8 Replies. Latest reply: Mar 20, 2014 7:41 AM by user13550719

    Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning

    user13550719

      Dear members, I need your help please.

      I have a game I am hosting at www.hiredforoneday.com

       

      I have signed the code with M/s Comodo. I have written the manifest file (and changed it so many times) but I still get the Oracle security warning:

       

       

      "This application will run with unrestricted access which may put your computer and personal information at risk.

      Run this application if you trust the location and publisher above"

       

      I must admit I am defeated / do not understand what I am doing.

       

      Please I need your help on how to write the manifest code, how to correctly put it in the jar and how to reference from the html code

      The game can only be played online from www.hiredforoneday.com

      I need the system clock of the client and also I have used getResources() to read images in the jar file

       

      On the site I have a (Play) button. When a call to the play button is made, the index page connects to the file play.html which is located in the jars folder.
      The play.html file calls the HiredForOneDay.jar file which is also located in the jars folder. Files like launch.jnlp, launch.html are all in the jars folder.

       

      My game uses CardLayout (CardLayoutClass). In the Applet init() there is

      cardLayoutClass.showCongratulationsPanel(); which shows the Congratulations class

       

      then setJMenuBar(helpTopicSelector.getBar()); HelpTopicSelector is also another class

       

      below is the code

      [code]
      package hiredforoneday;

      import java.awt.BorderLayout;

      /**
       * @(#)HiredForADayApplet.java
       *
       * @author Ruth Bugembe
       * @author John Bannick
       * @version 23 Dec 2012
       */
      @SuppressWarnings("serial")
      public class HiredForADayApplet extends javax.swing.JApplet {

          // Card-layout controller for the game panels (CardLayoutClass is another class of the game)
          static CardLayoutClass cardLayoutClass;
          // Builds the help menu bar (HelpTopicSelector is another class of the game)
          HelpTopicSelector helpTopicSelector;

          @Override
          @SuppressWarnings("static-access")
          public void init() {
              cardLayoutClass = new CardLayoutClass();
              helpTopicSelector = new HelpTopicSelector(this);

              // Put the card panel in the centre of the applet and show the Congratulations card first
              add(cardLayoutClass.getMainPanel(), BorderLayout.CENTER);
              cardLayoutClass.showCongratulationsPanel();

              setJMenuBar(helpTopicSelector.getBar());
          }
      }
      [/code]

       

       

      I have not sent in manifest code because I have made so many versions and now am confused

       

      Thank you again for your time

       

      Ruth

        • 1. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
          jashburn

          I don't think it's possible to prevent the warning message from popping up at least once. There might be a "Do not show this again" option on the warning dialog box that users can check to prevent it from popping up again. Code-wise the only thing I can think of is to remove reliance on client-side system clock so that the Permissions attribute in the manifest file can be set to "sandbox" rather than "all-permissions". Not sure if reading images from the same signed jar file still qualifies it as running under "sandbox" - try and see.

           

          It's worth noting that other Java RIA publishers such as Skillsoft Support Knowledge Base also face the same issue, and they simply document it as a relatively benign warning message.

          • 2. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
            user13550719

            Thank you very much for that answer. I have spent weeks on the problem.

             

            I am not an expert in Java but I have an application I am hosting at www.hiredforoneday.com. I need to time the players when answering questions, and I also need the time in my animations. Is there a way around this problem so that I do not use the client system clock? I will be very grateful if you can give me sample code because the security alert scares my players.

             

            I also do not know how to write absolute paths for my graphics. My graphics are in a file "images" in the src file.

             

            Thank you in advance.

             

            Ruth

            • 3. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
              jwenting

              wouldn't be much of a security system if the programmer could just tell the applet to turn off security and it would do so without so much as alerting the end user

              • 4. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
                gimbal2

                jwenting wrote:

                 

                wouldn't be much of a security system if the programmer could just tell the applet to turn off security and it would do so without so much as alerting the end user

                I would hate that only a little more than web applications being able to print stuff without showing the print dialog.

                • 5. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
                  jashburn

                  @jwenting, it is not really about turning off security per se. It's more about looking for a way so that the Java plugin doesn't have a reason to display the warning pop-up because the applet has been made secure.

                   

                  Oracle introduced a number of new security-related warning pop-ups since Java 7u21 such that users who hadn't seen them before are alarmed to see them now. You can see some of the pop ups at https://blogs.oracle.com/proactivesupportDevTools/entry/a_closer_look_into_jre . A number of them are for good measure, e.g., when the jar file is not signed or signed but not using a trusted CA certificate, or when the jar's manifest file is missing some attributes that help prevent security issues such as applet repurposing. Pop ups for these are completely warranted, and developers should take steps to rectify them. In fact applets with these issues may not even run starting from Java 7u51 as this update release enforces a number of security measures, and blocks applets from running if these measures (trusted CA signing and some manifest attributes) are not in place.

                   

                  In this particular case the jar file is signed using a trusted CA certificate, and it seems that the mandatory manifest attributes have also been put in. Therefore the question is if there is anything else that needs to be done to satisfy the Java plugin of the applet's security, or is it by design that the Java plugin will display the warning message at least once no matter what. Iinm, the message here displays the Java logo that signifies a lower security risk (see https://www.java.com/en/download/help/appsecuritydialogs.xml ) but still it goes back to what I wrote about users being alarmed when there weren't such messages before. One of my previous links suggests that the warning message is unavoidable. Here's another one that suggests similarly: http://www-01.ibm.com/support/docview.wss?uid=swg21654503 (scroll down to the last question on the page.)

                   

                  @Ruth, I've noticed in your manifest file you have:

                  Application-Library-Allowable-Codebase: *

                  Codebase: *

                   

                  Referring to http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html , you might want to try replacing * with the web site's domain.

                   

                  Also, you have:

                  Caller-Allowable-Codebase: * localhost 127.0.0.1 www.hiredforoneday.co

                  m/jars/HiredForOneDay.jar

                   

                  Not sure if the value being on separate lines matter, but I recall that manifest attribute value checking is quite strict, so you might want to put them into a single line. Also try removing the *. Other than that I don't see anything wrong with it. If the warning message is still displayed after changing the above, I think we can really conclude that it is unavoidable for all-permissions applets.

                   

                  For your animation, you might want to try using one of the Timer classes, or a simple sleep() in the animation loop. To time user's answers, perhaps you can implement a timer that sends out a tick, say, every 50 milliseconds, and count the number of ticks between the question and answer. Finally, the usual way to load images packaged in the jar file is to use Image image = ImageIO.read(getClass().getResource("/absolute/package/filename")); but I'm not sure if this will work with sandbox Permissions. An alternative would be to externalise the images into the same web server that serves out the applet, and load them from the applet using URLConnection. (This is fine if there aren't many images to load as having many round-trips back to the server can cause performance issues.)

                   

                  Hth!
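
A way to check the manifest attributes discussed in the reply above, as an added example that is not code from the thread or from Oracle: it parses a manifest with java.util.jar.Manifest, which joins a value wrapped at the JAR format's 72-byte line limit back into one string, and flags "*" entries in the codebase attributes. The class name ManifestAudit, the "Permissions: all-permissions" line and the sample manifest text are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.jar.*;

public class ManifestAudit {
    // Attributes named in this thread whose value is a list of allowed locations.
    static final String[] LOCATION_ATTRS = {
        "Codebase", "Application-Library-Allowable-Codebase", "Caller-Allowable-Codebase"
    };

    /** Returns one finding per problem; an empty list means nothing was flagged. */
    static List<String> audit(Manifest mf) {
        Attributes main = mf.getMainAttributes();
        List<String> findings = new ArrayList<>();
        String perms = main.getValue("Permissions");
        if (perms == null) {
            findings.add("Permissions: missing");
        } else if (!perms.equals("sandbox") && !perms.equals("all-permissions")) {
            findings.add("Permissions: unexpected value '" + perms + "'");
        }
        for (String name : LOCATION_ATTRS) {
            String value = main.getValue(name);
            if (value == null) {
                findings.add(name + ": missing");
            } else if (Arrays.asList(value.trim().split("\\s+")).contains("*")) {
                findings.add(name + ": wildcard '*' matches any location");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the attribute values quoted in the thread, with the
        // long line wrapped at 72 bytes and continued on a line starting with a space.
        String text = "Manifest-Version: 1.0\r\n"
            + "Permissions: all-permissions\r\n"
            + "Codebase: *\r\n"
            + "Application-Library-Allowable-Codebase: *\r\n"
            + "Caller-Allowable-Codebase: * localhost 127.0.0.1 www.hiredforoneday.co\r\n"
            + " m/jars/HiredForOneDay.jar\r\n";
        Manifest mf = new Manifest(
            new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
        // The parser has already joined the continuation line into a single value.
        System.out.println(mf.getMainAttributes().getValue("Caller-Allowable-Codebase"));
        audit(mf).forEach(System.out::println);
    }
}
```

To audit a built jar instead of the inline sample, obtain the Manifest from new JarFile(path).getManifest() and pass it to audit().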

                  • 6. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
                    jwenting

                    " the Java plugin doesn't have a reason to display the warning pop-up because the applet has been made secure."

                     

                    and you want me as an end user to just assume that every applet where the programmer asserts that it is secure can be trusted and therefore no security is needed (because that's what it does, turns off sandbox security if you agree with it).

                     

                    So yes, it turns off security, and you want the applet programmer to be able to tell the JVM that security should be turned off.

                    Which of course means that there might as well be no security at all, as every malware author would of course instantly do just that.

                    • 7. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
                      gimbal2

                      Hey, if the Jedi can do it with the wave of a hand, why not Java developers?

                       

                      *waves hand*

                       

                      You will instantly trust my software to not email your addressbook to iamnotahacker@h0tmail.com.

                      • 8. Re: Please need help with my Comodo signed applet manifest to get rid of the Oracle security warning
                        user13550719

                        Thanks everyone for your help.

                        I am ashamed to admit I am defeated. I have spent weeks on this problem and it is not going away. I have used all the advice I get, I have even put code in doPrivileged(), nothing works. Does anyone know where I can post the code so someone can do it for me, at a cheap cost?

                         

                        below is the security error I get

                         

                        I have a valid certificate from Comodo and I am signing it in NetBeans

                         

                        Thanks again

                        [code]

                        java.lang.SecurityException: attempted to open sandboxed jar http://localhost/Sample/jars/HiredForOneDay.jar as a Trusted-Library
                            at com.sun.deploy.security.CPCallbackHandler$ParentElement.checkResource(Unknown Source)
                            at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
                            at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
                            at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader$1.run(Unknown Source)
                            at java.security.AccessController.doPrivileged(Native Method)
                            at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
                            at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
                            at java.lang.ClassLoader.loadClass(Unknown Source)
                            at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
                            at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
                            at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
                            at java.lang.Thread.run(Unknown Source)

                         


                         

                         

                        [/code]