4 Replies. Latest reply: Oct 29, 2012 9:22 AM by 922905

Problems with Java Webstart and security concept. Similar to 891457

922905 Newbie
We have a Java Swing application that is started by Java Web Start.
A strange behaviour occurs at one installation sometimes and cannot be produced or reproduced
by certain actions.

The client (Mac mini) has Java 6.0 update 29. The server with a tomcat has Java 5.

Our Java Swing application is started several times simultaneously by Web Start and runs without problems.
After some time (maybe hours) a message appears. This is the message translated from German:
"Some parts of this program can be a security risk for this computer. Allow execution
of unsafe components?"

It looks like there is a break in the security concept of Java introduced with Java 2.6 update 18,
which is described in the Oracle technical note about mixed and unsigned code.
(http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html)
All deployed and used jars we have are certificated with a valid self certificate.
We also do not use any manifest entries "Trusted-Only" or "Trusted-Library".
So there is no "mixed or unsigned code" at this time. But we have some icons in
the application, which are loaded from a jar by a ClassLoader. We have now replaced these parts
of the code by using a context ClassLoader. Whether this will solve the problem, we do not know.

The user swears that he acknowledged the message "Some parts of this program can be a security risk
for this computer, allow execution?" with "Allow". But an exception occurred at this time with the
following stack trace:

ERROR: Failed to recover corrupt cache entry
com.sun.deploy.cache.CacheEntry.recover(CacheEntry.java:1542)
com.sun.deploy.cache.CacheEntry.getSignerMap(CacheEntry.java:1086)
com.sun.deploy.cache.CachedJarFile.getSignerMap(CachedJarFile.java:325)
com.sun.deploy.cache.CachedJarFile.getCodeSource(CachedJarFile.java:691)
com.sun.deploy.cache.DeployCacheJarAccessImpl.getCodeSource(DeployCacheJarAccessImpl.java:65)
com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(CPCallbackHandler.java:455)
com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(DeployURLClassPath.java:852)
com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(DeployURLClassPath.java:952)
com.sun.deploy.security.DeployURLClassPath.getResource(DeployURLClassPath.java:234)
java.net.URLClassLoader$1.run(URLClassLoader.java:194)
java.security.AccessController.doPrivileged(Native Method)
java.net.URLClassLoader.findClass(URLClassLoader.java:190)
com.sun.jnlp.JNLPClassLoader.findClass(JNLPClassLoader.java:345)
java.lang.ClassLoader.loadClass(ClassLoader.java:306)
java.lang.ClassLoader.loadClass(ClassLoader.java:247)
com.classwizard.cw.ClassMaker$MenuItemListener.actionPerformed(ClassMaker.java:39229)
javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2028)
javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2351)
javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:387)
javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:242)
javax.swing.AbstractButton.doClick(AbstractButton.java:389)
javax.swing.AbstractButton.doClick(AbstractButton.java:337)
javax.swing.plaf.basic.BasicMenuItemUI$Actions.actionPerformed(BasicMenuItemUI.java:778)
javax.swing.SwingUtilities.notifyAction(SwingUtilities.java:1645)
javax.swing.JComponent.processKeyBinding(JComponent.java:2851)
javax.swing.JMenuBar.processBindingForKeyStrokeRecursive(JMenuBar.java:670)
javax.swing.JMenuBar.processBindingForKeyStrokeRecursive(JMenuBar.java:678)
javax.swing.JMenuBar.processBindingForKeyStrokeRecursive(JMenuBar.java:678)
javax.swing.JMenuBar.processKeyBinding(JMenuBar.java:649)
javax.swing.KeyboardManager.fireBinding(KeyboardManager.java:267)
javax.swing.KeyboardManager.fireKeyboardAction(KeyboardManager.java:254)
javax.swing.JComponent.processKeyBindingsForAllComponents(JComponent.java:2928)
javax.swing.JComponent.processKeyBindings(JComponent.java:2920)
javax.swing.JComponent.processKeyEvent(JComponent.java:2814)
java.awt.Component.processEvent(Component.java:6150)
java.awt.Container.processEvent(Container.java:2085)
java.awt.Component.dispatchEventImpl(Component.java:4735)
java.awt.Container.dispatchEventImpl(Container.java:2143)
java.awt.Component.dispatchEvent(Component.java:4565)
java.awt.KeyboardFocusManager.redispatchEvent(KeyboardFocusManager.java:1850)
java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(DefaultKeyboardFocusManager.java:712)
java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(DefaultKeyboardFocusManager.java:990)
java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(DefaultKeyboardFocusManager.java:855)
java.awt.DefaultKeyboardFocusManager.dispatchEvent(DefaultKeyboardFocusManager.java:676)
java.awt.Component.dispatchEventImpl(Component.java:4607)
java.awt.Container.dispatchEventImpl(Container.java:2143)
java.awt.Window.dispatchEventImpl(Window.java:2478)
java.awt.Component.dispatchEvent(Component.java:4565)
java.awt.EventQueue.dispatchEventImpl(EventQueue.java:679)
java.awt.EventQueue.access$000(EventQueue.java:85)
java.awt.EventQueue$1.run(EventQueue.java:638)
java.awt.EventQueue$1.run(EventQueue.java:636)
java.security.AccessController.doPrivileged(Native Method)
java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:98)
java.awt.EventQueue$2.run(EventQueue.java:652)
java.awt.EventQueue$2.run(EventQueue.java:650)
java.security.AccessController.doPrivileged(Native Method)
java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
java.awt.EventQueue.dispatchEvent(EventQueue.java:649)
java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:296)
java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:211)
java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:201)
java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:196)
java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:188)
java.awt.EventDispatchThread.run(EventDispatchThread.java:122)


It looks like the ClassLoader does not find a class from the jar, which was used before
without problems.

Now my questions:

1) Why is there a security risk after hours of work but not at the time when the application was
started? Is there a reload or security check of jars at undefined times without any reason?

2) If the user clicks "Allow" I expect that the application goes on.
But from the stack trace it looks like the opposite: the application is stopped and removed from memory
so that classes are no longer found.

Can somebody help me with this problem?
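
Added example, not part of the original post or of the poster's application: a small Java check for the claim above that every deployed jar is signed and that no manifest carries Trusted-Only or Trusted-Library. The class name JarSigningAudit and the jar paths given on the command line are assumptions, and it needs JDK 7 or later to compile.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

// Added example: reports unsigned entries, signer identities and mixed-code
// manifest attributes for each jar given on the command line.
public class JarSigningAudit {
    public static void main(String[] args) throws IOException {
        for (String path : args) audit(path);
    }

    static void audit(String path) throws IOException {
        List<String> unsigned = new ArrayList<>();
        Set<String> signers = new TreeSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {      // true: verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip META-INF/, where manifest and signature files live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known once the entry has been read to the end;
                // a modified entry makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { unsigned.add(e.getName()); continue; }
                for (CodeSigner s : cs) {
                    X509Certificate c =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    signers.add(c.getSubjectX500Principal().getName());
                }
            }
            Manifest mf = jar.getManifest();
            Attributes attrs = (mf == null) ? new Attributes() : mf.getMainAttributes();
            System.out.println(path);
            System.out.println("  signers:         " + signers);
            System.out.println("  unsigned:        " + unsigned);
            System.out.println("  Trusted-Only:    " + attrs.getValue("Trusted-Only"));
            System.out.println("  Trusted-Library: " + attrs.getValue("Trusted-Library"));
            if (!unsigned.isEmpty())
                System.out.println("  WARNING: jar contains unsigned entries");
        }
    }
}
```
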
  • 1. Re: Problems with Java Webstart and security concept. Similar to 891457
    817614 Explorer
    Maybe you hit some bugs related to signing info caching in memory. This is fixed in 7u4 (JRE 7 update release 4). I think you could give the latest 7u4 early access build a try to see if it is the same problem. The fixes are being evaluated for porting back to JRE 6.
    You can get the early access from: http://jdk7.java.net/download.html.
  • 2. Re: Problems with Java Webstart and security concept. Similar to 891457
    922905 Newbie
    We can now say that all changes made in our application did not solve the problem. After 2 weeks of work without any problem our customer now got the same messages again.
    We cannot use Java 7 because there is no release for Mac Snow Leopard, only for Lion. We now have a big problem, because we cannot ship our program any more because these
    unresolved problems make it unsafe.
    I was on the customer's client with TeamViewer when he had the message about unsafe parts of the program on his monitor. I saw that he then pushed the button to continue the
    program. It was at this point that exceptions occurred about classes not being found. The next time this problem occurs, we will push the button "not allow". Perhaps the buttons are
    mixed up in the German version of the dialog?
  • 3. Re: Problems with Java Webstart and security concept. Similar to 891457
    817614 Explorer
    919902 wrote:
    We cannot use Java 7 because there is no release for Mac Snow Leopard, only for Lion. We now have a big problem, because we cannot ship our program any more because these
    unresolved problems make it unsafe.
    Java 6 on OS X was released by Apple, we cannot help with fixing it. I guess the easier path is moving forwards.
    I was on the customer's client with TeamViewer when he had the message about unsafe parts of the program on his monitor. I saw that he then pushed the button to continue the
    program. It was at this point that exceptions occurred about classes not being found. The next time this problem occurs, we will push the button "not allow". Perhaps the buttons are
    mixed up in the German version of the dialog?
    You could try, but if your application jars are all signed, then I don't think it is a case of mixing up the buttons.
    Please try to confirm, if you can, whether the latest 7u4 early-access build fixes this problem on Windows or on Mac OS X Lion.
  • 4. Re: Problems with Java Webstart and security concept. Similar to 891457
    922905 Newbie
    At the end of March we found a solution in another item of this forum.

    NullPointer Exception ,web start Static class loading in sun JRE with JNLP

    We implemented the described class into our program and it solved our problem completely. For 7 months,
    no crash.
