JDK-8136687 : DRS1.3: App is not blocked when rule set version is 1.0 and with jnlp-checksum element in ruleset.xml
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • Submitted: 2015-09-17
  • Updated: 2015-09-21
  • Resolved: 2015-09-21
When verifying the fix for JDK-8135115, I found that the "ruleset version=1.0" + "jnlp-checksum" issue is still there.

Steps to reproduce:
1. Import the self CA cert to JCP -> Security -> Manage Certificates -> Signer CA.
2. Set up DeploymentRuleSet.jar:
    It sets the rule set version to 1.0 while including a jnlp-checksum element in ruleset.xml.
    For rule set content, see http://kgb.us.oracle.com:8080/DRS13Manual/lib/DeploymentRuleSet.jar.run-Jnlp-Checksum-Version-kgb/ruleset.xml
3. Open browser and load http://kgb.us.oracle.com:8080/DRS13Manual/html/testApps.html
4. Launch the CA-signed JNLP by clicking the link testCertsignedAllpermissionJNLPNoHref.jnlp in a browser
5. If a valid security warning dialog shows up, then this issue is reproduced.
Expected behavior:
An application blocked dialog saying "Exception parsing Deployment Rule Set file" should show up.

The assertion that the expected behavior is that the app would be blocked when using jnlp_checksum when the DRS version is set to "1.0" is not supported by any internal documentation or the requirements of this feature, so I am closing this. A previous feature, the addition of the "force" attribute in 1.1, specifically had a requirement that in an implementation supporting DRS 1.1, if a DRS file specified both version="1.0" and the "force" attribute, we would throw an error; however, this is not normal behavior. There is no such requirement for this feature (or any other addition since 1.0). Closing as not a bug.

Affected tests: RULE JawsLocalSecurityPolicyTest::testJnlpChecksum_Negative_RuleSetVersion any any
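
A pre-deployment check that mirrors the resolution above, as an added example that is not Oracle's code or part of the original report: a declared version of 1.0 combined with the "force" attribute is reported as an error, while the same version combined with jnlp-checksum is only a warning because the parser accepts it. The sample rule set is constructed, the placement of jnlp-checksum under id is an assumption, and 1.3 as its introducing version is inferred from the "DRS1.3" title.

```python
import xml.etree.ElementTree as ET

# Minimum rule set version per feature, taken from this report only:
# "force" arrived in 1.1 (comment); jnlp-checksum is assumed to be 1.3 (title "DRS1.3").
FORCE_MIN = (1, 1)
JNLP_CHECKSUM_MIN = (1, 3)

# Constructed sample, not the ruleset.xml from the report; element placement is assumed
# and the attributes of jnlp-checksum are omitted.
SAMPLE = """<ruleset version="1.0">
  <rule>
    <id><jnlp-checksum/></id>
    <action permission="run"/>
  </rule>
</ruleset>"""


def parse_version(text):
    """Turn '1.0' or '1.0+' into a comparable tuple such as (1, 0)."""
    return tuple(int(p) for p in text.strip().rstrip("+").split("."))


def lint_ruleset(xml_text):
    """Return (level, message) findings for features newer than the declared version."""
    root = ET.fromstring(xml_text)
    # A missing version attribute is treated as 1.0 here (assumption of this example).
    declared = parse_version(root.get("version") or "1.0")
    findings = []
    # Per the comment: version="1.0" plus "force" is an error in implementations supporting 1.1.
    if declared < FORCE_MIN and any(el.get("force") is not None for el in root.iter()):
        findings.append(("error", "force attribute used with declared version below 1.1"))
    # Per the resolution: no such requirement exists for jnlp-checksum, so the rule
    # set is accepted; flag the mismatch so it is visible before deployment.
    if declared < JNLP_CHECKSUM_MIN and root.find(".//jnlp-checksum") is not None:
        findings.append(("warning", "jnlp-checksum used with declared version below 1.3; "
                                    "the parser does not reject this"))
    return findings


if __name__ == "__main__":
    for level, message in lint_ruleset(SAMPLE):
        print(f"{level}: {message}")
```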