Skip to Main Content
Forums

Java SE (Java Platform, Standard Edition)

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Error with Java WebStart Signed Jars on 1.6.0_19's new Mixed Code

843802Apr 1 2010 — edited Apr 28 2011
All,

First, we have a valid code signing certificate/keystore from Thawte that works for signing webstart jars as of update 18. For some reason, if you run our webstart application on update 19 JRE, the runtime believes that some of the jars are not signed and some are. Even though we create and sign the jars in the exact same way and after inspecting the jar the JRE believes are not signed they have the necessary signing entries/files in the manifest folder. Not sure why the signing process would work for some of our jars and not for others. There is nothing really all that different.

So, because the JRE believes some of the jars are not signed the new security warning "...contains both signed and unsigned code." pops up ( [Error Description|http://java.com/en/download/help/error_mixedcode.xml] ). If I press yes, then I get the following exception.
java.lang.SecurityException: trusted loader attempted to load sandboxed resource from https://path-to-our.jar
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
	at java.net.URLClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(Unknown Source)
	at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at main.JwsMain.main(JwsMain.java:32)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.sun.javaws.Launcher.executeApplication(Unknown Source)
	at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
	at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
	at com.sun.javaws.Launcher.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
If I press "no" I get the following exception (I get this exception if I try to run our WebStart application with no signed jars as well, no warnings about missing certs, just straight to error)
java.lang.NullPointerException
	at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
	at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
	at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler.assertTrust(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler.access$700(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
	at java.net.URLClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(Unknown Source)
	at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at main.JwsMain.main(JwsMain.java:32)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.sun.javaws.Launcher.executeApplication(Unknown Source)
	at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
	at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
	at com.sun.javaws.Launcher.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Does anyone know why this would be happening? It only occurs with the new update. We use the same keystore and process for signing all of our jars so it really doesn't make since why some of them work and some of them don't. Also, our JNLP is correct or it wouldn't work in update 18.

Edit: We've tried it on Windows XP SP3 and compiled the code using update 18 and used jarsigner both from 18 and 19 with same results.

Edited by: chenthor on Apr 1, 2010 8:44 AM

Edited by: chenthor on Apr 1, 2010 8:51 AM
Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on May 26 2011
Added on Apr 1 2010
#java-web-start-jnlp
10 comments
5,650 views