I have Java 1.7 installed. We have a web site with two applets. When one of them is loaded I receive the following dialog. When the other is loaded I don't. Why is it that some applets cause this security warning and others don't?
Is there something in particular that causes this warning?
Dialog text in searchable form:
Do you want to run this application? Your version of Java is insecure and an application from the location below is requesting permission to run.
Is there something in particular that causes this warning?
Code that is not digitally signed. See Java 7 Update 21 Security Improvements in Detail .
After further investigation I discovered the cause of this warning. This is apparently a new security feature of Java 7. When you execute an applet a call is made home to Oracle to see if your Java is up to date. If it is not up to date you receive this new dialog letting you know so. The primary risk identified in the dialog is that there is a new patch for Java. If you update Java you will no longer receive this dialog until the next update comes out.
Related
We are trying to download something from GE that uses Java to download when logging into the site. This is a windows 7 Professional PC. I have other computers that are able to do this successfully. Here is my order of operations:
Log into the site and select the file I want to download
Click download
It takes me to the page that says it will start in a few seconds but nothing happens. It is supposed to have a box that asks for Java to run.
I have reinstalled Java fresh and still nothing. Tried with multiple user accounts. Added the site to the list of exceptions in the firewalls and Java configuration. I have tried an earlier version of Java. This happens in Mozilla, Chrome and IE. I have made sure that the Java plugin shows up and is enabled. I just cant think of what I am missing. And since we are a contractor GE is not going to help us. Can anyone here think of anything?
Are you sure you have the Java plugin enabled? e.g. in Firefox, go to Settings, Plugins, and change Java Platform SE8 'Next Generation Java Plugin' to 'always activate'?
This sounds similar to the issues I had with Cisco WebVPN, Java-style. Once you have Java installed correctly and set as a plugin for any of the browsers you would like to use, see below.
Before you even start looking at browsers - if you think it is already set up correctly
Look at your Anti-Virus programs or anything else that could prevent it from working. McAfee Host Intrusion Protection is known to cause many Java programs to fail. Kapersky had issues, a while back, with Java on Windows (Java Applets not loading in Windows 8 ).
You must have a 64-bit browser to use 64-bit Java (also mentioned in the Chrome link below).
See below for any specific things that can be modified in the browser.
Chrome 43 is the more complicated browser to set up. They have a dedicated page with instructions.
How do I use Java with the Google Chrome browser?
Firefox 38 will prompt you.
In Internet Explorer 11, it's under Internet Options->Security. I recommend adding the hostname the applet is on as a Trusted Site (Select Trusted Sites and click the Sites button, then add the first part of the url). Click the Custom level button and make sure that Scripting of Java applets is not disabled.
If you still have problems with the applet:
Verify your Java version will work with the applet you are accessing
Verify the plugin is enabled for the browser through the Java Control Panel, which is available in Windows Control Panel, or on Mac/Linux, execute it from the JDK directory ($JAVA_HOME/ControlPanel ).
I ended up fixing the issue. I had to allow their UK site on the list for Java and enable the SSL 2.0 for HTTP in Java config as well
I am trying to run a small applet in my Chrome window, but am getting the error message.
I do see all the replies telling me to change my security to medium, but that option does not exist in version 8. So far several hours of googling and asking help from classmates has brought no progress.
Can anyone suggest something please?
Medium was removed in Java 8u20:
Medium (removed from Java 8 Update 20 and later versions)
Only unsigned applications that request all permissions are blocked. All other applications are allowed to run with security prompts. Selecting the Medium security level is not recommended and will make your computer more vulnerable should you run a malicious application.
Keep in mind, this only applies to unsigned applets that request all permissions.
What to do
To run these applets, you now must add the site to the exception list under the Security tab when you access your Java settings from the Control Panel.
If the applet is not on a website, you must use the applet viewer, which allows you to run applets outside of a browser
I have already asked this and was heavily downvoted. Unfortunately, I still can't solve it. I don't know what I do, but sooner or later I loose an ability to run java applets and java web start applications in all browsers.
Here is an example what is happening.
I am opening page with applets http://csis.pace.edu/~bergin/Java/applets.htm and getting the following picture:
with signs plugins were blocked. I am trying to unblock
which causes another dialog
after OK I have another
next
if clicked
And so on.
Applet doesn't run.
After dancing with PATHes, Java updates and so one, once I can have applet run. But sooner or later I will stuck in this position again.
I would like to know, is it possible to exclude this situation in principle?
I mean I don't want to disable security at all, but I mean that in case my explicit permission everything should run. Is it possible to do that?
UPDATE
First of all, I don't understand, why can't I run applet on outdated java if I want?
