Friday, April 26, 2013

Java Security Warning : Block potentially unsafe components from being run?

Cause of the issue: 

Signed Java Web Start applications and applets that contain signed and unsigned components could potentially be unsafe unless the mixed code was intended by the application vendor. As of the Java SE 6 Update 19 release, when a program contains both signed and unsigned components, a warning dialog is raised. 

Solution : 

Trusted-Only Attribute

For applications and applets that do not require unsigned components, the Trusted-Only attribute should be used. No warning dialog will be displayed and an application or applet that loads a jar file containing this attribute will not load any untrusted classes or resources. This attribute prevents a signed application or applet from being re-purposed with unsigned components. You can specify Trusted-Only: true in the manifest file. For example:

            Manifest-Version: 1.0
            Trusted-Only: true
            Created-By: 1.6.0-internal (Sun Microsystems Inc.)

All classes and resources in the application or applet must be signed and trusted.

Trusted-Library Attribute


For applications and applets that are designed to allow unsigned components, the Trusted-Library attribute should be used. No warning dialog will be displayed and an application or applet may load jar files containing untrusted classes or resources. This attribute prevents signed components in an application or applet from being re-purposed with unsigned components. You can specify Trusted-Library: true in the manifest file. For example:

            Manifest-Version: 1.0
            Trusted-Library: true
            Created-By: 1.6.0-internal (Sun Microsystems Inc.)

All classes and resources in a jar file containing this manifest attribute must be signed and trusted.

To fix the popup, you need to add an extra attribute, Trusted-Library: true, to the manifest file.

How to add an attribute to the manifest file:

The basic command to create a jar file is:

            jar cfm jar-file manifest-addition input-file(s)

The m option indicates that you want to merge information from an existing file into the manifest file of the jar file you are creating.
manifest-addition is the name (or path and name) of the existing text file whose content, in our case, will be either Trusted-Only: true or Trusted-Library: true.

After the jar is created, you have to sign the jar with your certificates and cross-check that the manifest file has the correct attributes.
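
The cross-check of the manifest attributes can be scripted. The following is an added example, not code from the original post: it reads META-INF/MANIFEST.MF from a jar, reports whether Trusted-Only or Trusted-Library is set, rejects misspelled header names, and lists entries that have no digest section in the manifest (content added to the jar without being signed). The sample jar, its class names and its digest value are constructed for illustration; the script does not verify signatures cryptographically, which is what jarsigner -verify is for.

```python
import io
import re
import zipfile

def parse_manifest(text):
    """Return (main attributes, per-entry sections) of a MANIFEST.MF."""
    sections, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line closes a section
            if current:
                sections.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:  # continuation of a wrapped value
            current[last] += line[1:]
        else:
            name, sep, value = line.partition(": ")
            if not sep or not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]*", name):
                raise ValueError("malformed manifest header: %r" % line)  # bad name syntax
            last = name.lower()              # header names are case-insensitive
            current[last] = value
    main = sections[0] if sections else {}
    return main, {s["name"]: s for s in sections[1:] if "name" in s}

def audit_jar(data):
    """Report trusted-code attributes and entries lacking a digest section."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        main, entries = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    unsigned = [n for n in names
                if not n.endswith("/") and not n.upper().startswith("META-INF/")
                and not any(k.endswith("-digest") for k in entries.get(n, {}))]
    return {"trusted_only": main.get("trusted-only", "").lower() == "true",
            "trusted_library": main.get("trusted-library", "").lower() == "true",
            "signature_file": any(re.fullmatch(r"(?i)META-INF/[^/]+\.SF", n) for n in names),
            "unsigned_entries": unsigned}

def build_sample_jar():
    """Constructed sample: one entry has a digest section, one does not."""
    manifest = ("Manifest-Version: 1.0\r\nTrusted-Library: true\r\n\r\n"
                "Name: com/example/Signed.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/EXAMPLE.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("com/example/Signed.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/Extra.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(build_sample_jar()))
```

To audit a real file, pass its bytes to audit_jar, for example the result of open(path, "rb").read().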

7 comments:

  1. But after adding Trusted-Library :true attribute I am getting ClassNotFoundException.

  2. I have added this attribute, signed my jar and placed it into my application. But while loading applets I am getting ClassNotFoundException. Please suggest a solution for this.
    Thank you

  3. Can you put the details of the exception?

  4. My applet also is not working when I updated my java plugin to 1.7.21_*. I am getting
    'class not found exception'. Please help me.

  5. Sorry Yogesh! If I click on details, nothing is displayed.
    Just ClassNotFoundException and the class name in the alert message.

  6. Nice article, helped me. Just a small correction: it is "Trusted-Library : true" not "Trusted:Library : true", as fat fingered in the article.

  7. Please read the following URLs for more information regarding the popup blockers for Java 7.

    https://blogs.oracle.com/java-platform-group/entry/7u45_caller_allowable_codebase_and

    https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
