JDK-7023399 : Signed applets with jnlp all-permissions do not work
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u24
  • Priority: P3
  • Status: Closed
  • Resolution: Cannot Reproduce
  • OS: windows_7
  • CPU: x86
  • Submitted: 2011-03-01
  • Updated: 2012-10-01
  • Resolved: 2012-08-24
The Version table lists the release in which this issue/RFE will be or has been addressed:

  • Unresolved: release in which this issue/RFE will be addressed.
  • Resolved: release in which this issue/RFE has been resolved.
  • Fixed: release in which this issue/RFE has been fixed; the release containing the fix may be available for download as an Early Access Release or a General Availability Release.

JDK 7: 7u40 (Resolved)
Description
FULL PRODUCT VERSION :
1.6.0_24


ADDITIONAL OS VERSION INFORMATION :
Windows version 6.1.7601

A DESCRIPTION OF THE PROBLEM :
After update 24, signed applets do not work anymore. The problem is with permissions. Firefox gives a very uninformative jnlp parse exception (as if the applets were not signed), and IE 9 reports a Security exception when the applet is trying to open a JFileChooser or get the user.dir system property.

Granting all permissions with no restrictions in the user's .java.policy helps, but not if you restrict it by 'signedBy' or 'codebase'. It is impossible to tell clients they have to grant all permissions to all applets.

REGRESSION :
Last worked in version 6

REPRODUCIBILITY :
This bug can be reproduced always.

SUPPORT :
YES

Comments
EVALUATION

http://www.pixware.fr/_download/APPLET_BUG.tar.gz
http://www.pixware.fr/_download/APPLET_BUG/index.html

Both links are broken now.

If it is a LiveConnect call (js) to signed applet code, the call will be treated as running in the sandbox too, because the js code is unsigned. Developers should be careful not to expose APIs in their applets which would accidentally confer additional privileges on untrusted JavaScript code by using AccessController.doPrivileged indiscriminately. Developers who must grant elevated privileges to JavaScript code are encouraged to serve their applets over verifiable HTTPS connections, and to perform checks to ensure that the document base of the web page hosting the applet is the same as the expected origin of the applet's code.

Security Model of JavaScript-to-Java Calls:
http://jdk6.java.net/plugin2/liveconnect/#SECURITY_MODEL
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html#jsNote
2012-08-24
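The evaluation above makes a point that is easy to miss when debugging an all-permissions applet: a public applet method reached from page JavaScript runs with sandbox permissions, and wrapping it in AccessController.doPrivileged quietly hands the signed code's full grant to whatever script is on the hosting page. The following applet is an added illustration written for this page, not code from the bug report or from the JDK; the class name, method names and the EXPECTED_HOST value are assumptions. It shows a doPrivileged wrapper exposed to LiveConnect beside the document-base check the evaluation recommends.

```java
import java.applet.Applet;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical signed applet (assumed to run with jnlp all-permissions).
// Names and the expected host are constructed for this example.
public class UserDirApplet extends Applet {

    // Origin the applet expects to be hosted from; assumed value.
    private static final String EXPECTED_HOST = "example.invalid";

    // RISKY: any JavaScript on the hosting page can call this public method
    // through LiveConnect. The script is unsigned, so the call is treated as
    // sandboxed, and doPrivileged here lends it the applet's full grant
    // without any check on who the caller is.
    public String getUserDirUnchecked() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty("user.dir");
            }
        });
    }

    // SAFER: only elevate after confirming the page that embeds the applet is
    // the one we expect. getDocumentBase() is the Applet API the evaluation
    // refers to; the applet must be served over HTTPS so the document base
    // cannot be tampered with in transit.
    public String getUserDirChecked() {
        if (!hostedByExpectedOrigin(getDocumentBase())) {
            throw new SecurityException(
                "applet embedded from an unexpected document base");
        }
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty("user.dir");
            }
        });
    }

    // Origin check: require https and an exact host match. A null document
    // base (applet not hosted by a page) is treated as a failure.
    static boolean hostedByExpectedOrigin(URL documentBase) {
        return documentBase != null
            && "https".equalsIgnoreCase(documentBase.getProtocol())
            && EXPECTED_HOST.equalsIgnoreCase(documentBase.getHost());
    }
}
```

The check belongs in the applet, not in the page script: JavaScript on an attacker-controlled page could embed the same signed JAR, and only the applet's own view of getDocumentBase() tells it whether it has been re-hosted. Keeping doPrivileged blocks as small as possible (one property read here, not an arbitrary file operation) limits what a caller gains even if the check is ever bypassed.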

EVALUATION Clearly not all signed applets are failing, as they work for most users. We need more details before we can evaluate this problem: a full trace log, a link to the application or at least the JNLP file, etc.
2011-05-16