What does the Java Applet security warning "JAR file manifest does not contain the Permissions attribute" mean?
D

4

23

I have a Java Applet which needs access to the local filesystem of the client. I have created a simple certificate of my own (it is NOT certified by Verisign, Comodo, ...). I signed the jar with the following template:

del \Users\koalabruder\.keystore
"C:\Program Files\Java\jdk1.7.0_45\bin\keytool" -genkey -alias %1 -keypass kp -dname "cn=inin" -storepass ab987c
"C:\Program Files\Java\jdk1.7.0_45\bin\jarsigner.exe" -storepass abc -keypass kp %2 %1
"C:\Program Files\Java\jdk1.7.0_45\bin\keytool" -export -storepass abc -alias %1 -file %3

The simple security warning that I have "no signed certificate" has been in existence for years and is not my problem.

My problem is that the security warning changed because of one of the last Java updates:

This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more Information.

What does it mean? How can I fix it? Do I have to buy a certificate? Do I have to fix the Manifest (MANIFEST.MF)? What is the Permission attribute?

Update: Here is my Manifest from the jar file

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.4
Application-Name: inin 
Permissions: all-permissions 
Created-By: 1.7.0_45-b18 (Oracle Corporation)

Name: net/inin/transfer/ul/UlPanel.class
SHA-256-Digest: asdfasddddddddddddddddddddddddddddddddd=
Downs answered 24/10, 2013 at 11:19 Comment(3)
javaquery.com/2013/10/this-application-will-be-blocked-in.html - Aposematic
same here, permissions set correctly, the JNLP itself is loaded and the app starts, we get the message when the app accesses a https-page on the internet!? - Vatic
I also get the warning only under https, did you find a solution? - Political
S
8

You don't need to buy a certificate, just fix the manifest file.

Add this line:

permissions: all-permissions

Or this line if you need only limited access:

permissions: sandbox
Stedt answered 24/10, 2013 at 11:20 Comment(6)
I have inserted the manifest to the question. It does not work. - Downs
That looks correct, are you sure that manifest is being used when you try to run the applet? Might need to clear your cache in your browser. - Stedt
Wait, are you saying the manifest fails to load or the message still exists? If you are saying the message still exists then there is something else going on, and I would still lean to saying that the permissions piece is fine, but it is not getting updated where you think it is. - Stedt
What do you mean? If I sign the jar the manifest is manipulated. So I think the manifest is loaded. - Downs
If you have added the permissions attribute and are still getting the error that the permissions attribute doesn't exist, then either you didn't really add it or it is being cached somewhere. - Stedt
Putting values into the manifest won't persist, because the manifest is generated. I am adding this data to the template by which the manifest is generated. See my answer for more info. - Extravasation
H
2

I ran into the same problem and changing my manifest did not fix it.

Finally I found out that I referenced a library which came in its own jar with its own manifest. I was using a copy of that jar file that did not have Permissions and Codebase.

So, if you reference any libraries except the JRE System library, check the manifest in the jar file (e.g. by opening it with 7zip). If it does not contain the attributes, you can:

  • Check if the manufacturer has a new version. He might have noticed the problem by now.
  • Unzip the jar file, edit the manifest and jar it again, or
  • Merge the library with your own jar.

For the last two, check the license under which the library is published. Maybe you are not allowed to manipulate the product this way.

Harewood answered 25/12, 2013 at 14:46 Comment(0)
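The check described in the answer above, as an added example that is not part of the original answer: a Python script that reads the manifest of each jar and reports a missing Permissions or Codebase attribute. The sample manifests and helper names are constructed for illustration, and reading only the main section (everything before the first blank line) is an assumption of this sketch.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
REQUIRED = ("Permissions", "Codebase")   # the two attributes named in the answer
ALLOWED = ("sandbox", "all-permissions")  # values given earlier on this page

def main_attributes(text):
    """Parse the main section only; attribute names are compared case-insensitively."""
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            break                         # blank line: per-entry sections follow
        if line.startswith(" ") and last:
            attrs[last] += line[1:]       # continuation of a wrapped long value
            continue
        name, sep, value = line.partition(": ")
        if sep:
            last = name.lower()
            attrs[last] = value
    return attrs

def audit_jar(jar):
    """Return a list of findings for one jar (a path or a file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        try:
            text = zf.read(MANIFEST).decode("utf-8")
        except KeyError:
            return ["no " + MANIFEST]
    attrs = main_attributes(text)
    findings = ["missing " + n for n in REQUIRED if n.lower() not in attrs]
    perm = attrs.get("permissions")
    if perm is not None and perm.strip() not in ALLOWED:
        findings.append("unexpected Permissions value: %r" % perm)
    return findings

def make_jar(manifest, name=MANIFEST):
    """Build a constructed in-memory jar so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, manifest)
    buf.seek(0)
    return buf

# Constructed samples: the applet jar is fixed, the bundled library is not.
APPLET = "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\nCodebase: *\r\n\r\n"
LIBRARY = ("Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
           "Name: lib/Util.class\r\nPermissions: sandbox\r\n\r\n")

if __name__ == "__main__":
    for label, text in (("applet.jar", APPLET), ("library.jar", LIBRARY)):
        print(label, audit_jar(make_jar(text)) or "ok")
```

Pass real file paths to `audit_jar` to check every jar the applet loads, not only the one you built yourself.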
E
1

In NetBeans I noted that the manifest file is generated during build, so briefly, what I have done to fix this issue is to include my manifest attributes inside the template which is responsible for generating the manifest.

To do so, follow these steps:

1- Open this file with any editor: (PATH)\nbproject\jfx-impl.xml
(PATH): is the path of your project.

2- Search for "// manifest". Mine looks like:

                // manifest
                var man = jar.createManifest();
                var a1val = project.getProperty("application.vendor");
                var a1 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a1.setName("Implementation-Vendor");
                a1.setValue(a1val);
                man.addConfiguredAttribute(a1);
                var a2val = project.getProperty("application.title");
                var a2 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a2.setName("Implementation-Title");
                a2.setValue(a2val);
                man.addConfiguredAttribute(a2);
                var a3 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a3.setName("Implementation-Version");
                a3.setValue("1.0");
                man.addConfiguredAttribute(a3);


                //******insert your Attributes code here*******

                jar.perform();

3- Under "//******insert your Attributes code here*******", you can insert your own manifest attributes code. In my situation it's enough to include codebase and permissions. You can use my code as well:

                ...                 
                //******insert your Attributes here*******
                var a50 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a50.setName("permissions");
                a50.setValue("all-permissions");
                man.addConfiguredAttribute(a50);

                var a51 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a51.setName("codebase");
                a51.setValue("*");
                man.addConfiguredAttribute(a51);
                ...

4- Then build and you won't see that warning again.

Some notes:

Good luck.

Extravasation answered 6/11, 2013 at 9:41 Comment(0)
H
1

I've met this warning while updating the signature on a pre-existing applet (a component that interfaces with a user smartcard, and so to work correctly needs to be signed with a "strong" certificate).

Adding also the codebase attribute, e.g. "Codebase: xyz.com", actually makes the warning disappear (note that the original warning text was referring, as in this case, to issues related to the "Permission" attribute, not the codebase one...).

It's probably a bug in the JRE?

Hydroscope answered 13/1, 2014 at 10:34 Comment(0)
