J2SE Version (please include all output from java -version flag):
java version "1.6.0_03-ea"
Java(TM) SE Runtime Environment (build 1.6.0_03-ea-b02)
Java HotSpot(TM) Client VM (build 1.6.0_03-ea-b02, mixed mode, sharing)
(This is the old update 3...before it was pushed back to update 4.)
Does this problem occur on J2SE 1.4.x or 5.0.x ? Yes / No (pick one)
No
Operating System Configuration Information (be specific):
Windows XP PRO SP2
IE 7.0
Hardware Configuration Information (be specific):
Sony VAIO laptop 2.8 GHz
1.25 GB RAM
Bug Description:
When setting up the webserver (that holds the jnlp and jar files) to force certificate
authentication of SSL, webstart brings up the confirmation dialog way too many times.
Maybe about once for every jar file. In my test case it is between 20 and 30 times.
However, after the download starts, all the rest seem to be cancelable with no adverse
effects.
This seems to only happen when an update is detected.
There is also the possibility that the dialogs will be created in such a fashion that
the certificate dialog is blocked by modality constraints and the only thing that can
be done is cancel the download process. (Since the download seems to be waiting on the
certificate dialog, yet the certificate dialog is inaccessible since it is "behind"
the download dialog.)
This modal blocking seems a bit rare for me. However, when this happened the next
jnlp access did not act as I expected.
What I expected to happen after I canceled the download, was that when I clicked on
the jnlp link again, it would bring up 20-30 certificate dialogs and download the
application. What actually happened is that it just downloaded the application, with
maybe one certificate dialog (not the 20-30 I expected).
I have two certificates installed in my browser and when this confirmation dialog
comes up I need to choose a certificate. Possibly if I had just one certificate
this would not have been so noticeable.
I think people using smart cards or something to hold their certificates are going to
have problems with Java 6.0, since the card may hold several certificates and they
will need to type in a password. I have sent several bugs on these types of issues
before and am getting frustrated. It seems that the webstart team has no test case for
this. If our clients that use certificate authentication ever upgrade to Java 6,
this is going to be a HUGE problem for us.
Please, please, please address these issues and create a test case that uses smart
cards and multiple client certificates.