Icedtea-web bugs

Michael Pritt michael.pritt at westringtechnologies.com
Tue Apr 23 01:06:36 UTC 2019 

Please forgive for sending this out again, but we have not have had a satisfactory resolution, and we felt that perhaps the issue is being lost.  We have been using java's web start for many years.  Recently we have decided to migrate to Java 11 from Java 8 and use IcedTea-web.  No program changes have been made with the exception of what was needed to migrate to Java 11.  It verifies and downloads the jars properly, but when the application runs we get security exceptions.  We are using icedtea-web 1.8 and more specifically installed icedtea-web using the msi installer.

It seems to be a bug when java's web start works, but icedtea-web does not work.  We wonder if there aren't some security changes that have been made from java 8 to java 11 that aren't being adequately handled by icedtea-web.  All our jars are signed correctly.  It looks like that the right permissions are not being set for the internal java classes dealing with security and JNLP.  The security denials are coming when the standard packages like jgss are being loaded and initialized...standard packages like jdk.crypto.cryptoki, java.xml.crypto, jdk.security.jgss, java.smartcardio, etc.

Some of the ouput
Denying permission: ("java.lang.RuntimePermission" "accessClassInPackage.sun.security.util")
Denying permission: ("java.security.SecurityPermission" "putProviderProperty.XMLDSig")
Denying permission: ("java.lang.RuntimePermission" "accessClassInPackage.sun.security.util")
Denying permission: ("java.lang.RuntimePermission" "accessClassInPackage.sun.security.util")
Denying permission: ("java.lang.RuntimePermission" "accessClassInPackage.sun.security.util")
Denying permission: ("java.lang.RuntimePermission" "loadLibrary.sunmscapi")
Denying permission: ("java.util.PropertyPermission" "sun.security.jgss.native" "read")

Our jnlp file has always specified all permissions and when we sign our libraries (i.e. our jars) they are marked as trusted and requesting all permissions.  Like I said this has been working with java's web start for years.  When we forcefully modify icetea-web's config (i.e. create a java.policy file) and specify that the url is to have all permissions it works (of course that is as it should, but we shouldn't have to do that).

Our second issue is that the desktop shortcut on windows is not created correctly.  The target executable is wrong (path), and the icon is not recognized as specified in the jnlp file.

For both issues we've tested through the browser and by command line and neither work.

If you are already familiar with these issues, and they have resolutions then great perhaps we need to wait for the latest, otherwise please provide us the best way to log a bug and hopefully a resolution can be found.

Thanks,

Mike Pritt



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20190423/478b1548/attachment.html>

More information about the distro-pkg-dev mailing list