commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vic <>
Subject Re: [Digester] Digester is a security violation when using JNLP?
Date Fri, 18 Feb 2005 22:57:12 GMT
Digester reads an XML file, and JNLP/WebStart classloader won't let you 
read files without signing all the jars.
I chose not to use commons-chains(it uses digester) on the Swing side 
becuase of this.

Siging the jars leads to this 4 year old bug:
Stanley Ho last repose was... we will try to address in in Java 6. ??? 
beucase we, the developers, just don't grasp them trying to keep us 
safe. And they apear not to have any usability or deployment concerns.
(This bug is fixed in open source implementation of the JNLP classloader )

Sun is holding a chat w/ developers on 3/1 to talk about WebStart 
issues, they seem un-aware or un-affected that people are chosing Flash 
VM for RiA becuase of this one issue.

( This to me is an example of why I want my users deploy open source 
versions of JRE, becuase I can patch it. My other idea is to hire 
Stanley Ho .... just so that Sun puts somone else there. )
Hubert, I use continus build, to deploy my applications once a day just 
to see what happens, and not find out last minute some silly design 
issue. You can read more about webstart


Hubert Rabago wrote:

>If I sign my jars, will this still be a problem?

Forums, Boards, Blogs and News in RiA <>

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message