Java Applet - "Block potentially unsafe components from being run?" message [duplicate] - java

Since the latest Java update, two of my applets are displaying a warning pop-up to our users even though both of the jar files we are using are signed. I have verified they are signed using the jarsigner -verify MyJarFile.jar command. Below is the popup message we are seeing...
My applet invokes a C++ dll through JNI. The C++ dll invokes a C# netmodule.
Does anyone know what I can do to get this popup to go away? It says the application contains both signed and unsigned code, but I am signing every java file (there is only 1) in my jar file. Is there a higher level of signing I need to do?
Edit: This is occurring as of the latest Java update. See the quote below taken from this page.
Authors and vendors of applications deployed using either Java applets or Java Web Start technology – applications distributed to end users at runtime via the web browser or network - should sign their code using a trusted certificate for the best user experience. Specifically, all Java code executed within the client’s browser will prompt the user. The type of dialog messages presented depends upon risk factors like, code signed or unsigned, code requesting elevate privileges, JRE is above or below the security baseline, etc. Low risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk.

I figured out the answer. I did not have a manifest file in my eclipse project, so I created a file called manifest.mf and put the following code into it.
Manifest-Version: 1.0
Trusted-Library: true
When building the jar file in eclipse, on the 3rd page, it asks you for a manifest file. I believe it defaults this option to 'Create a manifest file for me', but this manifest file only contains the first line above. Choose the option that says 'Use existing manifest from workspace', and choose your manifest.mf file you just created. Then sign your jar as you normally would.
It was the Trusted-Library attribute that fixed the problem. Check out this page for more information on this attribute and other Privileged code jar files.
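As an added example (not code from the answer above, nor from Oracle), the following Java program lists the manifest attributes the Java plug-in consults when deciding which security dialog to show and reports whether a signature file is present; the attribute names are real, the class name and output layout are assumed. It is run as: java JarManifestAudit MyJarFile.jar

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Added example (hypothetical class name): audit a jar's manifest for the
 *  attributes that drive the Java plug-in's security dialogs. */
public class JarManifestAudit {

    // Real manifest attribute names. Trusted-Library / Trusted-Only are the
    // "privileged code" attributes the answer refers to; Permissions and
    // Codebase were introduced in later Java 7 updates.
    private static final String[] SECURITY_ATTRIBUTES = {
        "Permissions", "Codebase", "Application-Name",
        "Trusted-Library", "Trusted-Only"
    };

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarManifestAudit MyJarFile.jar");
            System.exit(2);
        }
        try (JarFile jar = new JarFile(args[0])) {
            Manifest mf = jar.getManifest();
            if (mf == null) {
                System.out.println("no META-INF/MANIFEST.MF in jar");
                return;
            }
            Attributes main = mf.getMainAttributes();
            for (String name : SECURITY_ATTRIBUTES) {
                String value = main.getValue(name);
                System.out.printf("%-17s %s%n", name + ":",
                                  value == null ? "(absent)" : value);
            }
            // A signed jar carries META-INF/*.SF plus a *.RSA/*.DSA/*.EC block.
            // Presence is not verification: 'jarsigner -verify' does that.
            boolean signatureFile = false;
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                String n = e.nextElement().getName().toUpperCase();
                if (n.startsWith("META-INF/") && n.endsWith(".SF")) {
                    signatureFile = true;
                }
            }
            System.out.println("signature file present: " + signatureFile);
            // Trusted-Library marks the jar as callable from unsigned code
            // without the mixed-code prompt, so its presence deserves a look.
            if ("true".equalsIgnoreCase(main.getValue("Trusted-Library"))) {
                System.out.println("note: Trusted-Library is set; confirm this jar"
                    + " is meant to be called by unsigned code");
            }
        }
    }
}
```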

Related

Using FileChoosers, JNLP API's under Java Web Start to choose files

I'm using the following link to access JNLP API's:
Using Filechooser
The project: JWSFileChooserDemo
Basically I want an Open and Save dialog box to get a "text" file from the user, save it on the server, read it, process it etc. and then show the same .java file on the website.
For the above 2 lines I've tried:
1. "Integration of Applet with Web Application", this integration works correctly but integration of "Applet .jar file in Web Application" restricts the reading of file.
2. Then I used Servlets to do the same job, but file reading doesn't work there for me.
3. Now, I'm using JNLP, Java Web Start for the same.
But according to what I've read on the website, the applet should be signed for these file operations. Under NetBeans IDE there is an option to enable Web Start and self-sign an applet. But this doesn't work for me.
I created the same program as mentioned in the link (using javax.jnlp), but after clicking on Open, it is looping to the else statement, which shows "User cancelled save request.".
I think the above error is because the applet is not signed properly, as when I run the JNLP file given on the link it asks for the following confirmation, i.e.
So, should I sign an applet using Project properties->WebStart->Enable WebStart->signing->self-signing by generated key, or by signing it using keytool with a generated certificate, i.e. a .crt file? Is there any other way to do this?
Is there any other way to do this?
It is possible to use the JNLP API services in an unsigned application. Having said that, Oracle has decided that in a future JRE, unsigned code will not be loaded at all (using the default security preferences).
Note that those two linked pages refer to two different ways to load files.
'Using Filechooser' uses the JFileChooser provided with Swing. An applet/JWS app. that uses a file chooser needs to declare all-permissions in the launch file.
The JWSFileChooserDemo demo, OTOH, uses the JNLP API file services, and would produce a prompt at run-time similar to the one shown. At the moment these do not need to be signed.
As far as 'self signed' goes, Oracle has also put warnings against using that. The publisher of a self-signed app. at the moment, will show as UNKNOWN with extra warnings about accepting code from unknown sources. In the future, the JRE will also automatically reject self-signed code.
For the longer term, the only real option is to supply a digitally signed app. Signed using a verified certificate from a Certification Authority.

How to sign (dynamic) JNLP files for OSX and Gatekeeper

My company produces Java Applications for Servers and delivers JNLP files to start local Applications. Since OSX 10.8.4 it is required to sign JNLP files with a Developer ID to keep Gatekeeper happy (it's actually in the release notes at the very bottom).
The question is: how to accomplish this? AFAIK you can sign Apps (we have some Java Apps signed with Developer IDs), but JNLP files are just that: files.
Next: how to do this with generated JNLP files. We have to modify them as they come from a server - e.g. properties, base URL and so forth.
AFAIK Java has a certain mechanism to say JNLP files are signed via their respective JAR file (the one that holds the main class), but as Jar files are signed with a different certificate they will not satisfy Gatekeeper either.
I did find one reference on how to sign tools and stuff, but it does not apply to the scenario of dynamic files.
What I do not want as answers: Right-Click and Open to override the Gatekeeper or change the System- or Java settings. This is not an option.
[UPDATE]
Since OSX 10.9.5 you also have to sign using OSX 10.9+ and have valid version 2 signatures. How will this be done?
I think I found a solution. The only one I can currently think up. We basically need to wrap the JNLP with a custom app launcher, sign the app, make sure we can modify the JNLP on the fly on a server and then have it run.
As you may be aware, there is an app bundler project which can wrap up any JAR files into an OSX executable. This can be signed, delivered and will not fail Gatekeeper. I made a custom fork (which is up for a pull into the main fork) that can take a JNLP file, wrap it up and you have a custom application doing just all the stuff a JNLP should do.
A requirement is, however, that you have a valid "Developer ID Application" certificate.
Head over to bitbucket.org and download the current version
Run the ant task and build the appbundler package.
Have a look at the documentation for an example build script that will create the app container.
The example does not include the JNLP into the application right now.
The applications signature is created in a way so that the JNLP file can be modified later.
The application is being put into a zip file. This is important for downloading an application since they are only directories.
Create your server code. Load the ZIP file, put the JNLP File into the directory <yourapp>.app/Contents/Java/
Deliver the zip file.
Now, if everything went fine, the zip file should automatically be unpacked in the Download folder and you should see your application icon. If you really made no mistake, you can execute the application as if it was a normal one.
I hope this will help a lot of developers fixing the broken JNLP behavior with OSX.
[UPDATE for modifiable JNLPs]
Since OSX 10.9.5 it is required to have valid version 2 signatures on your app. This means that the trick previously used by the app bundler (set a resource list file) does not work anymore. Everything and anything has to be signed now and it is virtually impossible to change the signed app afterwards.
I did however find a way: Use the app bundler. Set the JNLP to a file inside the Contents/_CodeSignature directory. Do not yet copy your modifiable JNLP in there but do this e.g. using Java later on when patching the zip (you'll need some code here anyway).
Please note: this should really only be needed if you have to put another JNLP file dynamically into the app container (that is what the question was about).
UPDATE (08-2017)
Oracle will be releasing Java 9 by the end of September. The appbundler does not handle the Java 9 VM correctly. They changed a whole lot of the API and the way that javaws works. For now I need to say: stick with Java 8 if you want to use wrapped JNLP apps.
We've been able to determine that you can sign a jnlp file with codesign, using the "Developer ID Application" Certificate, like this:
codesign -f -s "Developer ID Application: " foo.jnlp
The result from this operation seems to pass Gatekeeper on the local machine. However, it seems like the signature gets stored as extended HFS attributes, and as a result, it is not transmitted if a user fetches the file from a HTTP transaction.
It might work if you took the .jnlp file, and packaged it in some kind of container, like a .dmg or maybe a .tar.gz, however, that's both a lot of work, and it provides a fairly challenging user experience.
From an email thread with Apple tech support, it seems the official word is to use the xip tool to work around the reliance on HFS extended attributes with codesign:
Instead of codesign, use xip (pronounced "chip")
to create a signed archive of your JNLP file. Provide your Developer
ID Installer identity as the argument to the --sign option, not your
Developer ID Application identity.
A xip archive is essentially a signed zip archive so it can be served
over the Internet in the same way as a zip archive. It will be
unarchived automatically on the client Mac.
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/xip.1.html
From my experimentation the xip tool always generates an archive with the jnlp contained in a folder when unxip'd.
Just to summarise the discussion: currently there is no existing solution for getting around this.
This means that end users cannot launch an application via JNLP easily. Basically one needs to tell the user to Right-Click and Open to override the Gatekeeper.
The other solution would be to make a signed Mac application and have users install that via disk image.
Would it work to bundle a simple executable shell script called something like "myapp" in a signed .dmg which looks like this:
javaws http://path/to/my/app.jnlp
that way you can change the .jnlp however you like without changing your .dmg. I don't have an Apple Developer ID, so I can't try it myself right now.

Run a java class file from a webpage on the visitor computer?

I coded a Java program to read and modify a file on the computer. The program is based only on 1 class.
At the moment, whoever wants to use it has to run it from the terminal. I'm looking at how to insert it on a webpage and make it run on the visitor's computer. It would be fine to have a file chooser (the user will want this modification).
I searched on internet and found Java applets, but I read that they aren't downloaded and executed locally so the program won't work.
How to provide a Java class file from a webpage, for use on the computer of the end-user?
If you really want to download a Java program and run it locally, you should check out Java Web Start.
Briefly, it allows the user to download and run a Java program locally on their machine. It does clever stuff like identify if an updated version is available for download, and will run the cached version if that's the current version.
Here's a tutorial.
..it would be fine to have a file chooser ..
In that case, there are basically the two options as I've outlined in comments throughout this question & the answers. I'll collect them together here:
Digitally sign the applet, get the user to accept the digitally signed code when prompted (before the applet is loaded), then offer a JFileChooser to browse to the file.
If the user has a plugin 2 JRE (chase the links in the JWS info. page for more details), it is possible to deliver the applet to the user unprompted, then leverage the JNLP API to produce a file chooser. The user will be prompted before the dialog appears, this time with a more specific warning.
JWS
For an example, see my applet based GIF animation tool which uses the JNLP API when the user goes to load image frames or save the animated GIF.
That applet is not open source (mostly because of my laziness in not wanting to revisit & tidy the code) but there is a much better example of using the JNLP file services that comes complete with source.
Digital signatures
I don't have any great links about the process of digitally signing code, but note that the 'example of using the JNLP file services' listed above provides one set of signed Jars for 2 different security environments. It also (hopefully obviously) demonstrates how to digitally sign code using Ant (it all happens by invoking the default task in the build.xml).
Applets can modify files locally, if they are signed and the user allows them to.
Read up on signed applets.
I read that they aren't downloaded and executed locally
Wherever you read that, it is 100% incorrect. Applets are downloaded into the browser and executed at the client host.

How to upload files with java applet?

I know similar questions have been asked but I have searched for hours and as of yet have not come up with a workable solution.
I have a Java applet which will be a "paint" like application. So, I need the user to be able to upload images from their file system. I first tried using a JFileChooser which works great in the eclipse environment. However, when put online I get a "java.security.AccessControlException: access denied" exception.
I was thinking that perhaps within the applet I could call a script (located on my server) which would prompt the user to select a file, but I have no idea how to do this. I am using zymic web hosting, so the only supported scripting language is PHP.
I also tried signing the applet. Since I don't want to spend money on certificates, I self-signed the applet. When I tried running it, I got an error stating "The Publisher Cannot Be Verified By A Trusted Source".
Any help would be greatly appreciated. - Thanks:)
A trusted applet can most certainly load files from the local file-system. The "Publisher Cannot Be Verified By A Trusted Source" message that is produced by self-signed applets is onerous & scary (for good reason), but if the user OKs it, it works just fine.
Here is a small demo. of exactly that.
Since the 'Next Generation' Plug-In, even sand-boxed applets can access the local file system. See the last 2 links on the Applet tag info page for further details.
Here is an applet that uses the Next Generation file abilities.
Unsigned applets can not access the file system for security reasons.
There is a tutorial about uploading files using PHP here.
Maybe you can work that into your page in order to allow the file to be uploaded and then load it from your web server with the applet.
Do keep in mind the warning at the end of that example under the section "php - file upload: safe practices".

Read and write files in an applet

I was in the process of turning my jar that reads and writes files into an applet. It displays properly until I add in the read and write function. Then Firefox just shows a black box (no error popups).
I have done a lot of research and it seems in order to get it to work I need to have the applet signed and then it will ask the user for permission, however I also read that I can't make an applet write files and it must be server side.
So my question is: can I make an applet read and write files without server side scripting?
And if so, how do I get my applet signed (I read some tutorials but I'm kinda new to this)?
An applet that is signed can read and write files on the local machine.
There are two types of certificates that you can use, the first is a certificate you create with keytool, an app that comes with the JDK. The second option is to sign an applet with a certificate from a Certificate Authority like Verisign.
The difference is that the self-made certificate will show warning messages to the client specifying that the certificate isn't trusted. This is just a warning, but can scare users. The downside of a certificate from a real certificate authority is that it costs money.
To generate a certificate use
keytool -genkey
then to do the signing, it depends how you build your applet.
For instance if you use Ant, there is a signjar task that will sign the applet.
So my question is: can I make an applet read and write files without server side scripting?
Sure, and in a 1.6.0_10+(1) JRE (the 'Next Generation' plug-in), it does not even require the Jars to be digitally signed.
An applet deployed using Java Web Start in a next gen. plug-in has access to the JNLP API services. The FileContents object of the API provides basic I/O. Here is a demo. of using the FileContents (the source is also available at the link).
(1) Note: JWS could launch free-floating applets since Java 1.2. But with 1.6.0_10+ a JWS applet can remain embedded in a browser window (for Win. & *nix at least - I hear 'no Mac.').
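The JNLP API file services that this answer and the JWSFileChooserDemo answer further up refer to (FileContents, FileOpenService, FileSaveService), shown as an added example rather than code from any of the posts or from Oracle's demo. It assumes compilation against javaws.jar of a Java 8 JRE and launch through a JNLP file, because ServiceManager.lookup only succeeds under Java Web Start; the class and method names are assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.jnlp.FileContents;
import javax.jnlp.FileOpenService;
import javax.jnlp.FileSaveService;
import javax.jnlp.ServiceManager;
import javax.jnlp.UnavailableServiceException;

/** Added example (hypothetical class name): read and write a user-chosen file
 *  from a sandboxed JWS applet through the JNLP API instead of JFileChooser. */
public class JnlpFileRoundTrip {

    /** The JRE shows its own prompt; the applet only ever sees the contents,
     *  never the path. Returns null when the user cancels. */
    static String readChosenText() throws UnavailableServiceException, IOException {
        FileOpenService fos =
            (FileOpenService) ServiceManager.lookup("javax.jnlp.FileOpenService");
        FileContents fc = fos.openFileDialog(null, new String[] { "txt" });
        if (fc == null) return null;                       // user cancelled
        try (InputStream in = fc.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    /** Save text to a location the user picks; again no path is exposed. */
    static boolean saveText(String text, String suggestedName)
            throws UnavailableServiceException, IOException {
        FileSaveService fss =
            (FileSaveService) ServiceManager.lookup("javax.jnlp.FileSaveService");
        InputStream data =
            new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8));
        FileContents saved =
            fss.saveFileDialog(null, new String[] { "txt" }, data, suggestedName);
        return saved != null;            // null is the "User cancelled save request." case
    }

    public static void main(String[] args) throws Exception {
        String text = readChosenText();
        if (text == null) { System.out.println("open cancelled"); return; }
        // Constructed processing step: upper-case the file and write it back.
        if (!saveText(text.toUpperCase(), "processed.txt")) {
            System.out.println("User cancelled save request.");
        }
    }
}
```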
