How do I fix "missing Codebase, Permissions, and Application-Name manifest attribute" in my JNLP app?

Asked 29/10, 2013 at 13:8 Answered 16/5, 2016 at 7:27

With the recent Java updates, many people are having trouble with their Java Web Start apps lacking Codebase, Permissions, and Application-name manifest attributes. Although there are resources out there to help you accomplish this, I couldn't find any comprehensive answers to this question, I so I felt a Q-and-A would be good. So, here's the question:

My Java Web Start app displays the following warnings in the console:

Missing Permissions manifest attribute for: http://www.codebase.com/myApp/dist/myApp.jar
Missing Codebase manifest attribute for: http://www.codebase.com/myApp/dist/myApp.jar
Missing Application-Name manifest attribute for: http://www.codebase.com/myApp/dist/myApp.jar

How do I fix this?

Clearing answered 29/10, 2013 at 13:8 Comment(0)

(1) First, you need to create a text file with all of the attributes you want to add. My text file looks like this:

Permissions: all-permissions
Codebase: http://www.codebase.com/myApp/dist
Application-Name: My Application

I named it addToManifest.txt. Obviously, you'll need to change the parameters to match your application's needs.

(2) Next, you need to add this to the main .jar and all of the libraries as well. The command to do this is:

jar ufm dist\myApp.jar addToManifest.txt

of course dist\myApp.jar will need to point to whatever your main .jar is. You'll also need to do this for all of the libraries as well.

jar ufm dist\lib\jcommon-1.0.16.jar addToManifest.txt
jar ufm dist\lib\jfreechart-1.0.13.jar addToManifest.txt
jar ufm dist\lib\joda-time-2.2.jar addToManifest.txt
...

(Note: on Windows, I wrote a .bat file for this.)

Once you do this, the attributes should be written to the .jars. You can open the .jars in a zip manager (like 7-Zip), extract the MANIFEST.MF file, open it in a text editor, and you should see the attributes listed.

(3) After adding the attributes, you need to resign your app. The command to do that is:

jarsigner dist\myApp.jar -keystore "C:\myApp\KEYSTORE.ks" alias -storepass password

You'll also need to do this for all of your libraries as well:

jarsigner dist\lib\jcommon-1.0.16.jar -keystore "C:\myApp\KEYSTORE.ks" alias -storepass password
jarsigner dist\lib\jfreechart-1.0.13.jar -keystore "C:\myApp\KEYSTORE.ks" alias -storepass password
jarsigner dist\lib\joda-time-2.2.jar -keystore "C:\myApp\KEYSTORE.ks" alias -storepass password

After that, your attributes should be added and your .jars should be signed!

NOTE: You only need to sign/deploy your libraries once unless you are changing the library structure. i.e., if you are updating your app but the libraries have already had their manifests altered, signed properly, and deployed, you won't need to resign/deploy the libraries unless you are adding/removing libraries from your app.

NOTE #2: The current version of Netbeans will add Codebase and Permissions manifest attributes to your primary .jar only, but not to your libraries. If you use Netbeans, you will receive a warning from the jar utility when you try to add a duplicate manifest attribute. There is a bug report in the queue to have this fixed https://netbeans.org/bugzilla/show_bug.cgi?id=234231.

EDIT: The latest version of Netbeans (8.0) now adds all three (Codebase, Permissions, and Application-Name) to the manifest for you.

Clearing answered 29/10, 2013 at 13:8 Comment(10)

"Note: If the Codebase attribute does not specify a secure server, such as HTTPS, some risk exists that your code could be repurposed in Man-in-the-Middle (MITM) attack schemes." See also JAR File Manifest Attributes for Security, cited here. – Mlawsky 29/10, 2013 at 18:34

Could you advice on how to deal with the situation where Codebase is unknown, i.e. I need to have Codebase: * in the manifest, as application is deployed in many places. Is there any way to avoid warnings? Thanks. – Phenylketonuria 15/11, 2013 at 8:46

@Phenylketonuria Either package it specific for each deployment, or easier, package it for one place, then simply call that single deployment from all the other apps. – Synergistic 22/1, 2014 at 10:25

Is it possible to just enter the manifest with a zip manager and change it by hand? wouldn't it be simpler? – Hennessy 22/1, 2014 at 16:52

@Amos, no. That definitely wouldn't be simpler. Especially if you need repackage/resign your .jars every time you release an update. – Clearing 4/2, 2014 at 13:26

Don't forget to add a newline at the end of the file! – Urbain 9/3, 2014 at 0:25

is this fixed in netbeans 8?? It would be great if you edit this great answer if it is solved :D – Zitvaa 12/4, 2014 at 2:52

@johnny, this is done on the .jar files that contain your application which get deployed to the server. The program is launched via a .jnlp file which is downloaded to the client and executed. – Clearing 12/8, 2014 at 15:32

Someone can help me #53960404 Thanks!! – Jamison 28/12, 2018 at 14:15

Note: My tests suggest that Manifest!Application-Name should be the same as jnlp!information.title – Marinetti 17/5, 2019 at 12:24

Another way could be to handle it in your build script itself.

