JDK-8201133 : Security check failure for main jar downlaod with jnlp.versionEnabled and Deployment Rule Set feature
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u161
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: other
  • CPU: x86
  • Submitted: 2018-04-04
  • Updated: 2018-10-16
  • Resolved: 2018-04-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8
8u181Fixed
Description
FULL PRODUCT VERSION :
build 1.8.0_161

ADDITIONAL OS VERSION INFORMATION :
Windows 10

A DESCRIPTION OF THE PROBLEM :
When using the  <property name="jnlp.versionEnabled" value="true"/> in a JNLP file with the following naming convention <JAR file name>__V<version number>.jar for binaries, application fails to launch for security reason if JAR files are autosigned.
@see https://docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/avoidingUnnecessaryUpdateChecks.html
 
This is always true unless using a specific deployment rule. Indeed, a way for enterprises to continue using JavaWebStart legacy business applications in their environment is to use the Deployment Rule Set feature.
@see https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_rules.html

Unfortunately the version-based download protocol passes through the security check implemented with this Deployment Rule Set feature.
 


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
A  formal DeploymentRuleSet.jar file must be set and properly signed with a valid certificate from a trusted authority

JAR files referenced in the JNLP sample must be signed with a non valid certificate but defined in the ruleSet.xml 

Disable temporary files in general JAVA settings

The JAR files repository must not support the classical version-based download protocol like when using a JnlpDownloadServlet  
@see https://docs.oracle.com/javase/8/docs/technotes/guides/javaws/developersguide/downloadservletguide.html

Instead add <property name="jnlp.versionEnabled" value="true"/> in JNLP file and use the following naming convention <JAR file name>__V<version number>.jar with files in the repository 



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application should launch normally


ACTUAL -
Application is bloqued by a java security dialog

Note : 
When sniffing TCP request one can see a 6 times try request with URL  http://<site>/<main_jar_href>.jar&version-id=<version_value> for the main jar download
following by http://<site>/<main_jar_href>__V<version_value>.jar

The first 6 times failure looks normal when download protocol with query parameter &version-id is not handled by the repository server (tomcat jetty etc...)

But the last request with version naming convention in the URL should have been called instead when using <property name="jnlp.versionEnabled" value="true"/> 
Strangely, this is what happened for all other JAR download request but the main one. It starts trying download with URL like <JAR file name>__V<version number>.jar, then try with the casual &version-id query parameter one.

Unfortunately it passes through the security check implemented with this Deployment Rule Set feature.

It behaves normally when a valid certificate is used because a specific RuleSet is not required.



REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
If temporary file is enable in JAVA settings the failure occurs only once, then application can be launched normally. It sounds logical since there is no need to perform update check with up-to-date files stored in cache.

Another workaround is to use a JnlpDownloadServlet like to deal with the classical version-based dowload protocol.
Comments
CPU18_07-critical-request - Justification : broken feature, customer and sustaining request - Risk Analysis : Low. - Testing (done/to-be-done) : Tested by manually running above testcase - Back ports (done/to-be-done) : none - FX Impact : N/A - Fix For Release : 8u181
18-04-2018
There is not really a testcase listed here, but one shouldn't be hard to create. The problem occurs when the initial download of the main jar is done from the code looking to get the checksum of the code signing certificates for the main jar, in order to compare against a DRS rule with a certificate hash. The code using "jnlp.packEnabled" should be symmetrical to the code using "jnlp.versionEnabled". In all other cases it is, but in constructing a CodeRef, the packEnabled flag is passed in, and the versionEnabled is not. Then in CodeRef.getResource(), the state of pack200 flag is used to determine if the download should use pack200, but nothing is done related to versionEnabled, and only a non-version enabled download is attempted. It should be relatively strait forward to fix this.
10-04-2018
Application fails to launch due to security reasons if using <property name="jnlp.versionEnabled" value="true"/> in a JNLP file and the JAR files are autosigned. This seems to be overcome by enterprise while using DRS feature. However, the version-based download protocol passes through the security check implemented with this DRS feature restrict this scenario.
05-04-2018