This discussion is archived
4 Replies Latest reply: Jan 14, 2013 7:56 AM by 984653 RSS

Java 7 Update 11 and unsigned applets

984653 Newbie
Currently Being Moderated
Hi there,

after reading

The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation."
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

I'm asking me why an unsigned applet running in a security sandbox shows a user warning by default whereas a (according to http://mindprod.com/jgloss/signedapplets.html potentially dangerous) signed applet having full access to local discs does not??

Our company is developing unsigned applets running in a sandbox. Due to the change in 7u11, we are in the need to either recommend all customers to change their security level back to "Medium", or let them again and again click "ok" when the alert window appears. "Dont show this message again for this application" does NOT work, everytime I reload a webpage with the same applet, I get this warning. If the website contains multiple applets, I get a warning for each of them which is even worse!

My questions are:

1. What is the idea to show messages for unsigned applets running in a secure sandbox.. why when running in a sandbox, and why not also for potentially more dangerous signed applets?
2. Does a non-admin user have privileges to change the security level by default?
3. Is there any recommended strategy to sign an applet to work across browsers, platforms, JRE versions?
4. Are there negative side-effects to sign an applet?

Thanks, Peter
  • 1. Re: Java 7 Update 11 and unsigned applets
    EJP Guru
    Currently Being Moderated
    Our company is developing unsigned applets ...
    Why?
    1. What is the idea to show messages for unsigned applets running in a secure sandbox.. why when running in a sandbox, and why not also for potentially more dangerous signed applets?
    With a signed applet you know who is taking the responsibility.
    2. Does a non-admin user have privileges to change the security level by default?
    Pass.
    3. Is there any recommended strategy to sign an applet to work across browsers, platforms, JRE versions?
    Err, sign it?
    4. Are there negative side-effects to sign an applet?
    Only that it forces you to sign all its components. Not sure what this question means.
  • 2. Re: Java 7 Update 11 and unsigned applets
    gimbal2 Guru
    Currently Being Moderated
    4. Are there negative side-effects to sign an applet?
    It requires you to know perfectly well what you're doing or you're going to have trouble (sign not working, errors, warning dialogs, etc.). That is a downer for plenty of people who only want to get by doing the very minimal. Can't say in which group you fall of course.
  • 3. Re: Java 7 Update 11 and unsigned applets
    984653 Newbie
    Currently Being Moderated
    Hi and thank you very much for responding!

    I'd be interested in further answers:
    Our company is developing unsigned applets ...
    Why?
    Sufficient functionality. We dont want to e. g. access the customers local file system, we just wanted to use the applet as viewer sending data to and from the server where the applet was loaded from. Nothing else.
    1. What is the idea to show messages for unsigned applets running in a secure sandbox.. why when running in a sandbox, and why not also for potentially more dangerous signed applets?
    With a signed applet you know who is taking the responsibility.
    With unsigned applets, I rely on the sandbox responsibility. I actually couldn't do anything dangerous by accident.
    With signed applets, I'm fully responsible that nothing bad happens to the clients data. Preventing this is the main task for the java sandbox, so why not use it?

    Just to clarify: Is it right that each signed applet has full access rights?
    3. Is there any recommended strategy to sign an applet to work across browsers, platforms, JRE versions?
    Err, sign it?
    Does the signing scheme matter? According to http://mindprod.com/jgloss/signedapplets.html, there are lots of...

    Could you recommend a good tutorial? I'm an absolute beginner concerning signing of applets.
    4. Are there negative side-effects to sign an applet?
    Only that it forces you to sign all its components. Not sure what this question means.
    What about loading time and jar filesize?

    Does JarIndex work with multiple signed modular applet jars?

    Must javascript code also be signed to talk to signed applets?

    Is a client able to see a signed applet a) without see or interact with a confirmation window and b) without doing any prerequisites (like adding certificates or similar)?


    Thanks, Peter
  • 4. Re: Java 7 Update 11 and unsigned applets
    984653 Newbie
    Currently Being Moderated
    Hi gimbal2, thanks for the answer. Apart from what the programmer must do - what steps must a normal end user do in order to see an signed applet?

    Peter

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points