Possible bug in Deployment Rule Sets present in Java versions above 1.7.0_51

Issue Summary

In Java 1.7 Update 71, Java 1.7 Update 72 and Java 1.8 Update 25, Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA.

RuleSet.xml Test

Ruleset.xml

<ruleset version="1.0+">
 <rule>
   <id location="*.javatester.org" />
   <action permission="run" version="1.6*" />
 </rule>
 <rule>
   <id location="*.internaldomain.name" />
   <action permission="run" version="1.6*" />
 </rule>
</ruleset>

Test 1 (Control)

Installed Java Versions:
– 1.7 Update 51 b13 (both x86 and x64 however x86 is invoked)
– 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
Deployment Ruleset works as expected for both URLs

Test 2

Installed Java Versions:
– 1.7 Update 72 (both x86 and x64 however x86 is invoked)
– 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
The RuleSet works for JavaTester.org; however, on internaldomain.name we get the following error:

With the trace logging turned on, I suspected the version attribute supplied by the RIA. I was able to trick Java by adding the following to my system deployment.properties file:

deployment.javaws.jre.0.product=1.6.0_20
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.0.enabled=true

Because the RIA requests 1.6.0_20, it matches 1.6* from the deployment ruleset sooner than 1.6.0_26. However, if 1.6.0_20 is not available, 1.6.0_26 should match according to the Deployment Rule Set documentation:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
The version of the JRE that is used is determined by the following order of precedence:
1. The current version of the JRE is used if it is available and matches both the version attribute and the version requested by the RIA.
2. The latest available version of the JRE is used if it matches both the version attribute and the version requested by the RIA.
3. The current version of the JRE is used if it is available and matches the version attribute.
4. The latest available version of the JRE is used if it matches the version attribute.
If no version is available that meets the criteria, then the RIA is blocked, and a message is shown to the user. To provide a custom message, include the message element.
As a result:

  • If Java 1.6.0_20 is listed in the version requested by the RIA and 1.6.0_20 is listed in the deployment.properties file, #1 matches.
  • If Java 1.6.0_20 is listed in the version requested by the RIA, but 1.6.0_20 is NOT listed in the deployment.properties file, then #1 SHOULD match, but doesn’t. It used to match up to and including JRE 1.7 Update 51; however, the ruleset appears to no longer match in subsequent versions.
  • #2 should never match with our current Deployment Ruleset. It would match if we specified 1.7* as a version in the Ruleset.xml.
  • #3 used to be broken as well after JRE 1.7 Update 51; however, this bug has been marked as fixed. See: http://bugs.java.com/view_bug.do?bug_id=8032781
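
The documented order of precedence quoted above, modelled as an added example (not Oracle's implementation and not code from the original post). Version matching is simplified to exact, trailing `*` and trailing `+` patterns, treating the newest installed JRE as the "current" one is an assumption, and `select_jre` and its helpers are hypothetical names.

```python
import re

def parse(version):
    """'1.6.0_26' -> (1, 6, 0, 26) so versions compare numerically."""
    return tuple(int(p) for p in re.split(r"[._]", version))

def matches(version, pattern):
    """Simplified match: exact, trailing '*' (prefix) or trailing '+' (or later)."""
    if pattern is None:            # RIA requested no particular version
        return True
    v = parse(version)
    if pattern.endswith("*"):
        prefix = parse(pattern[:-1].rstrip("."))
        return v[:len(prefix)] == prefix
    if pattern.endswith("+"):
        return v >= parse(pattern[:-1])
    return v == parse(pattern)

def select_jre(installed, current, rule_version, ria_version=None):
    """Return the JRE the documented precedence picks, or None if the RIA is blocked."""
    def both(v):
        return matches(v, rule_version) and matches(v, ria_version)
    def rule_only(v):
        return matches(v, rule_version)
    newest_first = sorted(installed, key=parse, reverse=True)
    for accept in (both, rule_only):          # steps 1-2, then steps 3-4
        if current in installed and accept(current):
            return current                    # step 1 / step 3
        for v in newest_first:
            if accept(v):
                return v                      # step 2 / step 4
    return None

def page_scenarios():
    """Constructed inputs mirroring the post's Test 2 and its workaround."""
    rule, ria = "1.6*", "1.6.0_20"
    return {
        "test2": select_jre(["1.7.0_72", "1.6.0_26"], "1.7.0_72", rule, ria),
        "workaround": select_jre(["1.7.0_72", "1.6.0_20"], "1.7.0_72", rule, ria),
        "no_jre6": select_jre(["1.7.0_72"], "1.7.0_72", rule, ria),
    }

if __name__ == "__main__":
    for name, picked in page_scenarios().items():
        print(name, "->", picked or "blocked")
```

Under the documented order the Test 2 configuration resolves to 1.6.0_26, which is the outcome the post reports as missing in the affected updates.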

I have reproduced this issue with Java 1.7 Update 71, Java 1.7 Update 72, and Java 1.8 Update 25 when one of these versions is installed with Java 1.6 Update 26. I have also found one other potential reference to this bug:

Update From Testing with Oracle on Dec 4th:

This behavior has been confirmed as a bug, reference #20136595, which has in turn been labelled a duplicate of #20137782 (which is not publicly viewable). Note: each customer reporting this specific issue will get their own bug reference number, which will be closed as a duplicate.

We have also done some further testing with multiple versions of JRE 1.7 and 1.8. Here are the results:
1.7.0_55 – Works
1.7.0_60 – Works
1.7.0_65 – Bug present
1.7.0_67 – Bug present
1.7.0_71 – Bug present

1.8.0_25 – Bug present
1.8.0_20 – Bug present
1.8.0_11 – Bug present
1.8.0_5 – Works

Update Dec 29th

I was not aware of the new “force” option released in deployment ruleset version 1.1. Ruleset version 1.1 is available in JRE 1.8 Update 20 and higher. In ruleset version 1.1 the following ruleset now works:

<ruleset version="1.1+">
 <rule>
   <id location="*.javatester.org" />
   <action permission="run" version="1.6*" force="true" />
 </rule>
 <rule>
   <id location="*.internaldomain.name" />
   <action permission="run" version="1.6*" force="true" />
 </rule>
</ruleset>

It is possible that Oracle releases the ruleset version 1.1 in later versions of JRE 1.7; however, it is important to note that JRE 1.7 will be end of life in the spring. As a result, I have chosen to deploy the latest 1.8 with the 1.1 version ruleset.
