1.) Signed jnlp files are difficult to use because of the requirement that every field in the staged jnlp file exactly match every byte in the jnlp file in the signed jar. This prevents using JnlpServlet with (for example) $$codebase. There should either be some wildcard specification so the jnlp file in the signed jar could express exactly which fields it requires to match, or some other change of rules, such as requiring only that the jnlp file used match the fields that exist in the jnlp file in the jar.

2.) The specification says: "The signed copy must be named: JNLP-INF/APPLICATION.JNLP. The APPLICATION.JNLP filename should be generated in upper case, but should be recognized in any case." The current code checks for any possible capitalization of JNLP-INF, which is not what the spec says.

Making signed jnlp files easier to use would strengthen the security of signed content, preventing these signed jars from being used in (possibly malicious) ways not envisioned by their developers and signers.
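The two points above can be checked at packaging time with a short script. This is an added example, not code from Java Web Start: the function names, the sample jnlp content and the URL are constructed, the jar is built in memory and is not signed, and only the entry name and byte comparison are checked, not the signature itself.

```python
import io
import zipfile

SIGNED_DIR = "JNLP-INF/"          # directory part: matched exactly (the report's reading of the spec)
SIGNED_NAME = "application.jnlp"  # file part: recognized in any case


def find_signed_jnlp(names, strict_dir=True):
    """Return the jar entry names that qualify as the signed JNLP copy."""
    hits = []
    for name in names:
        head, sep, tail = name.rpartition("/")
        directory = head + sep
        # strict_dir=False mimics the behaviour the report describes:
        # any capitalization of JNLP-INF is accepted.
        dir_ok = directory == SIGNED_DIR if strict_dir else directory.upper() == SIGNED_DIR
        if dir_ok and tail.lower() == SIGNED_NAME:
            hits.append(name)
    return hits


def check_staged_jnlp(jar_bytes, staged_bytes, strict_dir=True):
    """Compare the staged JNLP with the copy inside the jar, byte for byte."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = find_signed_jnlp(jar.namelist(), strict_dir)
        if len(hits) != 1:
            return "no-signed-copy" if not hits else "ambiguous"
        return "match" if jar.read(hits[0]) == staged_bytes else "mismatch"


def make_jar(entry_name, content):
    """Build a constructed in-memory jar; only the entry layout matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(entry_name, content)
    return buf.getvalue()


# Constructed sample: the template as packaged, and what a servlet would serve
# after replacing $$codebase with a deployment URL.
TEMPLATE = b'<jnlp codebase="$$codebase" href="app.jnlp"/>\n'
SERVED = TEMPLATE.replace(b"$$codebase", b"https://apps.example.test/")

if __name__ == "__main__":
    jar = make_jar("JNLP-INF/Application.jnlp", TEMPLATE)
    print(check_staged_jnlp(jar, TEMPLATE), check_staged_jnlp(jar, SERVED))
    odd = make_jar("jnlp-inf/APPLICATION.JNLP", TEMPLATE)
    print(check_staged_jnlp(odd, TEMPLATE), check_staged_jnlp(odd, TEMPLATE, strict_dir=False))
```

The served file fails the comparison as soon as $$codebase is substituted, which is the usability problem in point 1; the lower-case directory is found only when strict_dir is off, which is the divergence in point 2.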