We have developed a Java-based Enterprise Web Application and are currently using it in a Production environment. With the recent Java Security vulnerability issue, the client machines (desktops) were upgraded to Java 7 update 11 (Java plugin for Web browser). After the upgrade, users are having issues accessing the application. The user gets a Security Warning popup - "Do you want to run this application? An Application from the location below is requesting permission to run Location: xyz.... ". Even if they check the "Do not show this again for this app" checkbox, it still shows the Security Warning popup for every screen clicked by the user. The Application has a "Trusted Certificate" but uses a 3rd party jar which has an unsigned applet. The popup goes away if we change the security level to Medium. We don't want to reduce the security level from 'High' to 'Medium' because of the Security issues and because users may access other websites.
Is there a way to resolve the unsigned applet issue without compromising the security?
With Java 7u11 Oracle increased the default security level to help reduce the of recently discovered exploits getting past the security sandbox.
That said, I seem to recall from a few years ago that any untrusted component delivered to the client might cause the entire application to be treated as untrusted (as it should), and this may be the case here.
Although license issues may prevent you from doing this, I have found that unpacking and then repacking-and-re-signing (with your own key) all 3rd party JARs can get around this, but only you can decide whether this is (a) legal and (b) advisable in the first place.
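
Before deciding whether to re-sign anything, it helps to know which JARs the application ships are unsigned or only partly signed. The following is an added example, not part of the original answer: a structural audit in Python that looks for a `.SF` file with a matching signature block and for per-entry digests in `MANIFEST.MF`. The JAR names and contents are constructed samples, and the check does not validate signatures cryptographically (`jarsigner -verify` does that).

```python
import io
import zipfile
def digested_names(manifest_text):
    """Entry names with a *-Digest attribute; wrapped lines are unfolded first."""
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and any(k.endswith("-Digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def jar_signing_status(jar):
    """Classify a JAR as 'unsigned', 'partial' or 'signed' (structural check only)."""
    with zipfile.ZipFile(jar) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
        meta = [n.upper() for n in entries if n.upper().startswith("META-INF/")]
        stems = {n[:-3] for n in meta if n.endswith(".SF")}
        blocks = {n.rsplit(".", 1)[0] for n in meta if n.endswith((".RSA", ".DSA", ".EC"))}
        if not stems & blocks:  # no .SF with a matching signature block file
            return "unsigned"
        digested = digested_names(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        payload = [n for n in entries if not n.upper().startswith("META-INF/")]
        return "signed" if all(n in digested for n in payload) else "partial"

def make_jar(files, signed_entries=None):
    """Constructed in-memory JAR; the .SF/.RSA contents are dummy placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n\n"
        for name in signed_entries or []:
            manifest += f"Name: {name}\nSHA-256-Digest: AAAA\n\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed_entries is not None:
            zf.writestr("META-INF/APP.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/APP.RSA", b"placeholder")
        for name in files:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf

def sample_jars():
    return {  # constructed samples, not files from the application in question
        "app.jar": make_jar(["com/example/Main.class"], ["com/example/Main.class"]),
        "thirdparty.jar": make_jar(["vendor/ChartApplet.class"]),
        "patched.jar": make_jar(["a/A.class", "a/Extra.class"], ["a/A.class"]),
    }

if __name__ == "__main__":
    print({name: jar_signing_status(j) for name, j in sample_jars().items()})
```

A result of `unsigned` or `partial` for any JAR on the applet's classpath points at the component that keeps the deployment from being treated as fully trusted.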