Reputation: 1829
We're experiencing the LiveConnect security warning in our application even though the applet is signed, and the Caller-Allowable-Codebase attribute is set:
The second problem is that the Application and Publisher fields are set to UNKNOWN in IE, FF and Chrome. The first security information displayed seems to pick up the information from the certificate.
My manifest file:
Manifest-Version: 1.0
Implementation-Vendor: xxx xxx Buildings AB
Implementation-version: 1.5.0.49829
Application-Library-Allowable-Codebase: *
Application-Name: Building Operation WebStation
Permissions: all-permissions
Created-By: 1.7.0 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Specification-Version: 1.0
Codebase: *
I read the Oracle blog post about security changes with LiveConnect.
I have also tried adding the Application-Library-Allowable-Codebase: * attribute without success. It doesn't even seem to make any difference in the security attributes guide.
Checking that checkbox doesn't do anything; the next time we navigate to the applet, the warning will pop up again.
jarsigner.exe outputs "jar verified".
Examining the certificate we sign with shows the whole chain - our company > RapidSSL CA > GeoTrust Global CA. I've imported the certificate to several Windows certificate stores, even though just being signed by a trusted root CA should be enough.
We're testing on the latest JRE and we get the same result with JRE 8.
Java Plug-in 10.67.2.01
Using JRE version 1.7.0_67-b01 Java HotSpot(TM) Client VM
Does anyone know
Upvotes: 2
Views: 1295
Reputation: 7921
The reason you are getting the first popup (the LiveConnect warning) is because you have used a wildcard * for the Caller-Allowable-Codebase:
Caller-Allowable-Codebase: *
You may need to replace the * with the domain name or IP address where the JavaScript files are located.
You probably need to do something similar with the codebase attribute as well.
See Codebase Attribute for more information on this attribute.
See Codebase Attribute for a description of the values that are allowed. If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to your RIA show a security warning, and users have the choice to allow the call or block the call. An option to remember the choice is also provided, and if selected, the warning is no longer shown when the RIA is launched.
Source Caller-Allowable-Codebase Attribute
Removing the Trusted-Library attribute seems to be mandatory to get Caller-Allowable-Codebase working, no more warnings. However, this breaks Java 7 Update 21 - 40 which treated JavaScript code that calls code within a signed applet running with all permissions as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute.
Source Java applet manifest - Allow all Caller-Allowable-Codebase, answer by Nikolas Pooch
Upvotes: 3
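As an added example (not code from the question or the answers), this Python check parses a manifest's main section, including wrapped continuation lines, and flags the two things the answer points at: a stand-alone * in the codebase attributes and a Trusted-Library entry alongside Caller-Allowable-Codebase. The function names and the webstation.example.com placeholder domain are assumptions; QUESTION is an excerpt of the manifest posted above.

```python
# Added example; not code from the thread. RESTRICTED is constructed and
# webstation.example.com is a placeholder domain.
WILDCARD_ATTRS = ("caller-allowable-codebase",
                  "application-library-allowable-codebase", "codebase")

QUESTION = """Manifest-Version: 1.0
Application-Library-Allowable-Codebase: *
Application-Name: Building Operation WebStation
Permissions: all-permissions
Caller-Allowable-Codebase: *
Codebase: *
"""
RESTRICTED = QUESTION.replace(": *", ": https://webstation.example.com")


def parse_main_section(text):
    """Return main-section attributes keyed by lower-cased name."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                break  # a blank line ends the main section
            continue
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of a wrapped value
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % line)
        last = name.strip().lower()
        attrs[last] = value.strip()
    return attrs


def audit(text):
    """Return (attribute, message) findings for the values discussed above."""
    attrs = parse_main_section(text)
    findings = [(name, "stand-alone * wildcard; list the hosting domains")
                for name in WILDCARD_ATTRS
                if "*" in attrs.get(name, "").split()]
    if "trusted-library" in attrs and "caller-allowable-codebase" in attrs:
        findings.append(("trusted-library",
                         "reported above to conflict with Caller-Allowable-Codebase"))
    return findings


if __name__ == "__main__":
    for attr, msg in audit(QUESTION):
        print(f"{attr}: {msg}")
```

Run it against the text of META-INF/MANIFEST.MF extracted from the signed JAR, since that is the manifest the plug-in evaluates.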