JDK-8037417 : javaws fails to launch app with empty href in jnlp file if Application-Library-Allowable-Codebase is used
  • Type: Bug
  • Component: deploy
  • Affected Version: 8u11
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-03-14
  • Updated: 2015-07-15
  • Resolved: 2014-09-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9
7u79Resolved 8u31Fixed 9Fixed
Description
If CA signed app has Application-Library-Allowable-Codebase attribute in its manifest and JNLP file has an empty href element then launching this app using javaws fails with Application Blocked Exception.


Comments
Impact: High, app fails to start Likelihood: Low , affects only CA signed Javaws apps that use "Application-Library-Allowable-Codebase" while having an empty "href" attribute in the JNLP file Workaround:Low, specify a non empty value for "href" attribute in JNLP file. ILW =HLL =>Proirity P4
17-03-2014

If CA signed jar has a manifest with Application-Library-Allowable-Codebase attribute. e.g. "Application-Library-Allowable-Codebase: http://dan http://localhost" then launching app using javaws (javaws http://localhost:8080/Tests/TestApp/ImgApplet2.jnlp ) results in application blocked exception. The problem is that validation of allowable codebase fails if href attribute in jnlp is empty. The debug showed that the problem appears since AppInfo.mainJNLP URL is set in this case to file:/c:/tag9872907981234for.jnlp and this fails matching codebase pattern http://dan http://dan http://localhost) specified in the manifest. It happens in LaunchDesc.getJNLPSrcForAppInfo() which calls AppInfo.getJNLPFromUnknownSource(); if href is null. These changes were added as a part of JDK-8025754. private URL getJNLPSrcForAppInfo() { // first try _home URL best = getRealLocation(); if (best == null) { // Must be a local JNLP file and we don't know where it came from // case where file is downloaded external to Java best = AppInfo.getJNLPFromUnknownSource(); } return best; }
14-03-2014