Friday, April 26, 2013

Java Security Warning : Block potentially unsafe components from being run?

Cause of the issue: 

Signed Java Web Start applications and applets that contain signed and unsigned components could potentially be unsafe unless the mixed code was intended by the application vendor. As of the Java SE 6 Update 19 release, when a program contains both signed and unsigned components, a warning dialog is raised. 

Solution : 

Trusted-Only Attribute

For applications and applets that do not require unsigned components, the Trusted-Only attribute should be used. No warning dialog will be displayed and an application or applet that loads a jar file containing this attribute will not load any untrusted classes or resources. This attribute prevents a signed application or applet from being re-purposed with unsigned components. You can specify Trusted-Only: true in the manifest file. For example:

Manifest-Version: 1.0
Trusted-Only: true
Created-By: 1.6.0-internal (Sun Microsystems Inc.)
All classes and resources in the application or applet must be signed and trusted.

Trusted-Library Attribute


For applications and applets that are designed to allow unsigned components, the Trusted-Library attribute should be used. No warning dialog will be displayed and an application or applet may load jar files containing untrusted classes or resources. This attribute prevents signed components in an application or applet from being re-purposed with unsigned components. You can specify Trusted-Library: true in the manifest file. For example:

Manifest-Version: 1.0
Trusted-Library: true
Created-By: 1.6.0-internal (Sun Microsystems Inc.)
All classes and resources in a jar file containing this manifest attribute must be signed and trusted.

To fix the popup you need to add an extra attribute, Trusted-Library: true, to the manifest file.

How to add the attribute to the manifest file:

The basic command to create a jar file is:

            jar cfm jar-file manifest-addition input-file(s) 

The m option indicates that you want to merge information from an existing file into the manifest file of the jar file you are creating.
manifest-addition is the name (or path and name) of the existing text file, whose content in our case will be either Trusted-Only: true or Trusted-Library: true.

After the jar is created you have to sign the jar with your certificates and cross-check that the manifest file has the correct attributes.
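One way to do the cross-check described above, as an added example that is not part of the original post: a Python script that reads META-INF/MANIFEST.MF from a JAR, parses its main section (including wrapped lines) and reports whether Trusted-Only or Trusted-Library is set to true and whether signature files are present. The sample JARs are constructed in memory with empty placeholder signature entries, and the function names are hypothetical.

```python
import io
import zipfile

MIXED_CODE_ATTRS = ("trusted-only", "trusted-library")
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")

def main_attributes(manifest_text):
    """Parse the manifest's main section (everything before the first blank line)."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break                          # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]        # continuation of a wrapped value
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()        # attribute names are case-insensitive
        attrs[last] = value.lstrip(" ")
    return attrs

def check_jar(jar_bytes):
    """Return (mixed-code attributes set to true, signature files present?)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = {n.upper(): n for n in jar.namelist()}
        manifest = entries.get("META-INF/MANIFEST.MF")
        text = jar.read(manifest).decode("utf-8") if manifest else ""
    attrs = main_attributes(text)
    declared = [a for a in MIXED_CODE_ATTRS
                if attrs.get(a, "").strip().lower() == "true"]
    meta = [n for n in entries if n.startswith("META-INF/")]
    # Presence only: run `jarsigner -verify` to validate the signature itself.
    signed = (any(n.endswith(".SF") for n in meta)
              and any(n.endswith(SIG_BLOCK_EXT) for n in meta))
    return declared, signed

def build_sample_jar(manifest_text, signed):
    """Constructed sample JAR; the signature entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        jar.writestr("Upload.class", b"")
        if signed:
            jar.writestr("META-INF/SIGNER.SF", b"")
            jar.writestr("META-INF/SIGNER.RSA", b"")
    return buf.getvalue()

GOOD = build_sample_jar("Manifest-Version: 1.0\r\nTrusted-Library: true\r\n"
                        "Created-By: 1.6.0_16 (Sun Microsystems Inc.)\r\n\r\n", True)
BAD = build_sample_jar("Manifest-Version: 1.0\r\n\r\n", False)

if __name__ == "__main__":
    for label, jar in (("good", GOOD), ("bad", BAD)):
        print(label, check_jar(jar))
```

Only attributes in the main section count here; a Trusted-Library line that appears after the first blank line belongs to a per-entry section and is ignored by the parser.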

Liveconnect call for Applet ID * is not allowed in this JVM instance


The fix is to change the MANIFEST.MF file to have Trusted-Library: true instead of Trusted-Only: true.

The MANIFEST.MF file should have the following three lines, and the classes should be code signed:

Manifest-Version: 1.0
Trusted-Library: true
Created-By: 1.6.0_16 (Sun Microsystems Inc.)

Modifying the manifest file :

The basic command has this format:
jar cfm jar-file manifest-addition input-file(s)
Let's look at the options and arguments used in this command:
  • The c option indicates that you want to create a JAR file.
  • The m option indicates that you want to merge information from an existing file into the manifest file of the JAR file you're creating.
  • The f option indicates that you want the output to go to a file (the JAR file you're creating) rather than to standard output.
  • manifest-addition is the name (or path and name) of the existing text file whose contents you want to add to the contents of JAR file's manifest.
  • jar-file is the name that you want the resulting JAR file to have.
  • The input-file(s) argument is a space-separated list of one or more files that you want to be placed in your JAR file.
The m and f options must be in the same order as the corresponding arguments.

Example: jar cvfm Test.jar manifestTest.text Upload.java

Here manifestTest.text contains the Trusted-Library: true line.