Hello,
We're testing our Web Start-deployed application in advance of the upcoming Java 7u51 release.
We couldn't find an early access version for 51, so we're using Java 7u60 from https://jdk7.java.net/download.html
Our application uses a third-party library that embeds licensing information in a .licenses file that you have to deploy in the /META-INF directory of the third party .jar file.
If we install Java 7u60 and launch our application, we're presented with the following stack trace:
<jnlp>
...
</jnlp> ]
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Java Web Start 10.60.2.02
Using JRE version 1.7.0_60-ea-b02 Java HotSpot(TM) Client VM
User home directory = C:\Users\me
----------------------------------------------------
----------------------------------------------------
#### Java Web Start Error:
#### Unsigned application requesting unrestricted access to system
Unsigned resource: http://..../thirdpartylibrary.jar
We're unable to launch our application, which launches fine in Java 7u45.
Prior to Java 7u60, when we signed this jar file, we could verify the signature.
If we switch to Java 7u60 and attempt to do that, we get the following:
C:\Users\me\...\META>jarsigner -verify -certs -verbose thirdpartylibrary.jar
257 Tue Jan 07 15:46:10 EST 2014 META-INF/MANIFEST.MF
270 Tue Jan 07 15:46:10 EST 2014 META-INF/_F723F71.SF
4754 Tue Jan 07 15:46:10 EST 2014 META-INF/_F723F71.RSA
0 Tue Jan 07 15:46:12 EST 2014 META-INF/
m 1363 Wed Jul 18 12:13:08 EDT 2012 META-INF/.licenses
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar is unsigned. (signatures missing or not parsable)
I'd really appreciate any thoughts anyone might have on this. We're obviously pretty concerned that our users are going to experience some disruptions once they upgrade.
I'm not even sure how to raise this issue to Oracle. The problem doesn't happen in a released version of Java, so I can't open a bug. I can open a bug against Java 7u60, but I'm not sure what priority that would be given. I can (and will) try to take it up with the third party, but I'm not sure whether they're even doing anything wrong. I can't find any information about not being able to include files in the META-INF/ directory. Any recommendations here would be greatly appreciated as well.
Thanks,
Jeff