Vista/Java security test - applets/jws

Bugs reported* against Java under the new Vista/IE
security model affect signed applets, and also
trusted JWS applications.

<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6548078>
<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6504236>

The basic gist is that Vista imposes a more
restrictive security environment (particularly
to do with file access) than the original
trusted app. would receive.

It had earlier been noted that some JWS/browser
interaction problems can be sorted by 'disconnecting'
the launch from the browser and any security model
it might impose, so that led me to wonder if a new
ability of the JNLP API's BasicService in Java 6 might
help here.

The BasicService.showDocument(URL) method will
normally show the URL in the user's default browser,
but Java 6+ will hand an URL for a JNLP file
directly to javaws.

So I have a test..
Here is an unsigned web start application that
should not be affected by the bug.
<http://www.physci.org/jws/jwsapp.jnlp>
It is intended to display details of launch files,
and also offer to launch them - so it is running as
Java 6+.

Here is a *signed* web start app. that requests
full permissions, if launched from IE, it should
trigger the bug..
<http://www.physci.org/giffer/giffer.jnlp>

However, if my theory is correct (I don't have
access to machines running Vista), the first app.,
the launcher, should be able to launch the second
app., the Gif encoder**, just fine.

** Or it's 'big brother' listed below it..
<http://www.physci.org/giffer/giffer0512.jnlp>

Can anyone with Vista tell me if it works to
get around this bug, by launching trusted JWS
apps. directly from a sandoxed JWS app.?

--
Andrew Thompson
http://www.athompson.info/andrew/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200707/1