This discussion is archived
3 Replies Latest reply: Apr 8, 2013 6:30 PM by 1000524 RSS

Java JRE Mixed Code Security starting with JRE 1.6.0_19 and on

1000524 Newbie
Initially, around 2010, a main jar Java Applet was implemented, built, and deployed using JDK/JRE 1.6.0_12; the main jar and third party jars were signed, and everything worked fine. The main jar Java applet and third party jars work fine with JRE 1.6.0_12 through JRE 1.6.0_18. However, with the introduction of the Mixed Code security starting with JRE 1.6.0_19, the main jar will not launch with JRE 1.6.0_27 unless the Mixed Code security is disabled. We are moving our JRE from 1.6.0_12 to update 27. I am trying to fix this problem, that is, to allow the signed main jar Java applet and the signed third party jars to launch when the Mixed Code security is enabled.

I have a main jar that has the Java Applet source code and several third party jars that are used by the main jar; for instance, activation.jar, log4j-1.2.13.jar, ojdbc14.jar, etc. Using keytool.exe in JDK 1.6.0_27 I created a new keystore that has the private/public key pair for the Java applet. Using jarsigner.exe in JDK 1.6.0_27 I signed the main jar and all the third party jars with the private key successfully; each jar has a signature file .SF and a signature block file .DSA (Digital Signature Algorithm). I exported the public key to be used to verify the signed jars. The Java Applet and the third party jars are in a web app's webcontent/applet directory; when the applet is launched using the web app, the main jar and the third party jars are downloaded onto the user's computer. The digital signature part works fine; the Java applet is able to launch and work successfully when the JRE Mixed Code security is disabled. This still does not solve the Mixed Code security when it is enabled. I tried deploying the main jar as Trusted-Only and as Trusted-Library. In both situations, when the Mixed Code security is enabled, the main jar Java Applet is not able to launch; I get different exceptions but the same results.

Any ideas on how to resolve this dilemma?


Trusted-Only :: Mixed Code Enabled
.........................
cache: Mark prevalidated: http://<hostname>:<port>/<path>/<main>.jar true tm=<numbers> cert=<numbers>
security: http://<hostname>:<port>/<path>/<main>.jar is newly asserting Trusted-Only
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
.........................
.........................
network: Cache entry not found [url: http://<hostname>:<port>/<path>/StatLib.jar, version: null]
network: Connecting http://<hostname>:<port>/<path>/StatLib.jar with proxy=DIRECT
network: Connecting http://<hostname>:<port>/ with proxy=DIRECT
network: Connecting http://<hostname>:<port>/<path>/StatLib.jar with cookie "<CheckboxChecked>=Y; JSESSIONID=<j_session_id>"
network: CleanupThread used 1 us
network: Downloading resource: http://<hostname>:<port>/<path>/StatLib.jar
     Content-Length: 62,219
     Content-Encoding: null
network: Wrote URL http://<hostname>:<port>/<path>/StatLib.jar to File C:\<path>\LocalLow\Sun\Java\Deployment\cache\6.0\24\167b0298-1365f142-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
cache: Adding MemoryCache entry: http://<hostname>:<port>/<path>/StatLib.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called
basic: Plugin2ClassLoader.isTrustedByPolicy returns false
security: resource name "com/<name>/statistics/lib/I_Dispatch.class" in http://<hostname>:<port>/<path>/StatLib.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://<hostname>:<port>/<path>/StatLib.jar
04/01/2013 16:58:41,588 - [FATAL Thread-15 com.lfg.<name>.<JavaObjectName>.<init>(<JavaName>.java:193)] - Error in <Method>() java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://<hostname>:<port>/<path>/StatLib.jar
     at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
     at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
     at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
     at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.defineClass1(Native Method)
     at java.lang.ClassLoader.defineClass(Unknown Source)
     at java.security.SecureClassLoader.defineClass(Unknown Source)
     at java.net.URLClassLoader.defineClass(Unknown Source)
     at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
     at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at java.lang.Class.forName0(Native Method)
     at java.lang.Class.forName(Unknown Source)
.... Java Applet is calling and loading a class in a third party jar that I signed but for some reason it is being treated as unsigned ....

