JDK-8031579 : Spurious Missing Manifest Permissions Attribute Warning When Launching versioned Java Web Start app
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 7u55,8
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_vista
  • CPU: x86
  • Submitted: 2014-01-13
  • Updated: 2016-10-27
  • Resolved: 2014-01-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u55Fixed 8u20Fixed 9Fixed
Related Reports
Duplicate :  
Duplicate :  
A Java Web Start application triggers a spurious missing manifest permissions warning, if jar versioning 
is used in the jnlp file.
So, two versions of the same application bejhave differently:
(1) no jar versioning is used in jnlp file: no yellow warning is shown in the security warning
(2) jar versioning is used in jnlp file: yellow warning about missing manifest permissions attribute is shown 
     in the security warning
The behaviour was verified using 32-bit Java SE 7 Update 51 (b13) on Windows Vista SP2.

As workaround can disable flag "Keep temporary files on my computer" in Java Control Panel

SQE OK to take this fix into CPU14_02

webrev: http://oklahoma.us.oracle.com/www/webrevs/aherrick/1.8.0_05/8031579/deploy/webrev/ curcible review: https://java.se.oracle.com/code/cru/CR-JDK8CPU-169

real problem (beyond above and more serious) is that DeployManifestChecker.verify() does not work for versioned resources in javaws at all ! in plugin we call: verify() uses String jarVersion = (String) ToolkitStore.get().getAppContext().get( Config.APPCONTEXT_KEY_PREFIX + jarLocation); to get the version. This is set in plugin from JNLP2Manager: ToolkitStore.get().getAppContext().put( Config.APPCONTEXT_KEY_PREFIX + url.toString(), jardesc.getVersion()); but there is no corrisponding code in Java Web Start.

Not quite sure why this works in the non-versioned case, but problem seen is that AppPolicy.grantUnrestrictedAccess() calls ld.getAppInfo() twice, once for the AppInfo used in ManifestChecker.verify(), then again in for the AppInfo used in the call to TrustDecider.isAllPermissionsGranted.

in JDK 8, where the Permission attribute is required at all levels, this warning still shows for versioned jars. This indicates DeployManifestChecker.verifyMainJar() is correctly getting the permissions attribute. However, the mechanism to set the Permissions Attribute flag in the AppInfo structure in DeployManifestChecker.verify() is not working, or the same AppInfo is not being used when finally displaying the security dialog.