I have a simple applet that doesn't stray outside the sandbox. It used to work fine before Java 7 but now it craps out with security warnings. It does nothing but play a game, it doesn't even save the state of the game. Any ideas on how to fix?
This is the applet, it's a very simple chess program.
The warnings and popups I'm getting are:
activate javaTM platform SE 7U?
activation blocked by security settings - I never changed any security settings and as I said, this applet stays firmly in the sandbox so I can't see what the issue is.
Viewing the java error window I see
Java Plug-in 10.51.2.13
Using JRE version 1.7.0_51-b13 Java HotSpot(TM) Client VM
User home directory = C:\Users\Mike
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
I'm not sure why it shows the C:\Users\Mike directory in the above listing, there is no access to files etc.
The applet plays fine if I run it in appletviewer.
What do I need to do to make this simply work in anyone's browser?
Thanks for reading.
PS I have a similar problem with a (rather funky) Connect 4 program I wrote. It worked fine for years and then just stopped with the Java 7.
More hoops. WebStart is also implemented by the plugin, so similar restrictions apply. Have you looked through all settings if there is something that may need fiddling?
posted 5 years ago
I don't really change my security settings because I like to have something that's representative of what most users might have.
At the moment I'm having the problem with my own applets running on my own web site but I'm guessing no user can run any of my programs any more apart from those I've converted to exe's.
These apps run entirely in the sandbox and so should be as safe as houses (if we can still say that in these post sub-prime days).
I'm just shaking my head wondering what those who administer Java are actually thinking.
It's also the time I spent writing these apps .... wasted
I mentioned that as a way of finding out what it might take to make them run. But you're right, a stock system has advantages.
The folks administering Java have belatedly come to the conclusion that they need to take more drastic steps to address the security holes of the JVM, just like the folks running Silverlight and Flash have had to conclude. They may have gone overboard with this one.
posted 5 years ago
So what should I do? I hate the idea of throwing away a bunch of programs, all of which I'm quite fond of.
Mich Robinson wrote:So what should I do? I hate the idea of throwing away a bunch of programs, all of which I'm quite fond of.
I'm afraid you will probably have to sign the applets - I'm not even sure is self signed certificates are acceptable these days so you may have to get a certificate from a trusted authority.
As to why you are now getting the problems see this article: https://www.java.com/en/download/help/appsecuritydialogs.xml
The only other alternative I'm aware of is to add the applets URL to Exception Site List, located under the Security tab of the Java Control Panel. But obviously suggesting to all your potential users that they do this is not really an acceptable solution.
posted 5 years ago
You'd think that something running entirely in the sandbox would be trusted but I guess Oracle knows something we don't.
Does self signing allow users to continue using applets & webstart apps or do they need to do stuff themselves?
Does it cost to get a certificate from a signing authority? any idea how much? does paying for a cert somehow stop exploiters from doing the same?
I'll admit I didn't understand the keytool application - I followed an example from somewhere and managed to sign my stuff a year ago but it turned out the keys were all for a year and now they've run out. No idea what to do now!
It amazes me that people haven't complained loudly about all this.
I don't know how sandbox-suitable applets work these days, but it seems your experiments in the field are providing you with some answers. As for the other questions:
Self-signing allows users to continue using applets and webstart apps, but the users either have to set their Java security level to Medium or else configure the Java security panel to accept code from particular URLs. I've tried these and they both work.
It costs several hundred dollars to get a Verisign certificate (it wasn't me who wrote the cheque at work but that was my understanding). The issuers of those certificates don't just sell them to anybody but I have no idea how they ensure that you aren't a bad guy. All I know is that they do some kind of checking.
As for your expired certificates, all you have to do is throw away those signed jars and create new ones with the keytool application. I have to say I didn't understand it either and just used the MSMD (Monkey See Monkey Do) process as well.
posted 5 years ago
I don't want to force my users to alter their security settings then self signing is out. I can't justify paying out for an official certificate and I have no idea whether they'd give me one.
I'll try the keytool again but I feel like one lone monkey with a type writer trying to produce Shakespeare.
It makes me wonder what sort of person created that keytool app - I presume the same sort of guy that documented how it was used!
I'll also try to move my existing applications to exe's as these seem to install and run without a million security warnings popping up.
This seems like a crazy solution but heyho.
I looked into whether this is going to get changed in future versions of Java but can't see anything. It's interesting that they're focusing on important things like lambda expressions while ignoring the small issue that you can't even release a sandboxed app that doesn't raise a dozen security popups. Perhaps by getting rid of the grass roots support of the language they feel they can make Java more of a corporate solution. I can't help feeling like I've just been completely shafted by Oracle in this.
The fact is that for signing something (an applet, an executable, etc) it helps much to know what is a certificate, a digital signature (it is PKI stuff), and the true is that the topic is somehow dense. so I'll try to be concise.
You start with a public/private key pair (some bits mathematically related generated by keytool), you send the public part (public key/CSR) to a certification authority (one of the certification authorities that any java default installation has registered by default), they verify you are who you say you are (they could ask for a notarial letter), and if they verify your identity correctly they will sign your public key with their certification authority, this is, they generate a certificate for you.
You latter use your private key (which is private, never sent anywhere) to sign your applet and append your certificate to the signed code (jarsigner comes here), so a client (java plugin) that downloads your applet does the following verification:
1. Verify the signature is correct, this is that is has been generated with your private key.
2. Check if the certificate has been issued/generated by a certification authority included in the default java list.
3. Execute your code.
Well, the procedure for signing your applet and get it working for all your clients like before could go as this:
1. Read http://www.youdzone.com/signature.html and get sure to understand the basics of digital signature.
2. Using keytool (or a frontend like Portecle) generate a key pair (the result will be a keystore.jks file), then a CSR with your public key and send this CSR to the certification authority.
3. Install the certificate sent by the certification authority to your keystore.jks
4. Sign you .jar using jarsigner
5. Follow new requirements for MANIFEST.MF, include "Permissions" attribute, see https://www.java.com/en/download/help/java_blocked.xml
If you need any clarification on any part of the process I can detail it for you (e.g. commands involved)