JDK-6944548 : Restore no-codebase feature from 6u18 removed in 6u20
  • Type: Enhancement
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6u20,6u21
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,solaris_8
  • CPU: generic,x86
  • Submitted: 2010-04-16
  • Updated: 2011-05-26
  • Resolved: 2011-03-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7
7 b126Fixed
Related Reports
Duplicate :  
JDK-6959987 - JNLP applications should get launched only if proper/valid codebase is specified inside the JNLP
Relates :  
JDK-7012272 - typo in Deployment toolkit javascript function launchWebStartApplication
Relates :  
JDK-6972165 - Relax the jnlp specification of a signed jnlp file.
Relates :  
JDK-7005789 - Umbrella: Common Deployment code update for supporting Fx applications
Description
FULL PRODUCT VERSION :
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7600]

A DESCRIPTION OF THE PROBLEM :
Now that 6u20 mandates a codebase url in the jnlps it is now for us impossible anymore to create a webstart application that will not give you a warning dialog about security issues...

This because webstart complains about jnlp files that are not signed. But how can customers of us now deploy our product on there machines? We have to generate the right codebase into the jnlp's but if we do that then how can we sign it?

Please drop the restriction that jnlp files need to be signed, because thats just impossible to do. Please if you see any other way tell me, but i have no more idea's how to get our application installed without the need for a warning dialog.

A information dialog where users can press on install (like the extension installation information dialog) thats fine. But we just cant have that users get a dialog: The applications digital signature cannot be verified. Do you want to run this application? With a big Warning icon.

First of all every jar in the jnlp file is signed, the signature is trusted and can be verified. So that title is very very misleading.. If you then press on More Information then yes you see that the jnlp file is not signed. But users have no idea what that is so they still think it is not safe, but it it perfectly valid.



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
That we get a Information dialog telling use that they are going to install the Servoy application, not a warning dialog with a message that the digital signature cannot be verified.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
I dont see any workaround anymore.
its just impossible for us to use our product in a webstart without getting a security dialog.

SUPPORT :
YES

Release Regression From : 6u19
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.
Comments
EVALUATION Re-implement the no-codebase feature. the deployJava.js API/implementation is the same, but with a new plugin implementation on how to launch javaws. We will modify the plugin to detect for jnlp params in the object/embed tag. if both launchjnlp and docbase params is found, the plugin will create a temp file on the system, with contents: docbase=<from docbase param> jnlphref=<from launchjnlp param> And then simply invoke "javaws -nocodebase c:\pathtotempfile". javaws native launcher will simply pass this to the java code. Our webstart Java code will then read in the temp file and re-construct the JNLP url, and have webstart to fetch the JNLP. This way, the user specified args will not get into any command line arguments for process creation. Also, this is basically the same as what browser do to invoke a jnlp href link too. (browser download jnlp to a temp location (e.g c:\sometempath) , and invoke javaws c:\sometemppath). The temp file will be deleted by the java code after.
12-01-2011
SUGGESTED FIX http://closedjdk.sfbay.sun.com/jdk7/deploy/deploy/rev/82238a50d841
12-01-2011
EVALUATION Perhaps we can relax identity check for the signed jnlp files? I.e. if we have signed JNLP file then we can require it to be partially identical to original JNLP file used to load this signed jar. If codebase in the original JNLP and signed JNLP are different - this is acceptable difference. To prevent redistribution we may only allow this if codebase in the embedded JNLP file is empty.
18-05-2010
EVALUATION two complaints in this bug: 1. removal of no-codebase feature in 6u20. this is due to a security bug fix. more time is needed to find out a good way to implement it, and re-introduce it in a future release. 2. improve wording of the our security dialog for signed applications. this is a rfe.
18-05-2010