Newsletter sign-up

View all newsletters

Sign up for our technology specific newsletters.

Enterprise Java

Email Address:

Why JavaSoft already released another JDK 1.1 beta

Find out all the details on how beta 2 fixes some bugs, including a security-related glitch

By Kieron Murphy, JavaWorld.com, 01/01/97

Just as Fall Internet World was gearing up, programmers at JavaSoft were finalizing the beta 2 release of the Java Developer Kit version 1.1. The initial beta release of the 1.1 version took place on December 3. Ten days later, Sun was ready with a second release to provide additional source code and to resolve a number of bugs in security and other significant areas.

JavaSoft has made the following changes in the JDK 1.1 beta release:

• The source code for the public classes in the java.* package now is included in the file src.zip. These classes correspond to the public classes contained in classes.zip.
  
  
• A fix exterminates a bug in the Jar tool manifest-build that limits the number of files in some configurations of Solaris to 64 entries.
  
  
• A fix in the javakey security tool prevents signed Jar files from having invalid signatures. An implementation inconsistency in javakey had caused signature checking to fail. Though not a security hole per se, this bug caused applets to run as untrusted, with minimal permissions enabled.
  
  
• A change allows unlimited numerical values of case statements now to be used in switch statements. (For example, a switch statement containing the two cases 0 and 99999999 had caused the compiler to run out of memory.)
  
  
• In the initial release for Win32, the class java.io.LineNumberReader had been documented, but the class file was absent from classes.zip. The java.io.LineNumberReader has now been added to classes.zip.
  
  
• A fix prevents DecimalNumberFormat methods from throwing exceptions. The class java.text.DecimalNumberFormat had thrown an exception when any of its format or parse methods were called.
  
  

As could be expected, the security-bug fix drew most of the attention among the Javarati at Internet World -- as do all admissions of security flaws in Java from Sun's cop of engineers.

"Actually this isn't in any way a security breach, only an unfortunate bug that basically made it impossible to take advantage of the newer security feature of signed applets," said an assuring Lew Tucker, director of corporate and ISV relations at JavaSoft. "In the first JDK 1.1 beta release, the older model of treating all applets as untrusted was enforced. Now people can try out our new digital signature features."

Home security

"The [javakey] bug was discovered the first time we tried to use digital signing ourselves," said Marianne Mueller, a senior security engineer at Sun. "We publish our software on the Web, and once we put it out there, many of us inside the company download a copy and do some testing. So one of the JavaSoft engineers who downloaded the JDK 1.1 beta 1 release immediately noticed the bug. It wasn't a real security bug in that it didn't expose any security holes. It was just that the signature checking always failed. So signed classes that should have been allowed more functionality were instead still restricted to the sandbox."

The fix was a straightforward programming fix of a straightforward programming bug, according to Mueller. "It wasn't a tricky system security hole or anything like that," she added. "Developers now will be able to create signed applets and to configure their systems to allow those applets greater freedom. We distribute a tool called appletviewer that developers can use to help them create and test their signed applets. Down the road, we expect that Java-enabled browsers will support Java digital signatures, but I don't know the dates for when that will be available to end users. We're working very closely with our Java licensees to help make that happen."

 

About Us | Advertise | Contact Us | Terms of Service/Privacy

Copyright, 2006-2008 Network World, Inc. All rights reserved.