[icedtea-web] RFC: PR822: Applets fail to load if jars have different signers

Danesh Dadachanji ddadacha at redhat.com
Thu Feb 2 09:30:14 PST 2012

On 26/01/12 02:55 PM, Deepak Bhole wrote:
> Hi,
> This patch fixes PR822:
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=822
> It makes it so that applets do not require all jars to have a single
> signer (which is not mandated by the spec). After the patch, sites like
> the one mentioned in the bug (https://bcee.snet.lu/) now work.


I believe your logic for the if-statement in JNLPClassLoader is 
incorrect. Specifically if this is an applet, it does not need to be 
checked for multiple jars having a common signer. It actually depends on 
whether or not the applet is being run from a JNLP file. If it is, 
then we definitely have to check for a common signer.

If the applet is run via 'javaws' using a JNLP file (using 
<applet-desc>) OR if the applet is run via the plugin using jnlp_href, 
the check should be run. If this applet has no common signer among its 
multiple jars, it should not be allowed to run. Note that running 
applets using javaws doesn't work ATM but we should still consider this 

Another way of putting it (for the if condition's sake) is that if this 
is an applet being run from the plugin AND NOT using jnlp_href (i.e. 
using applet/embedded tag instead), then the jars do NOT need to be 
checked for a common signer.

+            // Case when at least one jar has some signing
+            // For permissions to be given, we need:
+            // 1. Something is signed
+            // 2. This is an applet
This should be replaced with // 2. This is an applet being run by the 
plugin without jnlp_href
+            // 3. OR, if this is NOT an applet, all jars have the same 
The "this is NOT an applet" bit should be removed. I think this should 
also be changed to "OR all jars have at least one common signer" since, 
to me, "the same" implies there's just one.

+            if (js.anyJarsSigned() // signed
+                    && (getJNLPFile().isApplet() // and an applet
+                            || (!getJNLPFile().isApplet() // OR, NOT an 
+                                    && 
js.isFullySignedByASingleCert()))) { // AND fully signed by a single cert
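
Review bot: In the if condition, an applet passes on js.anyJarsSigned() alone, so an applet with one signed jar plus unsigned jars, or jars from unrelated signers, reaches the branch that the comment above describes as "For permissions to be given". The comment block should state how permissions are then scoped for the jars that are unsigned or signed by someone else, and the code should make sure they do not inherit the signed jars' permissions. Separately, the !getJNLPFile().isApplet() term in the second branch is redundant, since A || (!A && B) reduces to A || B; dropping it leaves js.anyJarsSigned() && (getJNLPFile().isApplet() || js.isFullySignedByASingleCert()).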

Logic from above in code
             if (js.anyJarsSigned() // signed
                     && ((getJNLPFile() instanceof PluginBridge
                             && !((PluginBridge)getJNLPFile()).useJNLPHref()) // and an applet not using jnlp_href
                         || js.isFullySignedByASingleCert())) { // AND fully signed by a single cert

(hope this indenting gets through and isn't wrapped..)

The useJNLPHref() function is from my patch in review here:

I believe this logic handles all the weird applet cases where they use 
JNLPs. What do you think?
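
The two conditions discussed in this message, compared across launch modes, as an added example that is not part of the original post or the IcedTea-Web code. The LaunchMode enum and the boolean parameters are hypothetical stand-ins for getJNLPFile().isApplet(), PluginBridge.useJNLPHref(), js.anyJarsSigned() and js.isFullySignedByASingleCert().

```java
// Added illustration; not IcedTea-Web code. All names below are hypothetical.
public class SignerCheckComparison {
    enum LaunchMode {
        PLUGIN_APPLET_TAG(true, false),   // applet/embedded tag in the plugin
        PLUGIN_JNLP_HREF(true, true),     // plugin applet using jnlp_href
        JAVAWS_APPLET_DESC(true, true),   // javaws with <applet-desc>
        JAVAWS_APPLICATION(false, true);  // ordinary JNLP application

        final boolean isApplet;
        final boolean fromJnlp;

        LaunchMode(boolean isApplet, boolean fromJnlp) {
            this.isApplet = isApplet;
            this.fromJnlp = fromJnlp;
        }
    }

    // Condition as written in the patch under review.
    static boolean patchCondition(LaunchMode m, boolean anySigned, boolean commonSigner) {
        return anySigned && (m.isApplet || (!m.isApplet && commonSigner));
    }

    // Condition proposed in the reply: only a plugin applet that does not
    // use jnlp_href may skip the common-signer check.
    static boolean proposedCondition(LaunchMode m, boolean anySigned, boolean commonSigner) {
        boolean pluginWithoutJnlpHref = m.isApplet && !m.fromJnlp;
        return anySigned && (pluginWithoutJnlpHref || commonSigner);
    }

    public static void main(String[] args) {
        boolean[] flags = {false, true};
        for (LaunchMode m : LaunchMode.values()) {
            for (boolean anySigned : flags) {
                for (boolean common : flags) {
                    if (common && !anySigned) continue; // a common signer implies signed jars
                    boolean p = patchCondition(m, anySigned, common);
                    boolean q = proposedCondition(m, anySigned, common);
                    System.out.printf("%-20s anySigned=%-5b commonSigner=%-5b patch=%-5b proposed=%-5b%s%n",
                            m, anySigned, common, p, q, p != q ? "  <-- differs" : "");
                }
            }
        }
    }
}
```

The two conditions differ only for PLUGIN_JNLP_HREF and JAVAWS_APPLET_DESC when some jar is signed but there is no common signer, which are the cases the reply says should not be allowed to run.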

