JDK-8136475 : insecure jnlp property even if prefix with "jnlp"
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u51
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • OS: windows_8,windows_10
  • CPU: x86_64
  • Submitted: 2015-09-14
  • Updated: 2016-01-18
  • Resolved: 2016-01-18
Description
J2SE Version (please include all output from java -version flag):
Java Web Start 11.51.2.16
JRE-Version verwenden 1.8.0_51-b16 Java HotSpot(TM) Client VM

Both 1.8.0_66-ea-b02 and 1.8.0_60-b27

Does this problem occur on J2SE 6ux or 7ux?  Yes / No (pick one)
Not tested.

Operating System Configuration Information (be specific):
* Windows 8.1
* Windows 10

Hardware Configuration Information (be specific):

Bug Description:
We receive the following error in the console:
Insecure property: (jnlp.codebase, http://localhost:8080/url%20with-space/) specified in unsigned jnlp file will not be set.

As a result our program crashes with an NPE. If the value does not contain a %20 then it works. This is completely unexpected because the property is prefixed with "jnlp.". We do not have a signed jnlp file, but it should work with every value if the property name is prefixed with "jnlp.".

Steps to Reproduce (be specific):
The jnlp looks like:
<?xml version="1.0" encoding="utf-8"?>
<jnlp codebase="http://localhost:8080/url%20with-space/">
    <information>
        <title>App Title</title>
        <vendor>App Vendor</vendor>
    </information>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="app.jar" main="true" download="eager"/>
        <property name="jnlp.codebase" value="http://localhost:8080/url%20with-space/"/>
    </resources>
    <application-desc main-class="AppMain">
        <argument>Cookie=JSESSIONID=1;SESSIONID=1</argument>
    </application-desc>
</jnlp>
Comments
Ingrid, I submitted new CR for documentation: JDK-8147555
18-01-2016

It is not a problem with the URL of the JNLP file. The reason why jnlp.codebase is rejected is that it contains '%', which is a special character. For security reasons, the following characters are specifically not allowed in property values: " and %. Using either of these characters in a key or value could lead to incorrect command line parsing. The workaround is to use the space character directly in the value of the property. As another workaround, you can encode the value of the property, for example with base64, and then decode it in the application code.
18-01-2016
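
The Base64 workaround described in the comment above, shown as an added example that is not part of the original report or of Oracle's code. The property name jnlp.codebase.b64 and the class name are hypothetical, and the System.setProperty call in main stands in for Java Web Start setting the property at launch.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JnlpPropertyCodec {
    // Hypothetical property name; the "jnlp." prefix is kept as in the report.
    static final String PROP = "jnlp.codebase.b64";

    // Per the engineer's comment, '"' and '%' are not allowed in property values.
    static boolean hasForbiddenChar(String value) {
        return value.indexOf('"') >= 0 || value.indexOf('%') >= 0;
    }

    // URL-safe Base64 without padding yields only A-Z, a-z, 0-9, '-' and '_'.
    static String encode(String raw) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Application side: read the property and decode it; fail with a clear
    // message instead of an NPE when the property was not set.
    static String readCodebase() {
        String encoded = System.getProperty(PROP);
        if (encoded == null) {
            throw new IllegalStateException("Property " + PROP + " is not set");
        }
        try {
            return new String(Base64.getUrlDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("Property " + PROP + " is not valid Base64", e);
        }
    }

    public static void main(String[] args) {
        String codebase = "http://localhost:8080/url%20with-space/"; // value from the report
        String encoded = encode(codebase);
        System.out.println("raw value rejected:     " + hasForbiddenChar(codebase));
        System.out.println("encoded value rejected: " + hasForbiddenChar(encoded));
        System.out.println("<property name=\"" + PROP + "\" value=\"" + encoded + "\"/>");

        // Constructed stand-in for Java Web Start setting the property at launch.
        System.setProperty(PROP, encoded);
        System.out.println("decoded in application: " + readCodebase());
    }
}
```

The printed property element is what would go into the resources section of the JNLP file in place of the raw value.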

According to the engineer, this is desired behavior caused by a security fix, i.e. the characters " and % are not allowed in JNLP property values, so this limit should be documented. Could not find it at https://docs.oracle.com/javase/8/docs/technotes/guides/javaws/developersguide/syntax.html
04-01-2016

Fails with the latest 8u65 EA builds as well.
22-09-2015

Also known to fail with 8u60 and 8u66.
15-09-2015