Step 1: Define a target to update

<target name="updateManifest">
    <manifest file="${file}" mode="update">         
        <attribute name="Trusted-Only" value="true"/>
        <attribute name="Permissions" value="all-permissions"/>
        <attribute name="Codebase" value="*"/>          
    </manifest>
</target>

Step 2: Call the update target and use the new manifest in jar

    <ant target="updateManifest">
        <property name="file" location="manifest.use" />
    </ant>

    <jar jarfile="${jar_name}.jar" manifest="manifest.use">
        <fileset dir="${dest}">
            <include name="File1" />                
        </fileset>
    </jar>

Buckeye answered 30/10, 2013 at 6:16 Comment(1)

+1 -- it'd be even cooler if you provided the signjar task, as that needs to be (re)done as shown in step (3) of https://mcmap.net/q/456386/-how-do-i-fix-quot-missing-codebase-permissions-and-application-name-manifest-attribute-quot-in-my-jnlp-app – Vidicon 18/7, 2014 at 21:32

If the error message looks like this:

Missing Application-Name manifest attribute for: server root/filename.jar

You can solve it this way:

Start control panel
Choose Java Control Panel
Select Security tab
At Exception Site list click on Edit Site List button
Click on Add button.
Type the server root (eg.:https://ibank.cib.hu), and press OK
Restart your browser/application.

Resource here.

Alpaca answered 23/1, 2014 at 8:32 Comment(5)

This isn't really a solution. This is just a way to ignore the problem, not solve it. Shutting down the computer would be another way to ignore the problem without solving it. – Clearing 6/2, 2014 at 12:55

@Clearing this answer is for end-users. – Alpaca 10/2, 2014 at 10:53

I think this a good solution, usually you don't want all sites to be trusted. – Cutthroat 4/5, 2014 at 20:29

@2astalavista, understood. Only problem is, the Missing Application-Name message is a warning that only appears in the console, not an error that will be manifest to the user unless they are clever enough to display the console. Further: we should be loath to suggest a work-around so that the end-user can rid themselves of a security warning just because they consider it a nuisance, even if they are powerless to fix the problem outright. I don't know what Oracle was hoping for with this warning, but it exists for a reason. – Clearing 9/5, 2014 at 4:38

@Clearing if it only appear in the console, I would not got involved in this problem. – Alpaca 9/5, 2014 at 11:54

If you use Netbeans, set those attributes in your file nbproject/project.properties:

manifest.custom.codebase
manifest.custom.permissions
manifest.application.name.attribute

The very last one is supported only by Netbeans >= 8.0 (see here). The others should work even in Netbeans 7.2. I set jnlp.mixed.code to trusted_only too but maybe it isn't appropriate in your case. You can modify your file jnlp-impl.xml at your own risk if you can't switch to a more recent version of Netbeans.

atulsm's suggestion is better if you don't use Netbeans.

Fenugreek answered 17/4, 2015 at 12:59 Comment(0)

Sample for adding manifest to jar and signing jars..

<target name="-post-compile">
        <jar destfile="${build.web.dir}/jars/app.jar" >
            <fileset dir="${build.classes.dir}">
                <include name="com/sample/test/client/**/*.*"/>
                <include name="com/sample/test/share/**/*.*"/>
            </fileset>
            <manifest>
                <attribute name="Author" value="${user.name}"/>
                <attribute name="Permissions" value="all-permissions"/>
                <attribute name="Codebase" value="http://localhost:8080/app/"/>
                <attribute name="Application-Name" value="App"/>
            </manifest>
        </jar>
        <signjar keystore="app.keystore"  storepass="test"  jar="${build.web.dir}/jars/app.jar" alias="tomcat" />


        <copyfiles files="${file.reference.javadatepicker.jar}" todir="${build.web.dir}/jars"/>


        <delete dir="${build.web.dir}/WEB-INF/classes/com/sample/app/client"/>
        <!--keytool -genkey -alias tomcat -keystore app.keystore -keypass test -storepass test -validity 1960-->
        <signjar keystore="app.keystore"  storepass="test"  jar="${build.web.dir}/jars/javadatepicker.jar" alias="tomcat" />

    </target>

Envy answered 16/5, 2016 at 7:27 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags