
I'm working on deploying a Java applet over JNLP. The functionality of the applet works as expected; my problem lies with the security warnings displayed at run time. I've searched extensively for answers on when and why they appear without finding any sufficient answers, so I thought I'd try to get some answers here.

Premises: My applet is signed using a self-signed certificate which is also imported as a trusted CA (the 'safer looking' warning is displayed). I will use a real certificate from Thawte or Verisign in production but this should be good enough for now. No external permissions are needed and disk access is done only through JNLP.

Since I want to be able to use FileSaveService and FileOpenService I've specified the j2ee-application-client-permissions tag in the security part of my JNLP file.

Javascript is used to invoke public functions in the applet.

This happens right now: When the applet is loaded I get a security prompt warning me that this Applet will run with unlimited access to the system. The warning is the trusted kind with the blue info display rather than the yellow warning. Why do I get this warning? Will this always appear even if I stick to using only JNLP libraries? How is this warning determined, is it by scanning my code or by reading some setting I can change? Is there a list of allowed classes to run without getting this warning?

Once the applet loads and I try to open a file dialog I get prompted again saying that the application has requested read/write permissions.

I assume the latter warning is a JNLP warning since it first appeared when I started to use JNLP. Why do I get prompted both at startup as well as during use? Do I need to get both and will I get both once I have a proper certificate?

Most importantly I would like to get rid of the first warning since it looks rather scary to allow my applet to run with unrestricted access (especially since that is not at all my intention!). Is there any documentation that clears out what triggers the warnings and how to deal with them?

Edit: The file is validated with Janela without errors. Everything launches as it should, it's the warnings I want to understand.

<script>
var attributes = {
    id: 'id',
    codebase: 'www.mydomain.com/jars/',
    width: 1,
    height: 1,
    name: "Name"
};
var parameters = {
    jnlp_href: "www.mydomain.com/jars/jnlp.jnlp"
};
deployJava.runApplet(attributes, parameters, '1.6');
</script>

JNLP file

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" href="/jars/jnlp.jnlp">
    <information>
        <title>Title</title>
        <vendor>My Company</vendor>
        <description>Description</description>
        <description kind="short">Desc</description>
        <offline-allowed />
    </information>

    <resources>
        <j2se version="1.6+" />
        <jar href="ext1.jar" main="false" download="eager" />
        <jar href="ext2.jar" main="false" download="eager" />
        <jar href="mainJar.jar" main="true" download="eager" />
    </resources>
    <applet-desc
        name="name"
        main-class="com.myCompany.applet.mainClass"
        width="1"
        height="1">
    </applet-desc>
    <security>
        <j2ee-application-client-permissions/>
    </security>
</jnlp>
Andrew Thompson
Erik
  • 1) Make sure to validate the launch file using [JaNeLA](http://pscode.org/janela/). Many strange problems are caused by non-standard JNLP files. 2) *"Javascript is used to invoke public functions in the applet."* How does the applet behave if there is no JS used? How is it deployed in HTML? Do you have a link to where we can see it? – Andrew Thompson Apr 25 '12 at 18:55
  • See update. The page requires Javascript and will complain long before the applet page is shown. We can assume everyone launching the applet has Javascript enabled. I can't show it to you since it's still being developed. Is there any documentation where I can read about the warnings and why they appear? – Erik Apr 25 '12 at 19:43
  • `www.mydomain.com/..` Is the page also at www.mydomain.com? If so, be sure to remove the prefix, so the JRE understands it is 'phoning home' for the resources. What version(s) of the JRE are you seeing this in? – Andrew Thompson Apr 25 '12 at 20:06
  • Where are the `archive` & `code` name/value pairs of the JS `attributes`? What happens if you drop a plain old unsigned applet such as the compatibility applet into the HTML (as opposed to including any signed Jars)? **AFAIR if any signed Jars are referenced in the HTML, they will prompt the security check by the JRE.** – Andrew Thompson Apr 25 '12 at 20:17
  • What is the behavior of this (free floating) JWS API [file services demo](http://pscode.org/jws/api.html#fs)? Don't try the sand-boxed version, the link above it requests `j2ee-application-client-permissions`. It does (unfortunately) give the same 'unrestricted access' message at the initial security warning, I hoped it would be more mild/limited - perhaps 'limited access'. After clicking 'Run' (but without clicking 'Always trust content from this publisher') the app. arrives on screen and neither the 'Open' nor 'Save File' buttons cause further prompts. Am using 1.6.0_29 for testing. – Andrew Thompson Apr 25 '12 at 20:29
  • This is seen in IcedTea on Ubuntu so far. What's the expected behavior here? I shouldn't be seeing any prompt on the initial loading, only when I try to open the file dialog? – Erik Apr 25 '12 at 20:31
  • Regarding your last comment: I get prompted at start. It's however possible to open the dialog without any other prompts. Oracle shows an example without any warnings at startup so it should definitely be possible to do. http://docs.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html – Erik Apr 25 '12 at 20:34
  • I think we need to delve into this further. Can you make a demo. page and put it on a public server? You might adapt the file service example. Remove the file extension stuff, convert it to an applet, it should not be too hard. – Andrew Thompson Apr 25 '12 at 20:37
  • There's no documentation on how these warnings work? Granted not for IcedTea but for the official JREs? Seems very strange since these warnings impact the user experience. How is it evaluated that my applet needs unrestricted access? Regarding the example, I'll look into it and get back. – Erik Apr 25 '12 at 20:45
  • You might start with [this document](http://docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/jnlpFileSyntax.html) `j2ee-application-client-permissions` "Requests that the RIA be run with a permission set that meets the security specifications of the J2EE application client environment." – Andrew Thompson Apr 25 '12 at 20:51
  • It seems like the applet won't run in the sandbox since it's signed. If I remove (the trusted, real!) signature, it's possible to launch the applet without a warning. Is it possible to enforce the applet to launch within the sandbox so I can run it without a warning even if it's signed? – Erik Apr 30 '12 at 18:59
  • Granting `j2ee-application-client-permissions` still allows the applet to pwn the local user. It's a freaky thing in there just to enforce Java EE restrictions whilst giving the client access to the local system (so, actually escapable if being deliberately malicious). Looks as if you can just avoid signing the code. The users won't have to consider whether they want to trust you to be infallible, you don't have to worry about signing and there's no [insufficiently] scary "dialogs" - everyone's a winner. – Tom Hawtin - tackline Apr 30 '12 at 22:40

1 Answer


You don't have to sign your applet. If you don't sign, then the first warning doesn't appear.

http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

Hai Bi
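A sketch of the unsigned route for the question's file-open case, added here as an example and not code from the question or the answer: the applet stays in the sandbox and reaches the disk only through the JNLP `FileOpenService`, so the runtime mediates each file the user picks instead of the applet requesting a blanket permission set at launch. The class name `SandboxedFileApplet` and the `txt` extension filter are hypothetical; it assumes the jars are unsigned, the JNLP file has no `<security>` element, and the `javax.jnlp` classes are on the compile classpath.

```java
import java.applet.Applet;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import javax.jnlp.FileContents;
import javax.jnlp.FileOpenService;
import javax.jnlp.ServiceManager;
import javax.jnlp.UnavailableServiceException;

// Hypothetical applet class (name is an assumption, not from the page).
// Intended for unsigned jars and a JNLP file without a <security> element.
public class SandboxedFileApplet extends Applet {

    // Returns the text of the file the user selects, or null when the user
    // cancels, the read fails, or the applet was not launched through JNLP.
    public String openTextFile() {
        try {
            // The service is looked up by name; no java.io.File access is
            // attempted, so no extra permissions are needed in the sandbox.
            FileOpenService fos = (FileOpenService)
                    ServiceManager.lookup("javax.jnlp.FileOpenService");
            FileContents fc = fos.openFileDialog(null, new String[] {"txt"});
            if (fc == null) {
                return null; // user chose not to select a file
            }
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(fc.getInputStream(), "UTF-8"));
            try {
                StringBuilder text = new StringBuilder();
                for (String line; (line = in.readLine()) != null; ) {
                    text.append(line).append('\n');
                }
                return text.toString();
            } finally {
                in.close();
            }
        } catch (UnavailableServiceException e) {
            return null; // JNLP services missing, e.g. plain <applet> launch
        } catch (IOException e) {
            return null; // the request failed for a reason other than cancel
        }
    }
}
```

`FileSaveService.saveFileDialog` follows the same lookup pattern for the save case mentioned in the question.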