The packager generates a jnlp file with: <jfx:details> <jfx:certificate-path> ... </jfx:certificate-path> </jfx:details> in this case, the certificate is pre-verified (while the jars are downloaded) using a CodeSource that has this certificate but a location based on the jnlp file. The code in TrustDecider.checkMainJarManifest() assumes the CodeSource refers to a jar, and tries to open that jar to see if it has the main class, and if so if it has a permission manifest attribute. When the exception is caught from : new JarFile(ResourceProvider.get().getCachedResourceFilePath(cs.getLocation(), ver), false); a SecurityException is thrown, and the app is blocked for not having a permissions attribute. We need to recognize this situation and not block
|