Java popup saying application contains both unsigned and signed code

4

7

I am using Mac 10.7 running Java 1.7.0_21. I am trying to run a Java applet application that is signed and towards the end of the application I get a mixed mode security popup saying "Block potentially unsafe components from being run?". All the jars that I am using are signed.

I am able to run the same applet application on Mac 10.6 running Java 6 and I don't get the mixed mode warning. I am also able to run the application on windows without the mixed mode warning coming up.

Why do I keep getting this error when all my jars are signed?

I googled mixed mode warning and found this link.

http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#manifest

and after reading this link, I am a little confused. According to this link it looks like I need to have either the "Trusted-Only" or the "Trusted-Library" attribute mentioned inside my manifest file. I looked at my manifest files and they don't have these attributes, so should I put them in, or should just the fact that the jars are signed have been enough?

Can someone please help me understand why I am getting this error even when everything is signed?

Barbirolli answered 17/4, 2013 at 20:4 Comment(0)
8

Update 21 of Java 7 is a strong security update that brings a certain number of breaking changes.

You should have a look at its release notes; there are two paragraphs and two known issues related to signed jars.

Your problem consists in this one:

Area: deploy/plugin

Synopsis: Security popup while closing application

Starting in JDK 7u21, JavaScript code that calls code within a signed applet running with all permissions is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute. See Mixing Code With Permissions and Code Without Permissions (doc link).

For a signed applet running with all permissions to JavaScript call, no security dialog (with mixed code warning) should pop up. However mixed code warning is being shown in some scenarios.

The good news: there is a workaround:

As a workaround, if the applet jar is running with all-permissions and uses "Trusted-library:true" attribute as manifest entry, the mixed code warning will not popup.

Deeply answered 18/4, 2013 at 0:51 Comment(1)
Here we are jroller.com/tackline/entry/mixing_trusted_and_untrusted_code / A whole application is incredibly unlikely to be safe if treated as a trusted-library (unsurprisingly there's a good reason for the "library" in "trusted-library"). - Surinam
2

The best fix is using the Trusted-Library=true, however, if you cannot get this to work for some reason you can also change how the computer handles mixed security applets.

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/properties.html

Create the following file on the user's workstation: C:\Windows\Sun\Java\Deployment\deployment.properties

In the file add the following line: deployment.security.mixcode=HIDE_RUN

This will tell Java to hide the security warning and run the applet whenever there's a mixed code condition. Also, in the release notes it says:

As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.

For more information, see Mixing Privileged Code and Sandbox Code documentation.

The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests. For more information, see User Acceptance of RIAs.

FYI, in JRE 6u19, if an applet contains both privileged components and sandbox components, warning dialogs are shown.

Reich answered 18/4, 2013 at 15:8 Comment(1)
If you mark an entire applet as a Trusted-Library it will almost certainly become a security vulnerability. Disabling security of the PlugIn/WebStart is unlikely to be a good idea either. - Surinam
2

I also have an applet that generated this security warning starting with JRE 1.7.0_21.

Here is what I have learned. The "Trusted-Only: true" you would put in your applet manifest if you do not want the user to be asked if he will allow the call to another signed jar. The call will be blocked without the security warning. The "Trusted-Library: true" you add to the jar that you are calling. If this is in the jar's manifest and the jar is signed then when your applet calls it there will be no security warning and the call will not be blocked.

My applet uses the swing-layout-1.0.4.jar. To solve the problem I had to add the "Trusted-Library: true" to the swing-layout-1.0.4.jar. You should be able to do this by using the jar.exe application in the JDK.

jar vcmf swing-layout-1.0.4a.jar MyManifest.mf swing-layout-1.0.4.jar

MyManifest.mf is a text file containing "Trusted-Library: true". The space between the : and true is important and you must have a carriage return at the end of the line.

For some reason I could not get this to work, so I rebuilt swing-layout using NetBeans. The sources for swing-layout-1.0.4 are part of the NetBeans install (under platform). I unzipped it and opened it as a project. Under files I changed the manifest file to have the magic line (again it is important to have the space after the : and a blank line at the end of the manifest file) and hit the build. I then signed the jar and no more security warning.

I hope this helps or at least points you in the right direction

Read answered 19/4, 2013 at 14:8 Comment(3)
If you mark an entire applet as a Trusted-Library it will almost certainly become a security vulnerability. - Surinam
@tackline could you please elaborate on this? How do we mark just part of an applet as Trusted-Library? - Filter
@CarlManaster Put the library part in a separate jar (and make sure that code is safe). - Surinam
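
A manifest audit for the points raised in this answer and its comments, as an added example rather than code from any poster: it checks the `Name: value` syntax and the terminating newline, whether signature block files are present (presence only, not validity), and which mixed-code attribute is set. The function names, the finding strings and the in-memory sample JARs are constructed for illustration.

```python
import io
import zipfile

SIG_BLOCKS = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def main_attributes(raw):
    """Parse the main section of MANIFEST.MF; return (attrs, problems)."""
    text = raw.decode("utf-8", "replace").replace("\r\n", "\n").replace("\r", "\n")
    attrs, problems, key = {}, [], None
    if text and not text.endswith("\n"):    # the answer's point: end the line with a newline
        problems.append("last line is not newline-terminated")
    for line in text.split("\n"):
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of a wrapped value
            attrs[key] += line[1:]
        elif ": " in line:                  # header syntax is "Name: value", space included
            key = line.split(": ", 1)[0].lower()   # attribute names are case-insensitive
            attrs[key] = line.split(": ", 1)[1]
        else:
            problems.append("malformed header: " + line)
    return attrs, problems

def audit_jar(jar_bytes):
    """Return a one-line finding for a JAR (signature presence is checked, not validity)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = jar.namelist()
        raw = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in entries else b""
    signed = any(e.upper().endswith(SIG_BLOCKS) for e in entries if e.upper().startswith("META-INF/"))
    attrs, problems = main_attributes(raw)
    if problems:
        return "fix manifest: " + "; ".join(problems)
    if not signed:
        return "unsigned jar: mixed-code attributes need a signed jar"
    # Lenient value match ("true" in any case) is an assumption of this example.
    if attrs.get("trusted-library", "").strip().lower() == "true":
        return "trusted library: confirm it holds only vetted library code"
    if attrs.get("trusted-only", "").strip().lower() == "true":
        return "trusted-only: untrusted components are not loaded"
    return "signed but untagged: 7u21 can raise the mixed-code dialog"

def make_jar(manifest, signed):  # constructed sample; DEMO.SF/DEMO.RSA hold dummy bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in ["MANIFEST.MF"] + (["DEMO.SF", "DEMO.RSA"] if signed else []):
            jar.writestr("META-INF/" + name, manifest if name == "MANIFEST.MF" else "dummy")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(make_jar("Manifest-Version: 1.0\nTrusted-Library:true", signed=True)))
```

To audit real files, pass each JAR's bytes to `audit_jar`; signature validity still has to be checked separately with `jarsigner -verify`.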
1

Thank you all for your replies. I tried adding Trusted-Library=true on a small sample and it seems to work. So now I will be trying to update the manifest file of all my jars. And since we use ant I will be doing the following

        <jar update="true" jarfile="${deploy.dir}/javaApp.jar">
            <manifest>
                <attribute name="Trusted-Library" value="true" />
            </manifest>
        </jar>

to update the manifest files.

Barbirolli answered 19/4, 2013 at 15:36 Comment(0)
