Permissions attribute required for all jars of a webstart application?

Question

since Java 7.0.45 a webstart application should define the permissions attribute in the manifest.mf file.

But is this entry needed for every jar that the application uses or only for the jar containing the main class?

I am asking, because I already have set this entry for the main jar, but java webstart (from Java 8) still tells me:

This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

EDIT: Hmm, strange thing. I just found out that the jar containing the main class was put at the last position in the classpath in the JNLP file. It put it to the top and the warning disappears.

Answer 1

It is only needed for the main jar - the Java 8 documentation says

This attribute is required in the manifest of the main JAR file for the RIA, secondary JAR files and extensions are not required to have the Permissions attribute.

However there were a few bugs (like this one or this one) when Oracle first rolled out this functionality, and there may still be some lurking. I notice several reports of the second quote bug which have all be closed as 'Cannot Reproduce'. You might want to check that your scenario works as expected with the most up-to-date version of Java.

Answer 2

But is this entry needed for every jar that the application uses or only for the jar containing the main class?

Every Jar. Any unsigned (or improperly signed) component might be a 'hole in the security boat'. With a hole in it, the boat will sink. For that reason, an app. is only considered trusted if all parts of it are secure.