Bug 234231 - Permissions and codebase in manifest
Permissions and codebase in manifest
Status: RESOLVED FIXED
Product: projects
Classification: Unclassified
Component: Java Webstart
7.4
PC Windows 7
: P3 (vote)
: 8.0
Assigned To: Tomas Zezula
issues@projects
:
Depends on: 231951
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-11 03:10 UTC by rwilson352
Modified: 2014-03-11 15:53 UTC (History)
7 users (show)

See Also:
Issue Type: DEFECT
:


Attachments
Manifest error on 1.7.0_45-b18 (96.65 KB, image/jpeg)
2013-10-19 08:45 UTC, jaigharge
Details
java patch 1 (170.91 KB, patch)
2013-11-16 19:23 UTC, cindyberg
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description rwilson352 2013-08-11 03:10:02 UTC
When you create a Java Web Start application using Netbeans, after configuring your Java Web Start properties, a "clean & build" gives you all of the elements you need to launch your program: the .jar file, the .jnlp file, the /lib folder, etc.

However, with the recent release of Java 7u25 came a change where, when the MANIFEST.MF file does not contain the "Permissions" and "Codebase" attributes, the program will give a runtime warning similar to this:

Missing Permissions manifest attribute for: http://www.codebase.com/codebasepath/dist/Program.jar
Missing Codebase manifest attribute for: http://www.codebase.com/codebasepath/dist/Program.jar

The next release of Netbeans should automatically add the proper attributes to the generated .jar's manifest. Currently, after a clean & build, the developer needs to complete a (confusing, difficult) process of adding the manifest attributes manually and re-sign the .jar and the library .jars, all manually as well.

Speculation: I also suspect that this missing manifest problem is causing a NPE in the JNLPClassLoader.getPermissions() method. Not a Netbeans bug, but fixing the missing manifest attributes bug could solve another problem as well.
Comment 1 Petr Somol 2013-08-13 11:51:20 UTC
Eventually we opted for a solution without UI change, due to the fact that we are now several months after NB7.4 feature freeze.

fixed in jetmain separately for SE and FX:
http://hg.netbeans.org/jet-main/rev/6f7b1939cd99
http://hg.netbeans.org/jet-main/rev/b62d48762fec

In SE the Codebase value is set based on what codebase type is selected in WebStart panel. In FX the Codebase is set by default to *.
Permissions attribute is set according to whether signing is enabled or not, following the previous convention used when generating jnlp (both in SE and FX).

Both in SE and FX the default Codebase and Permission attributes can be overridden by setting project properties:
manifest.custom.codebase
manifest.custom.permissions
Comment 2 Quality Engineering 2013-08-14 14:38:35 UTC
Integrated into 'main-silver', will be available in build *201308141142* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)

Changeset: http://hg.netbeans.org/main-silver/rev/b62d48762fec
User: Petr Somol <psomol@netbeans.org>
Log: #234231 - Permissions and codebase in manifest (FX)
Comment 3 rwilson352 2013-08-20 03:49:36 UTC
Petr,

Thank you very much for the timely turnaround on this defect fix.

There is just one more thing: The new specifications require the library .jar MANIFEST.MF files to be written with the “permissions” and “codebase” attributes as well, not just the primary .jar. My apologies if I was unclear about that. So, everything that Netbeans puts into the /lib folder on a JWS clean & build needs to have this same feature.

Thanks again for your work, Petr. I am going to mark this as reopened.

Ryan
Comment 4 rwilson352 2013-09-25 21:20:09 UTC
Is there any way this could get attention before 7.4 launches? Just checked 7.4 RC1 and noticed it is still not fixed.

To reiterate the problem:
The main .jar is correct.
Every .jar in the /lib folder needs "Permissions" and "Codebase" manifest attributes added upon clean & build of a Java web start application.
Comment 5 Tomas Zezula 2013-09-26 10:56:59 UTC
We are still evaluating this problem.
The thing is that the IDE should not modify 3rd party libraries on the class paths. The problem is even bigger when the 3rd part library is signed in this case such a library needs to be resigned by another (main jar developer) certificate. Modification of these jars way violate the 3rd party library licence.
Comment 6 Tomas Zezula 2013-09-26 11:06:21 UTC
I personally believe that the Permissions and Codebase should be in main jar only.
Or the JNLP should contain signed part with these attributes.
Comment 7 rwilson352 2013-09-27 20:08:14 UTC
Tomas,

This is, indeed, then an interesting predicament. Because the JVM will spit out warnings into the console upon execution for every /lib .jar that doesn't contain a Codebase and Permissions manifest attribute.

