Warning relied on Caller-Allowable-Codebase attribute not shown always
I have the following manifest information in the signed Java applet. My build environment is old and is currently restricted to JDK 1.6.

Manifest-Version: 1.0
Implementation-Vendor: Foo, Inc.
Application-Library-Allowable-Codebase: *
Application-Name: FooBar
Permissions: all-permissions
Sealed: true
Created-By: 1.6.0_20 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: https://*

According to Java documentation -

If a stand-alone asterisk (*) or an asterisk used with a top-level domain such as *.org is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to your RIA show a security warning. Users have the choice to allow the call or block the call. An option to remember the choice is also provided. If the user chooses to remember the choice, no further warning messages are shown for the same RIA when it receives calls from JavaScript code from the same source.

JavaScript code in my web application relies on the return code from the applet to show the appropriate status on the portal. The messages shown vary depending on the status code returned. But for this to happen, the Java warning window should appear. In Firefox v51 & JRE 1.8.121, this warning window shows up only sometimes. When it doesn't, communication between JavaScript and the applet is absent. What could be the issue that makes the warning window not appear all the time?

Abloom answered 9/2, 2017 at 21:48 Comment(4)
Can you provide a reproducible example? See stackoverflow.com/help/mcve and sscce.org. Also, have you debugged (debug logging, etc.) to know what's happening when you're not getting the warning dialog? - Sized
Java applets are old and going to be deprecated in Java 9; also, browsers are removing support for the Java plugin. - Cockroach
If possible, rebuild your front-end in HTML5 and JS, possibly using jQuery for AJAX calls to your web application, and structure it properly. If not, your product is very doomed. Also, your configuration is highly insecure for your applet: any codebase, all-permissions. I really hope you validate well, because that is just begging for a code-injection attack. That's one of the main reasons applets were discontinued anyway: lack of decent security. - Cousins
@AdamEdison-MusicEducator It seems like security is available in Java applets. The problem is in not applying security to applets and granting all permissions to everything. I imagine most users do not look into their Java security manager settings or even have a security manager applied. - Bascule
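As an added example (not from the question or its comments), here is a small Python check that parses the manifest shown above and applies the quoted documentation rule: it flags Caller-Allowable-Codebase entries that force the JavaScript-to-applet prompt (and so leave the page without a reply when the prompt is blocked or missing), and flags all-permissions being reachable from a wildcard caller. The regex used for the whole-TLD wildcard is an assumption and only covers single-label TLDs such as .org.

```python
import re

# Constructed sample: the manifest from the question above, reproduced verbatim.
MANIFEST_TEXT = """\
Manifest-Version: 1.0
Implementation-Vendor: Foo, Inc.
Application-Library-Allowable-Codebase: *
Application-Name: FooBar
Permissions: all-permissions
Sealed: true
Created-By: 1.6.0_20 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: https://*
"""

def parse_manifest(text):
    """Parse JAR manifest main attributes: 'Name: value' lines, where a line
    beginning with a single space continues the previous value (JAR spec)."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
        elif ":" in raw:
            name, _, value = raw.partition(":")
            last = name.strip()
            attrs[last] = value.strip()
    return attrs

def prompts_on_js_call(entry):
    """True for a bare '*' or a whole-TLD wildcard such as '*.org': per the
    quoted Java documentation, those make the JRE prompt the user on every
    JavaScript call. A host-scoped entry such as '*.example.com' does not."""
    return entry == "*" or re.fullmatch(r"\*\.[A-Za-z]+", entry) is not None

def audit(attrs):
    """Return review findings for this manifest's applet attributes."""
    findings = []
    callers = attrs.get("Caller-Allowable-Codebase", "").split()
    for c in callers:
        if prompts_on_js_call(c):
            findings.append(f"Caller-Allowable-Codebase '{c}': JavaScript calls "
                            "require a user prompt; if it is blocked, no reply")
    if attrs.get("Permissions") == "all-permissions" and any("*" in c for c in callers):
        findings.append("all-permissions reachable from a wildcard caller codebase: "
                        "any page matching it can drive the privileged applet")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_manifest(MANIFEST_TEXT)):
        print("-", finding)
```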
I am using the same LiveConnect method to communicate between the applet and JavaScript. I came across many different warning screens throughout the past few years, from JRE6u45 until the current JRE8u131. It depends on which warning screen you are now facing.

Did you use Firefox every time? Firefox has not supported the Java plugin since a certain version, see here. FYI, Chrome and MS Edge do not support Java applets. Please check that you are not using them.

The Caller-Allowable-Codebase attribute should not trigger any warning. It should block the applet from running if it does not include the domain correctly. There should be no warning message that allows you to run.

Generally, most warning screens come from the JRE instead of the browser. So you may also check the following items:

  • The code signing cert is valid and not expired.
  • Go to the Java Control Panel and clear the applet cache (General tab).
  • "Enable Java content" is checked (Security tab).
  • Restore Security Prompts (Security tab).
  • Mixed code is enabled to show a warning if needed (Advanced tab).
  • Enable logging and tracing, and show the Java console (Java Control Panel -> Security tab).

Please provide more details, screenshots, or the warning messages you have.

Dolora answered 23/6, 2017 at 16:43 Comment(0)
