Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6632928

HTTPS with certificate authorization required causes unacceptable user experience

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Duplicate
    • Affects Version/s: 6u4
    • Fix Version/s: None
    • Component/s: deploy
    • Subcomponent:
    • CPU:
      x86
    • OS:
      windows_xp

      Description

      J2SE Version (please include all output from java -version flag):
        java version "1.6.0_03-ea"
        Java(TM) SE Runtime Environment (build 1.6.0_03-ea-b02)
        Java HotSpot(TM) Client VM (build 1.6.0_03-ea-b02, mixed mode, sharing)

        (This is the old update 3...before it was pushed back to update 4.)

      Does this problem occur on J2SE 1.4.x or 5.0.x ? Yes / No (pick one)
       No

      Operating System Configuration Information (be specific):
        Windows XP PRO SP2
        IE 7.0

      Hardware Configuration Information (be specific):
        Sony VAIO laptop 2.8 Gz
        1.25 GB RAM

      Bug Description:
        When setting up the webserver (that holds the jnlp and jar files) to force certificate
        authentication of SSL, webstart brings up the confirmation dialog way too many times.
        Maybe about once for every jar file. In my test case it is between 20 and 30 times.
        However, after the download starts, all the rest seem to be cancelable with no adverse
        affects.

        This seems to only happen when an update is detected.

        There is also the possibility that the dialogs will be created in such a fashion that
        the certificate dialog is blocked by modality constraints and the only thing that can
        be done is cancel the download process. (Since the download seems to waiting on the
        certificate dialog, yet the certificate dialog is inaccessible since it is "behind"
        the download dialog.)

        This modal blocking seems a bit rare for me. However, when this happened the next
        jnlp access did not act as I expected.

        What I expected to happen after I canceled the download, was that when I clicked on
        the jnlp link again, it would bring up 20-30 certificate dialogs and download the
        application. What actually happened is that it just downloaded the application, with
        maybe one certificate dialog (not the 20-30 I expected).

        I have two certificates installed in my browser and when this confirmation dialog
        comes up I need to choose a certificate. Possibly if I had just one certificate
        this would not have been so noticible.

        I think people using smart cards or something to hold their certificates are going to
        have problems with Java 6.0, since the card may hold several certificates and they
        will need to type in a password. I have sent several bugs on these types of issues
        before and getting frustrated. It seems that the webstart team has no test case for
        this. If our clients that use certificate authentication ever upgrade to Java 6,
        this is going to be HUGE problem for us.

        Please, please, please address these issues and create a test case that uses smart
        cards and multiple client certificates.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                dgu Dennis Gu (Inactive)
                Reporter:
                tyao Ting-Yun Ingrid Yao (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: