0 Replies. Latest reply: Sep 26, 2013 8:24 PM by bldsweng

    Insecure JNLP java_vm_args cannot avoid security alerts even with a signed JNLP


      I am using a signed JNLP launch file that is validated against JNLP-INF/APPLICATION_TEMPLATE.JNLP in my main resource JAR (which I know works because if I change the JNLP in an invalid way the Java Plugin JNLP Client complains as expected). The main resource JAR is also properly signed with a real code signing certificate, marked as a Trusted-Library in the Manifest, and has "all-permissions" in the JNLP.


      In my JNLP launch file, I have some java_vm_args that are considered insecure. For example, -XX:+PrintGC. Despite the fact that the JNLP is signed, I get two security alerts:


      1) A yellow exclamation mark alert which, when More Information is examined, asserts that the JNLP file is NOT signed.

      2) If I accept and run anyway, then I get another alert saying:


      "This application is going to perform an insecure operation. Do you want to continue?"


      Is there any way to avoid these issues while still being able to specify arbitrary VM arguments for the applet?