So, what you're saying is that Oracle changed things so that developers are required to break the license agreements attached to the 3rd-party libraries by adding attributes to the manifests of the library jars?

Fascinating!

Well, is there any way we can tell Oracle that this is a mistake?? I suppose they are just warnings, I'm not sure if the lack of Permissions and Codebase attributes is actually causing any errors. But I suspect that it will in due time.

Since Netbeans is owned by Oracle, do you guys have any way to communicate with the Java development team about this issue?

This really is fascinating. I'd like to hear how it turns out.
Comment 8 rwilson352 2013-10-17 11:32:41 UTC
There has been an update to this problem as of 7u45 which came out yesterday. Now the applications have a further requirement for the "Application-Name" manifest attribute. Upon execution, the program receives this error:

"Missing Application-Name: manifest attribute for: http://www.codebase.com/codebasepath/dist/Program.jar"

This error displays once for each library.

NOW, I know this isn't really a Netbeans problem at this point. BUT, if you guys are in any proximity to the primary Java development team at Oracle, could you please tell them the dilemma? That they are requiring Java Web Start developers to violate the license agreements attached to the third-party apps?

Thank you, Netbeans team!
Comment 9 alec.evans 2013-10-17 12:47:21 UTC
Could i add to this that the IDE is already altering 3rd party library JARS when it signs them.
Comment 10 jaigharge 2013-10-19 08:45:22 UTC
Created attachment 141290 [details]
Manifest error on 1.7.0_45-b18

Latest Java 1.7.0_45-b18 gives some serious warnings if Permissions, Codebase, Application-Name is not added in Manifest files. Please tell me how should I fix this.

I am getting list of warnings in my Java console as shown below:
Missing Application-Name: manifest attribute for: http://vcare.abc.local:8180/VCareDesktop/app/vCareApp.jar
Missing Permissions manifest attribute for: http://vcare.abc.local:8180/VCareDesktop/app/vCareApp.jar
Missing Codebase manifest attribute for: http://vcare.abc.local:8180/VCareDesktop/app/vCareApp.jar

These warnings are coming for all JARS which I have added in projects library.

Please check the attached file for the new warning on UI which comes with this latest version.
Comment 11 miloscorp 2013-10-24 23:59:15 UTC
manifest.custom.codebase
manifest.custom.permissions

this solves half the problem, but it still the "Application-Name" issue, will it be fixed any time soon?
Comment 12 jaigharge 2013-10-29 08:59:25 UTC
Hi Miloscorp,

Please elaborate how to use manifest.custom.codebase and manifest.custom.permissions in Netbeans.
Will this work for library JAR's as well?

Thanks,
Jai
Comment 14 Tomas Zezula 2013-10-30 22:43:41 UTC
Added Application-Name attribute
jet-main a73f79ab9aaa
Comment 15 Tomas Zezula 2013-10-30 23:07:06 UTC
Regarding the attributes in libraries I will change the build to put the codebase, permissions and application_name to all the lib jars which are not yet signed.
Comment 16 Tomas Zezula 2013-10-31 13:44:10 UTC
Fixed jet-main 7bf5db8023ab
Fixed as described in comment #15.

The library jars of signed JavaWS application are extended by Codebase, Application-Name, Permissions attributes for all library jars which are not yet signed.
When a library jar already has Codebase, Application-Name or Permissions attribute the attribute is not overwritten.
The library modification is done right before signing.
Comment 17 jczwo 2013-11-04 12:57:53 UTC
This needs to be fixed for NetBeans Platform Applications too. Is there an update planed for ANT files in the harness directory?
Comment 18 Tomas Zezula 2013-11-04 13:00:24 UTC
Create a new issue on apisupport/project.
Comment 19 rwilson352 2013-11-04 13:10:49 UTC
Tomas,

Upon a "Clean and Build," the library files are deleted and completely re-built, am I correct? So a "Clean and Build" operation will always re-add the attributes and resign the .jars, correct?
Comment 20 cindyberg 2013-11-16 19:23:20 UTC
Created attachment 142270 [details]
java patch 1
Comment 21 Tomas Zezula 2013-11-22 10:48:56 UTC
>Upon a "Clean and Build," the library files are deleted and completely re-built, am I correct?
Yes, when you do Clean & Build the "diet" folder is completely deleted.
During the build the libraries are copied into the "dist/lib" folder and during signing     permissions, codebase and application-name are inserted into libraries (if they are not  yet signed).


By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2012, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo