A solution for Secure Static Versioning problem in 1.5.0_06 and later?
There have been a few posts in this forum from folks who have problems with the new secure static versioning that came out in 1.5.0_06.
This was needed because of all the sandbox bugs found in earlier JRE releases that malware installers had become fond of. Sun rightly decided that something had to be done to prevent these older JREs from being exploited by the Internet low life. So as of 1.5.0_06, if you asked for an older release like 1.4.2_08 via Static Versioning, your applet would instead run under the latest JRE that was installed on the workstation.
This isn't very good for large Intranet applications that have gone through QA on a given release of the JRE. Sadly there are sometimes bugs even in minor upgrades that can affect applications. (The decompression performance regressing in 1.4.2_10 wreaked havoc on our application.)
SO HERE'S A DIFFERENT APPROACH TO CONSIDER:
Why not allow static versioning only for signed applets?
Perhaps there is a chicken/egg problem here: the JRE has to be loaded to be able to make the check. But I don't think it would be hard to save the fact that the HTML page used static versioning and then exit the JVM if the applet is not signed.
Seems this would make the writers of large Intranet Java Clients happy while still keeping out the slime trying to install malware.

