNLP file
ACTUAL -
Security warning related to the JNLP file

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 6u7
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Comments
EVALUATION This is certainly a mistake. The property to change the look & feel in Swing is swing.defaultlaf; the javax.swing.defaultlf property has no effect.
23-06-2009

EVALUATION When the property defined as secure, "javax.swing.defaultlf", is used, there is not any additional security warning, and it is recognized as secure, but as this report points out, this has no effect, since this property is not ever referenced by Swing. When either "javax.swing.defaultlaf" or "swing.defaultlaf" is used, these are not listed as secure, and the additional warnings are displayed (if all-permissions are requested) or the property is ignored (in the sandbox case). Since the property actually used by Swing is "swing.defaultlaf", we should add that to the list of secure properties in secure.c and Config.java. It remains to be tested if the Metal look and feel can be set by this property, since the common deployment code may override the look and feel. If that is the case then this is moot, since neither will actually work, and the customer may actually be seeing an instance of 6845294. We may then need to contact the reporter to verify this is his real problem.
12-06-2009
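
The allow-list behaviour discussed in this report, as an added example that is not part of the bug report or of the JDK sources: it tallies how each `<property>` element of a JNLP file fares against the key list quoted above, and against the same list with "swing.defaultlaf" added as the evaluation proposes. The names `is_secure`, `audit_jnlp`, `before_fix` and `after_fix` are hypothetical, the JNLP fragment is constructed, and the scanner assumes `name` is the first attribute and is double-quoted.

```c
#include <stdio.h>
#include <string.h>

enum outcome { PASSED, WARNED, IGNORED };   /* outcomes named in the evaluation */

/* The 17 keys as listed on this page (secure.c / Config.java). */
#define PAGE_KEYS \
    "sun.java2d.noddraw", "javax.swing.defaultlf", "javaws.cfg.jauthenticator", \
    "swing.useSystemFontSettings", "swing.metalTheme", "http.agent", "http.keepAlive", \
    "sun.awt.noerasebackground", "sun.java2d.opengl", "sun.java2d.d3d", \
    "java.awt.syncLWRequests", "java.awt.Window.locationByPlatform", \
    "sun.awt.erasebackgroundonresize", "swing.noxp", "swing.boldMetal", \
    "awt.useSystemAAFontSettings", "sun.java2d.dpiaware"
static const char *before_fix[] = { PAGE_KEYS, NULL };
/* Change proposed in the evaluation: also list the key Swing actually reads. */
static const char *after_fix[] = { PAGE_KEYS, "swing.defaultlaf", NULL };

/* Constructed sample JNLP fragment (not taken from the bug report). */
static const char sample_jnlp[] =
    "<property name=\"javax.swing.defaultlf\" value=\"x\"/>"
    "<property name=\"swing.defaultlaf\" value=\"x\"/>"
    "<property name=\"http.agent\" value=\"demo\"/>";

/* Exact, length-checked match: a prefix or near-miss spelling never passes. */
static int is_secure(const char *key, size_t n, const char **keys) {
    for (; *keys; keys++)
        if (strlen(*keys) == n && memcmp(*keys, key, n) == 0) return 1;
    return 0;
}

/* Hypothetical helper: tally every <property name="..."> element; returns elements seen. */
static int audit_jnlp(const char *jnlp, const char **keys, int all_perms, int counts[3]) {
    static const char tag[] = "<property name=\"";
    const char *p = jnlp, *end;
    int seen = 0;
    counts[PASSED] = counts[WARNED] = counts[IGNORED] = 0;
    while ((p = strstr(p, tag)) != NULL) {
        p += sizeof tag - 1;
        if ((end = strchr(p, '"')) == NULL) break;   /* unterminated attribute */
        if (is_secure(p, (size_t)(end - p), keys)) counts[PASSED]++;
        else counts[all_perms ? WARNED : IGNORED]++;  /* warning vs. sandbox drop */
        seen++; p = end;
    }
    return seen;
}

int main(void) {
    int c[3], n = audit_jnlp(sample_jnlp, before_fix, 1, c);
    printf("%d properties: passed=%d warned=%d ignored=%d\n", n, c[PASSED], c[WARNED], c[IGNORED]);
    return 0;
}
```

With the list as quoted, the misspelled key passes silently while the key Swing reads is the one that triggers the warning or is dropped in the sandbox.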