I am a human and robots should obey me! :)
Suppose I wish to debug my applet on old version of java, why not?
Second, there is no information about what version it thinks I have and what version it wants?
Without this information it is possible that there is just a bug in version detection mechanism.
I have multiple versions of Java in Program Files since I am a Java developer. Then how can I know which one it uses?
UPDATE 2
I have updated my Java from 1.8.0_20 to 1.8.0_25 and now situation have changed, but applets are sill impossible to run.
The proof I have "latest" java:
The proof I have added the site above to exclusions list:
The effect of applet run:
(applet not runs)
Clicking details result:
(no any details in fact)
So, what to do?
UPDATE 3
This site is not working: http://ssd.jpl.nasa.gov/sbdb.cgi?sstr=2012VP113;orb=1;cov=0;log=0;cad=0#orb
(show orbit diagram)
Reloading/restarting browser does not help.
I looked at your html source and realized you're using the .class file directly instead of wrapping it in a jar file. This is what you have:
<applet code="GSort.class" width=700 height=400>
I think applets no longer work when using .class files directly due to new security requirements. They have to be wrapped in jar files because you need to add some security settings to the meta-inf folder of the jar file. Here is how oracle recommends deploying an applet:
https://docs.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html
Edit:
I tried again with adding the site url to the Java security exception list and this time I got it to work! It looks like chrome stays in memory after exiting so changing Java security doesn't affect it unless you shut down chrome completely and restart it. Easiest way is to use Internet Explorer. Try it with Internet Explorer and it should work (assuming that you still have the site added under java security exception list).
Is there a way to point to a specific JRE/JDK location to run a JWS application? I'm looking into specifying the actual location of the JRE, not only it's version via Java SE element of JNLP file. I dont want to access any system JRE, I only want to use whats bundled with my application.
Currently I am trying to bundle 1.6_45 with my app. However I am encountering issues when a user has 1.7_xx JRE installed on their system. It blocks the launch of the webstart application. The jars are self signed and getting them signed by a CA authority is not an option as it is too $$. I changed the j2se version tag in my jnlp to say 1.6* and this allowed it to run with 1.7_xx present. One bug squashed.
Now the issue is that systems are being upgraded to 1.6_71 [private oracle version], that apparently has some 1.7 security fixes backported in it. So now because of the jnlp tag having 1.6*, my app is picking up 1.6_71 and completely hanging. Webstart just opens the java console and hangs. I tried adding -Djnlpx.home to the jnlp java-vm-args, pointing to the bundled jre/bin, but no luck there.
One way I tried [from a post here on SO] is that I created a shortcut to my particular javaws passing the jnlp file location as a parameter. This did not work. It still picked up 1.6_71 and hung.
At this point, if I google anymore, its going to start showing me a captcha...sigh.
Any pointers are greatly appreciated! Thanks!
Is there a way to point to a specific JRE/JDK location to run a JWS application?
Short answer, no. Long answer, nope.
Oracle's latest release of Java 7 Update 51 includes new security changes that will block some applications. This is the new "security baseline" and there is apparently an equivalent code level for 1.6.
One of the configuration options that helps determine what exactly happens is the Security Level, found in the Security tab from (Windows) Control Panel -> Java. If you set the security level at it's lowest (can't remember the name) then you might not get blocked. Security level High will block unsigned and self-signed. Security Level Very High will be even more restrictive, like blocking an expired application - meaning the certificate has expired.
Also, maybe you could try setting the specific level of the JRE you want to run - see the link
http://docs.oracle.com/javase/6/docs/technotes/guides/javaws/developersguide/syntax.html#jnlp
for more info.
I recently updated to Java 7 (Update 45) and now my website applet deployment is triggering two security dialogs. The first one is the "normal" one, that shows the information of the certificate that signed the applet. Everything fine with that. However a second popup occurs now right after that, asking again to allow the Java application (must be the applet).
Why is that second dialog appearing and how does one control what values are used there for application name and publisher?
Allow access to the following application from this website?
You need to include Caller-Allowable-Codebase: in your manifest file. If you need to be able to use it from different domains and you know them all in advance then you can just include them in a space separated list. If you don't know all domains you'll be deploying to then use * as the value instead.
See this page for details on this attribute: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#caller_allowable
http://java.com/en/download/help/javascript_applet.xml
The website uses JavaScript code in conjunction with the Java application. This message is shown to alert you of a possible security concern because the website was not explicitly granted access permission by the application.
This is part of the new security feature introduced in Java 7 update 45:
http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html#newft
The JavaScript to Java (LiveConnect) security dialog prompt is shown once per Applet classLoader instance
I don't checked it yet, but it looks like one needs to assamble different builds for each domain where the applet shall run, now.