Bug 227173 - Accomodate Any Upcoming Security Updates Affecting WebStart / Applets
Accomodate Any Upcoming Security Updates Affecting WebStart / Applets
Status: VERIFIED FIXED
Product: projects
Classification: Unclassified
Component: Java Webstart
7.3
PC Windows 7
: P2 (vote)
: 7.3.1
Assigned To: Petr Somol
issues@projects
73patch2-verified
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-03-07 14:56 UTC by Petr Somol
Modified: 2013-05-10 13:57 UTC (History)
4 users (show)

See Also:
Issue Type: TASK
:


Attachments
SE Properties on Mac (175.17 KB, image/png)
2013-05-06 13:20 UTC, Stepan Zebra
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Somol 2013-03-07 14:56:34 UTC

    
Comment 1 Petr Somol 2013-04-09 15:26:19 UTC
SE WebStart fixed in jetmain
http://hg.netbeans.org/jet-main/rev/962aa760f8f3
Comment 2 Petr Somol 2013-04-10 16:04:19 UTC
FX WebStart fix in jetmain
http://hg.netbeans.org/jet-main/rev/f2656f0b67f4
Comment 3 Stepan Zebra 2013-04-29 15:20:02 UTC
Please check this list of findings from testing and confirm resolution (fix/wontfix) of each point:

a) Minor bug: In FX project, open Project Properties, enable signing, open Signing dialog, select "Sign by a specified key" -> "OK" button is now disabled until valid values are entered, don't enter anything and select back "Self-sign by generated key" -> "OK" is still disabled, but should be available now. 
b) Infos/Notes/Warnings in both SE and FX Project Properties and in SE build Output states just "WebStart applications". It might be better if also "Applets" were explicitly stated.
c) FX Project Propereties contains just "info" and Signing dialog contains just "note", whereas in SE both places contain "warning". The rules for SE and FX apps are the same, so the different amount of alert might be a little confusing. (At least in the Signing dialogs, "info" message in FX Project Properties makes sense if it's designed this way.)
d) The "warning" from SE disappears after setting up a signing with certificate. The "info" in FX remains present after setting up the signing. (Since the messages are different, this makes sense if it's designed this way.)
e) The text of the info/note/warning in FX contains "April 2013", while in SE it contains "JDK7u21". The update number is better for orientation than a calendar month.
f) FX Projects shows no unsigned/self-signed warnings in build Output.
Comment 4 Petr Somol 2013-05-02 12:41:03 UTC
(In reply to comment #3)
> Please check this list of findings from testing and confirm resolution
> (fix/wontfix) of each point:

fixes (selected, see below) in jetmain
http://hg.netbeans.org/jet-main/rev/cc7ee8337b73

> a) Minor bug: In FX project, open Project Properties, enable signing, open
> Signing dialog, select "Sign by a specified key" -> "OK" button is now disabled until valid values are entered, don't enter anything and select back "Self-sign by generated key" -> "OK" is still disabled, but should be available now. 

fixed

> b) Infos/Notes/Warnings in both SE and FX Project Properties and in SE build
> Output states just "WebStart applications". It might be better if also
> "Applets" were explicitly stated.

fixed

> c) FX Project Propereties contains just "info" and Signing dialog contains just
> "note", whereas in SE both places contain "warning". The rules for SE and FX
> apps are the same, so the different amount of alert might be a little
> confusing. (At least in the Signing dialogs, "info" message in FX Project
> Properties makes sense if it's designed this way.)

From UI perspective there is an important difference between SE WebStart panel and FX Deployment panel - in FX case the panel provides mix of setting where some are WebStart unrelated. Therefore, not everyone using the panel needs to be aware of the WS issue. Hence the Info sign which is unobtrusive. In SE WS panel the message is unambiguous because the context is unambiguous. But I accepted one change: inside the signing dialog the "warning" message is now the same in SE and FX.

> d) The "warning" from SE disappears after setting up a signing with
> certificate. The "info" in FX remains present after setting up the signing.
> (Since the messages are different, this makes sense if it's designed this way.)

The FX info sign does not change for reasons stated above. In SE I changed the behavior so that the warning does not disappear completely when non-self-signing is defined; instead, a calmer notification message is still displayed, repeating the fact that trusted certificate is needed. This makes sense as there is currently no way to detect reliably whether the current certificate is or is not trusted.

> e) The text of the info/note/warning in FX contains "April 2013", while in SE
> it contains "JDK7u21". The update number is better for orientation than a
> calendar month.

fixed

> f) FX Projects shows no unsigned/self-signed warnings in build Output.

wontfix. this is because the FX SDK always generates all deployment artifacts as part of every build - even if the user does not need WebStart. Showing the warning always would thus confuse users who deal with FX applications in standalone mode only. Note that the warnings are displayed when it is clear from context that WebStart or browser is involved.
Comment 5 Quality Engineering 2013-05-05 02:30:24 UTC
Integrated into 'main-golden', will be available in build *201305042300* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/cc7ee8337b73
User: Petr Somol <psomol@netbeans.org>
Log: #227173 - Accomodate Security Updates Affecting WebStart - polishing the UI
Comment 6 Stepan Zebra 2013-05-06 13:20:49 UTC
Created attachment 134139 [details]
SE Properties on Mac

Thanks for patching. All was verified on Windows 7.

UI is fine on Windows LaF, but some messages doesn't fit properly on Mac LaF and similarly on Nimbus LaF. (Other LaF's wasn't tested)
Comment 7 Petr Somol 2013-05-06 21:55:03 UTC
polished UI according to preceeding comment:
http://hg.netbeans.org/jet-main/rev/70083b52e18b
http://hg.netbeans.org/jet-main/rev/56493cc68373
Comment 9 Quality Engineering 2013-05-08 02:01:16 UTC
Integrated into 'releases', will be available in build *201305072358* or newer. Wait for official and publicly available build.
Changeset: http://hg.netbeans.org/releases/rev/43427e1df5d2
User: Petr Somol <psomol@netbeans.org>
Log: #227173 WebStart patch 1
Comment 10 Quality Engineering 2013-05-09 02:37:17 UTC
Integrated into 'main-golden', will be available in build *201305082300* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/70083b52e18b
User: Petr Somol <psomol@netbeans.org>
Log: #227173 - WebStart security update - UI improvements
Comment 11 Stepan Zebra 2013-05-10 13:57:38 UTC
verified in 7.3.1


By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2014, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo