OCAP1.1.3 Section 18.104.22.168:
In case that a signed application is not stored in application storage, all files described in all hash files of the application SHALL be downloaded via HTTP protocol, cached in the host, and authenticated prior to launching. Authentication of files on a remote HTTP server is not allowed.
In the RI, we just go ahead and store the application anyway, but with a storage_priority of "-1" (an implementation-specific value, not a spec-legal value). This storage priority is given to signed, non-stored apps signaled via OC and HTTP. If application storage is full, and an application with storage_priority > 0 is signaled, these apps will be the first to be deleted. Additionally, upon reboot and re-initialization of the app storage database, all apps with storage_priority < 0 will be deleted.
Does this overwrite the fact the stack may disable Authentication (i.e., use NoAuthenticationManager)?
Is there a way to skip/disable that in a development environment?
There is no way to disable this functionality. The act of determining whether or not an application "is supposed to be signed" (determined by the AppID) is independent of the act of determining whether or not the application "is correctly signed by certs that chain to a known root" (determined by the registered AuthManager). The former case is what we use to determine whether or not an HTTP app should be downloaded.
We would need a pretty compelling reason to add logic to disable this functionality for testing purposes.
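The behaviour described in this thread, as an added Python model that is not part of the original posts and is not the RI's code: the cache decision is keyed on the AppID alone, so a permissive AuthManager does not skip it, and entries with priority -1 are evicted first and purged on reboot. The AppID range 0x4000-0x7FFF, the class and function names, and the callable standing in for an AuthManager are assumptions.

```python
from dataclasses import dataclass

SIGNED_APP_IDS = range(0x4000, 0x8000)   # assumption: AppIDs that mark a signed app
TRANSIENT = -1                           # RI-specific priority named in the thread

@dataclass
class App:
    app_id: int
    size: int
    storage_priority: int = 0            # 0 = not signaled for storage

def supposed_to_be_signed(app):
    # Decided from the AppID alone; no AuthManager is consulted here.
    return app.app_id in SIGNED_APP_IDS

class AppStorage:
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}                # app_id -> (size, priority)

    def used(self):
        return sum(size for size, _ in self.entries.values())

    def signal(self, app):
        """Cache the app's files; return the priority used, or None if not cached."""
        if app.app_id in self.entries:
            return self.entries[app.app_id][1]
        priority = app.storage_priority
        if priority <= 0:
            if not supposed_to_be_signed(app):
                return None              # unsigned and non-stored: nothing to cache
            priority = TRANSIENT
        if priority > 0:  # transient entries go first when a stored app needs room
            for app_id in [a for a, (_, p) in self.entries.items() if p < 0]:
                if self.used() + app.size <= self.capacity:
                    break
                del self.entries[app_id]
        if self.used() + app.size > self.capacity:
            return None                  # simplification: no further eviction modeled
        self.entries[app.app_id] = (app.size, priority)
        return priority

    def reboot(self):  # re-initialization drops every entry with priority < 0
        self.entries = {a: e for a, e in self.entries.items() if e[1] >= 0}

def launch(store, app, auth_manager):
    """Signed apps run only from the local cache; then the AuthManager decides."""
    if supposed_to_be_signed(app) and store.signal(app) is None:
        return False
    return auth_manager(app)
```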