Hi, I'm tracking issue JDK-8046211 and noticed today it was resolved as "won't fix" without any comment. I'm curious as to why it was closed?
Our situation: We have a Java applet consisting of 4 jar files and a JNLP file. These files are served over HTTPS from a public webserver (no authentication required). The applet contains an up-to-date manifest with all the entries required since the new Java security baseline. The applet/JNLP file is accessed from a web application using JavaScript (deployJava.js). All interaction with the applet is through JavaScript. The web application itself runs on a different server and is protected using client certificates (2-way SSL) and basic authentication.

Now until Java 7u55 everything worked fine. When loading the applet only one popup was displayed asking the user to trust the applet (which is properly signed) and that was all. However, since 7u55 (also 7u60) things have changed: the applet loads fine, but as soon as we call a method on the applet (through LiveConnect) the Java VM displays a popup asking the user to select a client certificate and thereafter asks the user to authenticate using BasicAuth.

Important note: the user doesn't actually have to select a valid certificate or enter any credentials. If the user cancels any of the dialogs the applet continues to function properly. Logging shows the applet is using the same cookie as the browser, so authentication against the server isn't actually taking place. Basically the Java VM is prompting for authentication dialogs for no good reason because the user is already authenticated with a browser cookie.

Prior to 7u55 we didn't experience this issue (we have users with 7u40, 7u45 and 7u51). Altogether it appears we encountered JDK-8046211, which has the characteristics of a regression issue.

If you guys need any logging or additional information I'd be happy to help.

Regards,
Richard