commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Duong BaTien <>
Subject Re: [Digester] Digester is a security violation when using JNLP?
Date Sat, 19 Feb 2005 00:02:58 GMT
Vic wrote:

> Digester reads an XML file, and JNLP/WebStart classloader won't let 
> you read files without signing all the jars.
> I chose not to use commons-chains(it uses digester) on the Swing side 
> becuase of this.
> Siging the jars leads to this 4 year old bug:
> Stanley Ho last repose was... we will try to address in in Java 6. ??? 
> beucase we, the developers, just don't grasp them trying to keep us 
> safe. And they apear not to have any usability or deployment concerns.
> (This bug is fixed in open source implementation of the JNLP 
> classloader )
> Sun is holding a chat w/ developers on 3/1 to talk about WebStart 
> issues, they seem un-aware or un-affected that people are chosing 
> Flash VM for RiA becuase of this one issue.
> ( This to me is an example of why I want my users deploy open source 
> versions of JRE, becuase I can patch it. My other idea is to hire 
> Stanley Ho .... just so that Sun puts somone else there. )
> Hubert, I use continus build, to deploy my applications once a day 
> just to see what happens, and not find out last minute some silly 
> design issue. You can read more about webstart
> .V
I read the following article: and seek practical 
suggestions from those who have some insight to compare pro and con 
between this approach and JNLP distributed framework, especially JNLP is 
now a part of Java.


> Hubert Rabago wrote:
>> If I sign my jars, will this still be a problem?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message