Signing client jar files with Java 7 Update 51 solved
hilka

Hello community,

we faced the problem that our application was not running any more due to security constraints introduced with the latest Java update 1.7_u51 (14.01.2014).

Oracle raised the security level so that our application was not running properly any more.
To solve the problem, we had to do two things I want to share with you, in case you run into the same problems:

(1) We had to include the whole certificate chain into the PFX/PKCS12 container we used for signing. In our case we just signed the code with our signing certificate. But for running the application on client side, an intermediate certificate was missing so that the new Java version considered the jar file to be self-signed. I can provide details if you face the same problem.

(2) We had to include some security-related options to the MANIFEST.MF file. This is a snippet from the ANT script we use to generate the manifest file:
<manifest file="${build.dir}/MANIFEST.MF">
    <attribute name="SVN-Revision" value="${svn.lastchanged.revision}" />
    <attribute name="Specification-Vendor" value="Nexus Technology GmbH" />
    <attribute name="Implementation-Vendor" value="Nexus Technology GmbH" />
    <attribute name="Implementation-Version" value="${ivy.revision}" />
    <attribute name="Permissions" value="all-permissions"/>
    <attribute name="Codebase" value="*"/>
    <!-- Needed from 1.7_51 onwards -->
    <attribute name="Application-Library-Allowable-Codebase" value="*"/>
    <attribute name="Caller-Allowable-Codebase" value="*"/>
</manifest>

Hope this helps you avoid the problems.

Tobias
CaptainCasa

...thanks Tobias!!!

Just one issue I want to add: this information is important for all those who have their own client-side jar files (i.e. their own client-side Swing or FX implementation).

The client-side jar files that ship with CaptainCasa already have the corresponding manifest values. (These are the /eclnt/lib/*.jar files.)

Regards, Björn

Björn Müller, CaptainCasa GmbH
hilka

Hi Björn,

just to make sure we are on the same page: I just downloaded the latest version (5_0_20140120) and checked the Manifest. It seems that the two options that are necessary from 1.7_u51 onwards are missing:

<!-- Needed from 1.7_51 onwards -->
<attribute name="Application-Library-Allowable-Codebase" value="*"/>
<attribute name="Caller-Allowable-Codebase" value="*"/>

Can you double-check?

Tobias
CaptainCasa

Hi,

@Application-Library-Allowable-Codebase:
The docu says "This attribute is not needed if the JAR file for the RIA is in the same location as the JNLP file or HTML page that starts the RIA." And we have not seen any problem yet in our 7.51 testing. Did this cause concrete problems on your side?

@Caller-Allowable-Codebase:
This is only required if you use the JavaScript bridge to communicate from the client running as applet to its surrounding HTML page.

...in principle we do not want to add too many "*" if not necessary ;-)

Thanks for your discussion on this!
Björn

Björn Müller, CaptainCasa GmbH
hilka

I think you are right because Captain Casa has to fulfill the requirements for RIAs only and the two attributes are not necessary for this.

We had to add them in some components since we needed to access the Java components integrated in an applet which was called by JavaScript (live connect) and this call was blocked on high security level if these attributes were missing.

So for Captain Casa, you are on the safe side (for now, until Oracle comes up with the next surprise...)

Tobias
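
The manifest check done by hand in this thread can be scripted. The following is an added example, not code from the thread or from CaptainCasa: it reads the main section of a jar's MANIFEST.MF and reports, for the four attributes in the Ant snippet, whether each is missing, set, or a bare "*". Function names, host names and the sample manifest are constructed for illustration.

```python
import io
import zipfile

# The four attributes from the Ant snippet in the thread.
SECURITY_ATTRS = ("Permissions", "Codebase",
                  "Application-Library-Allowable-Codebase",
                  "Caller-Allowable-Codebase")

def main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF; names are case-insensitive."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if line == "":                      # blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of a wrapped line
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        attrs[last] = value.lstrip(" ")
    return attrs

def audit_jar(jar_bytes):
    """Map each attribute to ('missing' | 'wildcard' | 'set', value)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, report = main_attributes(text), {}
    for name in SECURITY_ATTRS:
        value = attrs.get(name.lower())
        status = "missing" if value is None else (
            "wildcard" if "*" in value.split() else "set")  # bare "*" = any origin
        report[name] = (status, value)
    return report

def build_sample_jar(manifest_text):  # constructed sample: jar with only a manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed manifest; host names and the digest value are placeholders.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
                   "Codebase: *\r\nCaller-Allowable-Codebase: apps.example.com intra.exam\r\n"
                   " ple.com\r\n\r\n"
                   "Name: com/example/Foo.class\r\nSHA-256-Digest: PLACEHOLDER\r\n")

if __name__ == "__main__":
    for attr, (status, value) in audit_jar(build_sample_jar(SAMPLE_MANIFEST)).items():
        print(f"{attr}: {status} ({value})")
```

To audit a real file, pass its bytes, e.g. the contents of one of your own client-side jars, to audit_jar().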
 