Name: nt126004 Date: 01/18/2002
FULL PRODUCT VERSION :
java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition(build 1.3.1-root-010902-18:51)
Java HotSpot(TM) Client VM (build 1.3.1, mixed mode)
FULL OPERATING SYSTEM VERSION :
all OSs, originally encountered on OSX
A DESCRIPTION OF THE PROBLEM :
I have a JNLP file that specifies two JAR files:
A.jar download eager, contains main() program
B.jar download lazy
Application starts fine loading only A.jar -- as intended.
A.jar is signed.
At some point, application decides to access a class
that is contained in B.jar. B.jar is NOT signed.
At this point, Web Start pops up a dialog talking about
"application cannot be started" (which is obviously not
correct because the app has been running for a while).
But worse, the dialog only offers the option "abort",
which quits the app -- certainly without giving the app
an opportunity to clean up.
Yes, I know that B.jar should be signed too (my
mistake) but shouldn't it instead do something more
"constructive". Class.forName() could return null, for
example, or throw a SecurityException.
The essence of the jnlp file is:
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.3" initial-heap-size="64m"/>
<jar href="lib/pepper.jar" main="true" download="eager"/>
<jar href="lib/log4j.jar"/>
<package name="com.r_objects.mm.CACSD_V1_0.*"
part="com.r_objects.mm.CACSD_V1_0" recursive="true"/>
<jar href="lib/com.r_objects.mm.CACSD_V1_0.jar"
part="com.r_objects.mm.CACSD_V1_0" download="lazy"/>
where pepper.jar contains the main() and is signed.
com.r_objects.mm.CACSD_V1_0.jar is not signed.
This bug can be reproduced always.
CUSTOMER WORKAROUND :
sign all files.
(Review ID: 137812)
======================================================================
|
Java