How do I write a manifest file for the new Java security barriers

3

7

I have a Java applet that I need to deploy on my website.

My website has a lot of pages and the applet appears on a number of them. My website's base domain is www.mycompany.com. But the applet will appear on, for example: www.mycompany.com/dog, www.mycompany.com/cat, www.mycompany.com/pen, etc.

The package of the entry point is com.mycompany.MyApplet.

Following the instructions at Java Security Manifest Changes in the Browser, I have created the below manifest for my app. Will someone please review it for me so that I get it correct? Basically I don't want any sort of warning to show up when people try to run my applet from my website.

MANIFEST

    Manifest-Version: 1.0
    Created-By: 1.7.0_51
    Permissions: sandbox
    Application-Name: My Farming Business
    Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
    Caller-Allowable-Codebase: www.mycompany.com
    Codebase: www.mycompany.com

Presently I get the following dialog after redeploying with the above manifest:

Application Blocked by Security Settings: Your security settings have blocked an untrusted application from running

Ref: How do I inject new manifest into an existing jar for applet

Also, I have used the following steps to sign my jar:

  1. keytool -genkey -keystore myKeyStore -alias me
  2. keytool -selfcert -keystore myKeyStore -alias me
  3. jarsigner -keystore myKeyStore jarfile.jar me
Miso answered 27/1, 2014 at 6:26 Comment(3)
In my manifest I even have Implementation-Vendor: Company Name, but I don't have a `Trusted-Only` entry. What warnings show in the Java Console? – Vetavetch
In your settings, what is your Java Security level? – Malcom
This is a really well-asked question. Very rare. Very nice. – Frydman
B
4

As for the error you get I can think of three possible problems:

1) Your applet does not ask permission for what it is trying to do.

What happens? The "permissions" tells the user how much "power" the application has over the user's computer. "sandbox" doesn't let the application do much and "all-permissions" gains the applet a little more control. Of course, you would want to use the lowest permission you can (i.e. sandbox) because the lower the permission you use, the fewer warning prompts the user gets. However, if, for example, your applet is trying to gain access to the user's personal files but its "permissions" attribute is set to "sandbox", the applet won't work, as it did not ask permission for what it is trying to do.

How to solve it? Simple, just change Permissions: sandbox to Permissions: all-permissions

2) Your computer is not allowing self signed applications to run.

What happens? Most browsers have very strict rules applying to applets, especially if you're requiring all-permissions (which you are not).

How to solve it? Change your Java security in the Java Control Panel to something lower. You can either search for "java control panel" on your computer or go to this path yourself (Windows 8 can't find the Java Control Panel for some reason, so you have to look for it yourself): C:\program files\java\jre7\bin\javacpl.exe. In the JCP, go to the Security tab and change it to medium.

3) Your operating system doesn't allow you to run applets that you signed yourself. (Pay attention: "applets that you signed yourself", not "self-signed applets", which is everything that doesn't have an official certificate. Operating systems usually treat them differently.)

How to solve it? Upload the applet to a web host service and enter it from another computer; all computers but the ones you signed the applet with should be able to open the applet.


As for what you mentioned about users not getting any security prompts, it is an almost impossible demand. With the variety of OS, browsers and anti-viruses you can never know. However, there are a few methods in which you can reduce the amount of security prompts:

  • Self-signed applets (self-signing is what you did with the command prompt) are very likely to always show security prompts. You can buy an official SSL and it will reduce the amount of prompts significantly.
  • If you are requiring "all-permissions" you'll get many more prompts than if you require "sandbox" permissions.

I highly recommend that you look at the following links:

SSL: Where could I buy a valid SSL certificate?

Permissions: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html


If you've got problem number 1 that would be the manifest file:

    Manifest-Version: 1.0
    Created-By: 1.7.0_51
    Permissions: all-permissions
    Application-Name: My Farming Business
    Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
    Caller-Allowable-Codebase: www.mycompany.com
    Codebase: *

Otherwise (if your problem is 2 or 3), you don't even have to change the manifest file.

As @tigran mentioned, if you want to run your applet from several different places you'd probably want to change "codebase" to *.

Blintze answered 29/1, 2014 at 18:22 Comment(1)
Thank you for the thorough answer. In case someone else stumbles here: I kept the permissions as sandbox, and following your instructions reduced the warnings to simply: Publisher UNKNOWN, which basically means I need to pay a third party for my certificate as opposed to using self-signing. – Miso
D
1

You need to change the permission section to get it to work:

    Manifest-Version: 1.0
    Created-By: 1.7.0_51
    Permissions: all-permissions
    Application-Name: My Farming Business
    Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
    Caller-Allowable-Codebase: www.mycompany.com
    Codebase: *

Permissions: all-permissions is the key part.

Darton answered 29/1, 2014 at 17:11 Comment(1)
I awarded the bounty to the other answer because it is more thorough. But thanks for the * reference. +1 – Miso
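Added example (not part of any answer above, and not Oracle's tooling): a small linter for the deployment attributes these manifests use. It flags a header with no space after the colon, which the JAR manifest format does not accept, and a `Codebase: *` wildcard, which removes the restriction on which hosts may serve the JAR. The function names, severity labels and sample manifests are constructed for illustration.

```python
import re

def parse_main_section(text):
    """Parse the main section of a JAR manifest into ({name: value}, [errors])."""
    attrs, errors, last = {}, [], None
    for n, line in enumerate(text.strip("\n").splitlines(), 1):
        if not line.strip():
            break                                # blank line ends the main section
        if line.startswith(" "):                 # continuation of a wrapped 72-byte line
            if last is None:
                errors.append(f"line {n}: continuation without a header")
            else:
                attrs[last] += line[1:]
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9_-]*):( ?)(.*)$", line)
        if not m:
            errors.append(f"line {n}: not a 'Name: value' header")
            continue
        if not m.group(2):                       # format requires colon followed by a space
            errors.append(f"line {n}: no space after ':' in {m.group(1)}")
        last = m.group(1).lower()                # header names are case-insensitive
        attrs[last] = m.group(3).strip()
    return attrs, errors

def lint(text):
    """Return findings for the deployment security attributes of a manifest."""
    attrs, findings = parse_main_section(text)
    perms = attrs.get("permissions")
    if perms not in ("sandbox", "all-permissions"):
        findings.append("Permissions must be 'sandbox' or 'all-permissions'")
    codebase = attrs.get("codebase")
    if codebase is None:
        findings.append("Codebase absent: JAR is not restricted to any host")
    elif "*" in codebase.split():
        level = "HIGH" if perms == "all-permissions" else "WARN"
        findings.append(f"{level}: Codebase '*' lets any site deploy this JAR")
    if "*" in attrs.get("caller-allowable-codebase", "").split():
        findings.append("WARN: any site's JavaScript may call this applet")
    return findings

# Constructed samples modelled on the manifests discussed on this page.
PINNED = """Manifest-Version: 1.0
Permissions: sandbox
Caller-Allowable-Codebase: www.mycompany.com
Codebase: www.mycompany.com
"""
WILDCARD = PINNED.replace("sandbox", "all-permissions").replace(
    "\nCodebase: www.mycompany.com", "\nCodebase: *")
NO_SPACE = PINNED.replace("Caller-Allowable-Codebase: ", "Caller-Allowable-Codebase:")
```

Run `lint()` over the text of `META-INF/MANIFEST.MF` before signing; an empty list means none of these checks fired.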
J
0

I signed a java applet here and it worked fine. It runs in the browser.

The steps to generate the key and sign the applet were (it is slightly different from your steps):

    keytool -genkey

    keytool -selfcert

// Here's the trick... it actually created another jar!

    jarsigner -signedjar tecladoVirtualSigned.jar tecladoVirtual.jar mykey

This new applet runs. The old app (not signed) shows that permission problem.

Jubilate answered 30/1, 2014 at 17:21 Comment(1)
But the warning shown is as if the jar is not yet signed. That's why I suggested doing the steps again, in a slightly different way: creating another jar with the jarsigner command. – Jubilate
