Cannot launch applet using Java 7u21
Asked Answered
S

4

7

So we installed the Java 7u21 release that is supposed to tighten the security for applets. Unfortunately it tightened it so much that our applet does not run anymore. Not good.

The interesting thing is that it only stopped working while we operate it with JWS. If we launch it as a standard applet from a standard web page everything works fine.

In JWS mode we get security issues on at least reflection and java.lang.Thread.setDefaultUncaughtExceptionHandler.

The certificates look ok.

The release notes from Oracle does not provide much input on anything related to JWS.

My question to the community is hence: does anyone have an idea or (even better) a solution to this?

Additional info related to the given suggestions/comments:

This applet is run by hundreds of third-party clients worldwide so changing the security policy is unfortunately not an option. The issue is reproducible for the clients. I can however confirm that changing the policy file resolves the issue.

When I run the applet from a Tomcat launched from Eclipse (thereby of course not having a signed applet) it brings up the warning notification in the browser as expected. Being the gullible person that I am I allow the applet to run since it was launched from my own dev environment. This still causes the security failure.

I have contemplated if this is a bug in Java but I want to see if there is anyone else seeing the same issue. I think we all know that the Oracle turnaround time for fixing bugs is not always the best...

Thanks for any input.


Thanks a lot Tony, your suggestion get me able to create applets in 7u21, propperly; i considered it as a forward step the fact that i am signing and waking up many applets yet over the browsers, these over 7u21. I culdn't to do it today earlier. But i get trapped since some hours, in the fact that i have not reached to wake my first third party applet from the legacy app i have (i.e. working fine in JVM 1.6 or the older).

The applets involved, i signed them, but i always get the error: SecurityException - "Bad applet class name". I have some applets, and html code calling them, the problem is that my first applet in chain (neither any other in the invoke chain) might not behave like the other signed applet are doing propperly (these applets are from java web site for training), this 3th party applet simple does not run and throw de exception above mentioned. My thrid part applet i dont know what it does internally. Sorry i might be asking for a particullar case that is no easy to solve without the source code, however, please trust to tell me any idea no matter wich it is.

best regards

Stendhal answered 18/4, 2013 at 12:48 Comment(2)
Check the bug DB for hits. If none found, raise a new one.Benny
Maybe this gives some more detailed info: Java 7 Update 21 Security Improvements in DetailRejoinder
S
4

My colleague cracked it. Giving vodka to a Polish guy can sometimes produce the needed inspiration. :-)

Anyway, it seems like the security tag is now required in the jnlp information sent to the applet (what is being returned with content type set to application/x-java-jnlp-file).

By adding

<security> 
    <all-permissions/>
</security>

it works.

Hope this helps.

Stendhal answered 2/5, 2013 at 9:6 Comment(0)
C
4

Here is the page that explains it.

Oracle Code on Mixed code

What you need to do is take all of your jars are get the new TrustedLibrary line in the manifest file. For me that meant a recompile of older code. You could probably just unjar the current jars and then rejar including the TrustedLibrary line.

You also MUST sign all of your code. Not just the applet. That means if you have 3 jars then all the code in all 3 jars must be signed also.

Cohligan answered 19/4, 2013 at 0:18 Comment(0)
S
4

My colleague cracked it. Giving vodka to a Polish guy can sometimes produce the needed inspiration. :-)

Anyway, it seems like the security tag is now required in the jnlp information sent to the applet (what is being returned with content type set to application/x-java-jnlp-file).

By adding

<security> 
    <all-permissions/>
</security>

it works.

Hope this helps.

Stendhal answered 2/5, 2013 at 9:6 Comment(0)
S
1

The following quote from the Security page of the Java SE documentation is pertinent:

"The standard java policy files can be used to enhance the permissions granted to untrusted apps. In addition to $JRE_HOME/lib/security/java.policy and $USER_HOME/.java.policy (used by all java programs), applications and applets loaded by Java Web Start and Java Plug-in load two additional policy files, whose location can be configured by the deployment configuration properties: deployment.user.security.policy and deployment.system.security.policy."

Check the policy files in those locations.

Sanburn answered 18/4, 2013 at 13:0 Comment(0)
G
1

An additional hint to all developers using unsigned applets. Last week at the JAX2013 conference, Wolfgang Weigand from Oracle mentioned that after the October 2013 Java 7 Release there will be only the highest level of the applet security slider, i.e. only applets signed with a trusted (not selfsigned) certificate will be able to run. Up to now, this information has not been published yet on the official Oracle web site.

The answer above quoting from the JAVA6 Security page may be a bit outdated due to the latest security changes in Java Platform

Gelinas answered 29/4, 2013 at 21:0 Comment(2)
So signing jars with a key from an own made keystore won't work anymore?Makalu
@Makalu If Oracle realises these security enhancement as explained on the conference then the answer is yes.Gelinas

© 2022 - 2024 — McMap. All rights reserved.