3 Replies Latest reply on Jun 13, 2012 5:04 PM by 924899

    Java 7u4 webstart security exception: Class does not match trust level...

      We began to notice that with Java 7 (particularly with update 4), that all our users began to see this with our Webstart app:

      [14:42:58,422] AWT-EventQueue-0(DEBUG) java.lang.SecurityException: class "<class name>" does not match trust level of other classes in the same package
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.net.URLClassLoader$1.run(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.net.URLClassLoader$1.run(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.security.AccessController.doPrivileged(Native Method)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.net.URLClassLoader.findClass(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.lang.ClassLoader.loadClass(Unknown Source)
      [14:42:58,422] AWT-EventQueue-0(DEBUG) at java.lang.ClassLoader.loadClass(Unknown Source)...More

      Where <class name> = pretty much every class at random points in the app execution, breaking several behavior.
      If our users were to use Java 6, they have no problems! Just 7 (update 4).
      We sign ALL our jars, both the main application jar and it's library jars. i.e Users launching our webstart app see the blue shield instead of yellow or red.

      This is obviously an issue as users are more frequently now upgrading to Java 7.
      I have tried to force our app to use Java 6 on the user machine either by using a previous installation, or installing a new one....with the <j2se version="1.6" /> tag around resources but this causes it's own problems that would probably be best to make into it's own thread. Did Oracle break Webstart with Java 7?

      Edited by: buffness on Jun 5, 2012 3:58 PM