[jira] [Commented] (CODEC-186) attributes are missing in MANIFEST.MF

Wed, 04 Jun 2014 09:39:13 -0700 

    [ 
https://issues.apache.org/jira/browse/CODEC-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017834#comment-14017834
 ] 

Joerg Schaible commented on CODEC-186:
--------------------------------------

Actually I wonder if we should do anything here. From the referred 
specification:

{quote}
Trusted-Library Attribute

The Trusted-Library attribute is used for applications and applets that are 
designed to allow untrusted components. No warning dialog is shown and an 
application or applet can load JAR files that contain untrusted classes or 
resources. Set the value of the attribute to true, for example:

Trusted-Library: true

This attribute prevents components in a privileged application or applet from 
being repurposed with untrusted components. All classes and resources in a JAR 
file containing this manifest attribute must be signed and request all 
permissions.
{quote}

We will never sign all classes and resources in our jar. With which key?

IMHO, if someone writes trusted applets or JNLP he has to modify the manifests 
anyway, especially if the code must be signed ... typically with an own key.

All those manifest entries are there to ensure the integrity of the applet, so 
what sense does it make to set all-permissions or a codebase of "*" when you 
really want "https://..."; ?

> attributes are missing in MANIFEST.MF
> -------------------------------------
>
>                 Key: CODEC-186
>                 URL: https://issues.apache.org/jira/browse/CODEC-186
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.5, 1.9
>            Reporter: Jeff Yu
>
> We are encountering an issue using commons-codec-1.5.jar inside an applet.
> Since the 7U45 of java, the MANIFEST of a jar used inside an applet must be 
> complete.
> 3 attributes are missing in the MANIFEST
> Trusted-Library : true
> Application-Name : <<as you want>>
> Permissions : all-permissions (or less if you want to be precise)
> Codebase : *
> see : 
> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
> Without these attributes, the JRE refuse to execute an applet containing 
> commons-codec-1.5.jar.
> Could you please fix that in order to make this jar usable inside an applet?
> Thanks



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to