Reputation: 41
With Java 7u55, an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via JavaScript and that page isn't listed in the manifest’s Caller-Allowable-Codebase attribute.
If Caller-Allowable-Codebase: IP Address of server is given, then security prompts are not seen.
However, our application is an intranet site and hosted in IIS.
Client systems access the website at http://<ServerName>/<WebSite VirtualPathName>
The server name/IP address is not fixed. The application can be installed on any web server.
Is there any way to stop the warning prompt?
Upvotes: 2
Views: 1264
Reputation: 9816
Short answer is no. The only thing is that you are able to put several domains/IPs in the attribute:
host.example.com 127.0.0.1 192.168.1.100
If it's an internal network you may try to use 192.168.0.* or 192.168.0.1/24
In the release notes of 7u55 you can read the following:
Using "*" in Caller-Allowable-Codebase Attribute: If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to RIA will show a security warning, and users have the choice to allow the call or block the call.
Additionally the JAR File Manifest Attributes documentation states:
The Caller-Allowable-Codebase attribute is used to identify the domains from which JavaScript code can make calls to your RIA without security prompts. Set this attribute to the domain that hosts the JavaScript code. If a call is made from JavaScript code that is not located in a domain specified by the Caller-Allowable-Codebase attribute, the call is blocked.
If the Caller-Allowable-Codebase attribute is not present, calls from JavaScript code to your RIA show a security warning, and users have the choice to allow the call or block the call. For unsigned RIAs, JavaScript code that requires access to the RIA must be in the same location as the main JAR file for your RIA, otherwise, the user is prompted to allow access.
See Codebase Attribute for a description of the values that are allowed. If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to your RIA show a security warning, and users have the choice to allow the call or block the call. An option to remember the choice is also provided, and if selected, the warning is no longer shown when the RIA is launched.
Update: I know that it is frustrating, and on a personal note I think that Oracle will destroy the usage of applets (or what's left of it) due to their latest security decisions. As you may have seen, the restriction only applies if you
What you can do is:
"specify more than one domain, separate the domains by a space"
I haven't tried it, however I would put all internal IP address ranges in there:
Caller-Allowable-Codebase: 10.* 192.168.* 172.* 169.*
If that works you may try to add all IP address ranges ;-)
Caller-Allowable-Codebase: 1.* 2.* 3.* 4.* 5.* .... 255.*
If the subnetting syntax works you may also try:
0.0.0.0/0 (whole IPv4 address space) or something like that
Upvotes: 1
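An added example, not part of the answer above and not Oracle's tooling: a Python audit that reads Caller-Allowable-Codebase from a JAR manifest, joins wrapped continuation lines, and labels each space-separated entry. The sample manifest, the host app.example.internal and the "wildcard" review label are assumptions made here; the script does not tell you whether the JRE accepts a given wildcard form.

```python
import io
import zipfile

ATTR = "caller-allowable-codebase"  # manifest attribute names are case-insensitive
# Constructed sample manifest: hosts from the answer plus one made-up name.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Caller-Allowable-Codebase: host.example.com 192.168.1.100 10.* app.exa\r\n"
    " mple.internal *\r\n"               # continuation line: starts with one space
    "\r\n"
    "Name: demo/Applet.class\r\n"        # per-entry section, ignored by the audit
)

def parse_main_attributes(text):
    """Parse the manifest's main section, joining wrapped continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:
            break                        # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]      # re-join a value wrapped onto a new line
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs

def classify(entry):
    if entry == "*":
        return "standalone-asterisk"     # per the quoted docs: users are still prompted
    return "wildcard" if "*" in entry else "specific"  # wildcard = review manually

def audit_codebase(text):
    """Return (entry, finding) pairs for Caller-Allowable-Codebase."""
    value = parse_main_attributes(text).get(ATTR)
    if value is None:
        return [(None, "missing")]       # per the quoted docs: JavaScript calls prompt
    return [(entry, classify(entry)) for entry in value.split()]

def audit_jar(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return audit_codebase(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:   # constructed in-memory JAR
        jar.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
    return buf.getvalue()
```

Running `audit_jar` over signed JARs before deployment shows which ones carry a stand-alone asterisk or broad wildcard entries that deserve a second look.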