JNLP with unsigend resources is no longer loaded with SunJDK 7U45

Bernd Eckenfels bernd-2013 at eckenfels.net
Wed Oct 16 03:01:05 UTC 2013


Hello,

sadly I noticed another regression with the Oracle JDK 7U45: it will  
refuse to load an JNLP Application if the JAR files contain unsigned  
resources.

I must admit I dont know what we have those in the JAR files and I will  
remove them (META-INF/maven/* stuff mostly) but I wonder why this was not  
announced.

Even when I reduce the security slider as far as possible I am never asked  
if it is ok and I want to proceed.

I know it is not the best list to discuss this here, but since I wanted to  
write something about the new code base properties anyway, I thought I  
might begin with complain :)


Gruss
Bernd


java.lang.SecurityException: com.sun.deploy.net.JARSigningException:  
Unsignierter Eintrag gefunden in Ressource: http://localhost:10000/s....jar
	at com.sun.deploy.cache.CacheEntry.getJarFile(Unknown Source)
	at com.sun.javaws.security.SigningInfo.check(Unknown Source)
	at  
com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown  
Source)
	at  
com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown  
Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: com.sun.deploy.net.JARSigningException: Unsignierter Eintrag  
gefunden in Ressource:  
http://localhost:10000/seeburger/app/com.seeburger.gui-framework.gui-framework.jar
	... 14 more




<jnlp spec="6.0" codebase="http://localhost:10000/s..">
   <information>..</information>
   <security>
     <all-permissions/>
   </security>
   <update check="always" policy="always"/>
   <resources>
     <java version="1.6+" href="http://java.sun.com/products/autodl/j2se"  
java-vm-args="-Xms64m -Xmx256m -XX:NewRatio=3"/>
     <jar href="com..jar" main="true"/>
     <property name="protocol" value="http"/>
     <property name="javax.xml.parsers.DocumentBuilderFactory"  
value="com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl"/>
     <property name="sun.java2d.d3d" value="false"/>
     <jar href="antlr-2.7.7.jar"/>
...
jnlp file truncated after 10K



More information about the security-dev mailing list