We use Java Web Start to let customers load our java swing application through web. Inorder to load up application this way we need to sign jars so that the user has full trust on the application they are loading and dont end up loading some patched jars etc. that were not meant to be loaded.
We have several jars that are utilized. Since the swing application is integrated with several third party applications and dlls that we have made for performance reasons we bundle these dll files in a seperate jar so that they are available at run time. So when the application is fully loaded we write these files out on user’s directory so that they are accessible to our application.
Recently our CTO changed the directory where these files used to reside and he didn’t bothered the build process to reflect this change so we ended up with empty jar files. Due to this we discovered a flaw in Java WebStart. If you end up signing an empty jar file the Java Webstart application won’t load that jar instead will give you an error that the respective jar is not signed. I dont know if this has already been docusmented or not. But this seems to be a bug in Java Web Start which needs to be taken care of.