
JAI 1.1.3 change on 9/17/11

erunquist
Joined: 2009-05-01

Over the weekend our Java Web Start applications that use JAI broke.
Nothing changed in our systems during that time. The application
instances that were left running over the weekend are fine, but we
can't launch any new instances of these applications.

The error indicates a jar signing problem:

#### Java Web Start Error:
#### Unsigned application requesting unrestricted access to system
Unsigned resource:
http://download.java.net/media/jai/webstart/release/1.1.3/solaris-sparc/jai_codec.jar

Interestingly, the modification date on this jar is 9/17/11 (this past
Saturday). It's not just this jar. All the jars in JAI 1.1.3 have this
date on java.net:

http://download.java.net/media/jai/webstart/release/1.1.3/

There's a decent chance that my problems have nothing to do with the
new date stamp on these JAI jars, but I'd really like to know what, if
anything, has changed in these files.

Anybody else using JAI via Web Start?

erunquist
Joined: 2009-05-01

Update: I was able to pull a good version of jai_core.jar out of the
Web Start cache and compare it against the version Oracle posted 9/17.
The new version of the jar is not digitally signed. The old version
was. That appears to be why Java Web Start is failing for us.

Why would Oracle rip the signatures off the jars? Was the Sun
certificate expiring, or in question due to CA issues? Why didn't
Oracle sign the jars with a new certificate?

imagero
Joined: 2003-11-18

Well, probably they just forgot (how) to do it...

rgd
Joined: 2005-08-23

On 9/20/11 7:34 AM, erunquist@lifetouch.com wrote:
> Update: I was able to pull a good version of jai_core.jar out of the
> Web Start cache and compare it against the version Oracle posted 9/17.
> The new version of the jar is not digitally signed. The old version
> was. That appears to be why Java Web Start is failing for us.
>
> Why would Oracle rip the signatures off the jars? Was the Sun
> certificate expiring, or in question due to CA issues? Why didn't
> Oracle sign the jars with a new certificate?
>

They probably forgot about it, or didn't think about it. Raise the
issue with them, they should be able to fix it quickly.

-Bob

darwinjob
Joined: 2004-11-16

No guys, they did it on purpose. Read this (from kcr):

http://forums.java.net/node/844342

In short - if you want Webstart you have to host and sign everything yourself. From Oracle with love.

rgd
Joined: 2005-08-23

Sweet!!

So what the h*** is the "security issue" anyway?? Sounds like
bogus-speak for "we're too lazy".

-Bob

On 9/21/11 12:27 AM, forums@java.net wrote:
> No guys, they did it on purpose. Read this (from kcr):
>
> http://forums.java.net/node/844342
>
> In short - if you want Webstart you have to host and sign everything
> yourself. From Oracle with love.
>
>

dclunie
Joined: 2004-12-23

Hi Bob

The level of security concern with things that are signed with expired
certificates is something I have always wondered about, especially
when I have to fork out money to pay for my code signing certificate,
for example, and I have always wondered if there was any real risk
to very long lived signing certificates (and trusting things signed
by them).

I still can't find any figures, but the most rational explanation I
could find with a quick Google comes from Greg, who quotes Bruce
Schneier:

http://www.amug.org/~glguerin/opinion/revocation.html#expiration

"Expirations provide a safety net. A bad credential can be out there
for only so long, because it will expire eventually"

I was surprised to read about how many bogus signing certificate
issues had actually occurred. E.g.:

http://www.schneier.com/blog/archives/2011/03/comodo_group_is.html

I feel vindicated that I was paranoid enough to download and re-sign
all the Sun supplied JIIO jars and serve them up myself, once I started
to see expired certificate warnings back in March.

I guess we had a good run while it lasted, but Oracle really could have
just re-signed these and saved everyone a lot of bother. It is almost as
though, through their carelessness, they are trying to kill Java, as
others have mentioned.

One upside is only one "do you accept" dialog for the web start user,
instead of multiple (one for stuff from my site and one for stuff
from Sun's).

David

On 9/21/11 6:00 PM, Bob Deen wrote:
> Sweet!!
>
> So what the h*** is the "security issue" anyway?? Sounds like bogus-speak for "we're too lazy".
>
> -Bob
>
> On 9/21/11 12:27 AM, forums@java.net wrote:
>> No guys, they did it on purpose. Read this (from kcr):
>>
>> http://forums.java.net/node/844342
>>
>> In short - if you want Webstart you have to host and sign everything
>> yourself. From Oracle with love.
>>
>>

erunquist
Joined: 2009-05-01

Thanks for the link, that helped explain what's going on.

I did as one of the posters suggested. I downloaded all the unsigned jars from Oracle:

http://download.java.net/media/jai/webstart/release/1.1.3/

Then signed all the jars with our certificate and put the whole bundle on one of our internal servers. Then, went through all our JNLP files and updated the "extension" link to point to our servers instead of java.net.

All in all, this is a good change. It forced me to learn a bit more about Web Start, and now we aren't dependent on the flaky java.net servers. Those servers shut down our applications twice this summer for hours. As an added bonus, now we could have JAI Web Start applications that use only pure Java operators, just by setting up a separate JAI Web Start bundle that doesn't include the native libraries.

I'm still disappointed that Oracle didn't think to post something to these JAI forums about their change. They changed binaries that were released four years ago, with the full expectation their change would break people's apps. These forums seem like a natural place to post an explanation for their actions.
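
A structural check for the condition found earlier in this thread (a JAR whose signature files are missing), added here as an example and not code from any poster or from Oracle. The sample JARs, entry names and the OURKEY alias are constructed; the check only inspects META-INF and leaves cryptographic verification to `jarsigner -verify`.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def signature_status(jar_bytes):
    """Report whether a JAR carries signature files and which entries they omit.

    Structural only: the signature itself is not validated here.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        # Signature files must sit directly in META-INF/, not in a subdirectory.
        meta = [n for n in names
                if n.upper().startswith("META-INF/") and n.count("/") == 1]
        sf_files = [n for n in meta if n.upper().endswith(".SF")]
        blocks = [n for n in meta if n.upper().endswith(SIG_BLOCK_EXT)]
        if not sf_files or not blocks:
            return {"signed": False, "uncovered": []}
        covered = set()
        for sf in sf_files:
            text = jar.read(sf).decode("utf-8", "replace")
            # Normalise line endings, then join continuation lines (leading space).
            text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
            covered.update(l[6:] for l in text.split("\n") if l.startswith("Name: "))
        payload = [n for n in names
                   if not n.endswith("/") and not n.upper().startswith("META-INF/")]
        # Entries added after signing are not listed in any .SF file.
        return {"signed": True, "uncovered": sorted(set(payload) - covered)}

def _make_jar(entries):
    """Build a constructed sample JAR in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: placeholder bytes, not real classes or signatures.
_BASE = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n",
         "com/example/Codec.class": b"\xca\xfe"}
_SIG = {"META-INF/OURKEY.SF": "Signature-Version: 1.0\r\n\r\n"
                              "Name: com/example/Codec.class\r\n"
                              "SHA-256-Digest: (constructed)\r\n\r\n",
        "META-INF/OURKEY.RSA": b"(constructed placeholder)"}
UNSIGNED = _make_jar(_BASE)
SIGNED = _make_jar({**_BASE, **_SIG})
PARTIAL = _make_jar({**_BASE, **_SIG, "com/example/Added.class": b"\xca\xfe"})
```

Running this over every JAR in a self-hosted bundle before publishing flags any file that would produce the "Unsigned resource" error at launch.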

erunquist
Joined: 2009-05-01

I'm slowly turning the crank on the Oracle Service Request process within our support contract, but I'm not sure this kind of problem will be covered by our contract.

Do you have any suggestions on who to contact at Oracle about this, directly?

rgd
Joined: 2005-08-23

I do not, unfortunately. Whoever you can get that will listen. ;-)

It may not be part of the contract but you should be able to use that as
leverage to get it to happen. Not like it's hard for them to do,
technically.

-Bob

On 9/20/11 2:53 PM, forums@java.net wrote:
> I'm slowly turning the crank on the Oracle Service Request process
> within our support contract, but I'm not sure this kind of problem
> will be covered by our contract.
>
> Do you have any suggestions on who to contact at Oracle about this,
> directly?
>
>