JDK-8046211 - why won't fix?

[Richard Kettelerij]

Hi,

I'm tracking issue JDK-8046211 and noticed today it was resolved as "won't
fix" without any comment. I'm curious as to why it was closed?

Our situation: We have a Java applet consisting of 4 jar files and a JNLP
file. These files are served over HTTPS from a public webserver (no
authentication required). The applet contains an up-to-date manifest with
all the entries required since the new Java security baseline. The
applet/JNLP file is accessed from a web application using Javascript
(deployJava.js). All interaction with the applet is through Javascript.
The web application itself runs on a different server and is protected
using client certificates (2-way SSL) and basic authentication.

Now until Java 7u55 everything worked fine. When loading the applet only
one popup was displayed asking the user to trust the applet (which is
properly signed) and that was all.

However since 7u55 (also 7u60) things have changed: the applet loads fine
but as soon as we call a method on the applet (though LiveConnect) the Java
VM displays a popup asking the user to select a client certificate and
thereafter asks the user to authenticate using BasicAuth.

Important note: the user doesn't actually has to select a valid certificate
or enter any credentials. If the user cancels any of the dialogs the applet
continues to function properly. Logging shows the applet is using the same
cookie as the browser so authentication against the server isn't actually
taking place. Basically the Java VM is prompting for authentication dialogs
for no good reason because the user is already authenticated with a browser
cookie.

Prior to 7u55 we didn't experience this issue (we have users with 7u40,
7u45 and 7u51). Altogether it appears we encountered JDK-8046211, which has
the characteristics of a regression issue. If you guys need any logging or
additional information I'd be happy to help.

Regards,
Richard