JDK-8031579 : Spurious Missing Manifest Permissions Attribute Warning When Launching versioned Java Web Start app
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 7u55,8
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_vista
  • CPU: x86
  • Submitted: 2014-01-13
  • Updated: 2016-10-27
  • Resolved: 2014-01-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9
7u55Fixed 8u20Fixed 9Fixed
Related Reports
Duplicate :  
JDK-8032922 - Incorrect warning that the application does not have a Permissions attribute
Duplicate :  
JDK-8168837 - "manifest does not contain the Permissions attribute" when versioning resources
Description
A Java Web Start application triggers a spurious missing manifest permissions warning, if jar versioning 
is used in the jnlp file.
So, two versions of the same application bejhave differently:
(1) no jar versioning is used in jnlp file: no yellow warning is shown in the security warning
(2) jar versioning is used in jnlp file: yellow warning about missing manifest permissions attribute is shown 
     in the security warning
The behaviour was verified using 32-bit Java SE 7 Update 51 (b13) on Windows Vista SP2.
Comments
As workaround can disable flag "Keep temporary files on my computer" in Java Control Panel
21-01-2014
SQE OK to take this fix into CPU14_02
17-01-2014
webrev: http://oklahoma.us.oracle.com/www/webrevs/aherrick/1.8.0_05/8031579/deploy/webrev/ curcible review: https://java.se.oracle.com/code/cru/CR-JDK8CPU-169
15-01-2014
real problem (beyond above and more serious) is that DeployManifestChecker.verify() does not work for versioned resources in javaws at all ! in plugin we call: verify() uses String jarVersion = (String) ToolkitStore.get().getAppContext().get( Config.APPCONTEXT_KEY_PREFIX + jarLocation); to get the version. This is set in plugin from JNLP2Manager: ToolkitStore.get().getAppContext().put( Config.APPCONTEXT_KEY_PREFIX + url.toString(), jardesc.getVersion()); but there is no corrisponding code in Java Web Start.
14-01-2014
Not quite sure why this works in the non-versioned case, but problem seen is that AppPolicy.grantUnrestrictedAccess() calls ld.getAppInfo() twice, once for the AppInfo used in ManifestChecker.verify(), then again in for the AppInfo used in the call to TrustDecider.isAllPermissionsGranted.
14-01-2014
in JDK 8, where the Permission attribute is required at all levels, this warning still shows for versioned jars. This indicates DeployManifestChecker.verifyMainJar() is correctly getting the permissions attribute. However, the mechanism to set the Permissions Attribute flag in the AppInfo structure in DeployManifestChecker.verify() is not working, or the same AppInfo is not being used when finally displaying the security dialog.
13-01-2014