...........,............
network: Cache entry not found [url: http://<hostname>:<port>/<path>/ojdbc14.jar, version: null]
network: Connecting http://<hostname>:<port>/<path>/ojdbc14.jar with proxy=DIRECT
network: Connecting http://l<hostname>:<port>/ with proxy=DIRECT
network: Connecting http://<hostname>:<port>/<path>/ojdbc14.jar with cookie "CheckboxChecked=Y; JSESSIONID=<j_session_id>"
network: CleanupThread used 1 us
network: Downloading resource: http://<hostname>:<port>/<path>/ojdbc14.jar
     Content-Length: 1,448,790
     Content-Encoding: null
network: Wrote URL http://<hostname>:<port>/<path>/ojdbc14.jar to File C:\<path>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\534fe7f3-21a4d4ae-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
network: CleanupThread used 1 us
cache: Adding MemoryCache entry: http://<hostname>:<port>/<path>/ojdbc14.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called
basic: Plugin2ClassLoader.isTrustedByPolicy returns false
security: resource name "oracle/jdbc/driver/OracleDriver.class" in http://<hostname>:<port>/<path>/ojdbc14.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://<hostname>:<port>/<path>/ojdbc14.jar
java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://<hostname>:<port>/<path>/ojdbc14.jar
     at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
     at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
     at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
     at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
     at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     ..... Java applet is loading a Java class in a third party jar that was signed, but it is being treated as untrusted .....


Trusted-Library :: Mixed Code Enabled
..............................
cache: Mark prevalidated: http://l<hostname>:<port>/<path>/<main>.jar true tm=<numbers> cert=<numbers>
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: exception: java.lang.NoClassDefFoundError: org/apache/log4j/Logger.
java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
     at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.instantiateApplet(Unknown Source)
     at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
     at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
     at com.<path>.<MainClassApplet>.<clinit>(<MainClassApplet>.java:<line_number>)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
     at java.lang.reflect.Constructor.newInstance(Unknown Source)
     at java.lang.Class.newInstance0(Unknown Source)
     at java.lang.Class.newInstance(Unknown Source)
     at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter$1.run(Unknown Source)
     at java.awt.event.InvocationEvent.dispatch(Unknown Source)
     at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
     at java.awt.EventQueue.access$200(Unknown Source)
     at java.awt.EventQueue$3.run(Unknown Source)
     at java.awt.EventQueue$3.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
     at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
     at java.awt.EventQueue$4.run(Unknown Source)
     at java.awt.EventQueue$4.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
     at java.awt.EventQueue.dispatchEvent(Unknown Source)
     at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
     at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
     at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
     at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
     at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
     at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger
     at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     ... 27 more
Ignored exception: java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
basic: Dialog type is not candidate for embedding
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@40ab5b6c
security: Reset deny session certificate store



The main jar applet (Rich Internet Application) is called using JavaScript code in a JavaServer Pages file (HTML page) with the <OBJECT> HTML tag.
<SCRIPT>
     function getstarted(str1, str2) {
          document.Form1.textArea.focus();
          this.document.Applet.startApplet(str1, str2, "web");
     }
</SCRIPT>
<%-- The two request parameters below are written into the onload script without escaping. --%>
<BODY onload="getstarted('<%out.write(request.getParameter("string1"));%>','<%out.write(request.getParameter("string2"));%>')">
<FORM NAME="Form1">
     <TEXTAREA name="textArea" rows="1" cols="20"></TEXTAREA>
</FORM>
     <OBJECT classid="clsid:CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA"
          width="0"
          height="0"
          NAME="Applet"
          TYPE="application/x-java-applet;version=1.6"
          codebase="http://java.sun.com/update/1.6.0/jinstall-6u27-windows-i586.cab#Version=1,6,0,27">
          <PARAM name="code" value="com.<path>.Applet">
          <PARAM name="archive" value="activation.jar, .. log4j-1.2.13.jar, mail.jar, ... -main_jar-.jar, StatLib.jar, .. xercesImpl.jar, xsdlib.jar">
          <PARAM NAME="MAYSCRIPT" VALUE="true">
          No Java 2 SDK, Standard Edition v 1.4.2 support for the APPLET!!
     </OBJECT>
</BODY>


It is my understanding that JavaScript code is treated like unsigned code. When a signed applet is accessed from JavaScript code in an HTML page, the signed applet is executed within the security sandbox. This implies that the signed applet essentially behaves like an unsigned applet.

I am debating whether I should use JNLP with the Deployment Toolkit (deployJava.js) to deploy the applet, or whether I should add classes to the main JAR file's class-path in the main JAR file's manifest file, whose manifest references a different JAR file (or several different JAR files) that serve as utilities for the purposes of my applet.


I believe this may answer my question but not sure yet http://stackoverflow.com/questions/4680823/java-lang-securityexception-class-org-apache-log4j-logger-does-not-match-trus?answertab=active#


Any idea on how to resolve this Mixed Code issue?

Please advise, thanks.

Edited by: Gibran E. Castillo on Apr 2, 2013 2:55 PM
  • 1. Re: Java JRE Mixed Code Security starting with JRE 1.6.0_19 and on
    sabre150 Expert
    I seem to be missing something. You seem to be signing ALL your jars including the third party ones so why do you need to enable mixed mode?

    P.S. Are you making sure nothing is cached after you change the mixed mode options? Browsers have a nasty habit of caching everything to do with Applets.
  • 2. Re: Java JRE Mixed Code Security starting with JRE 1.6.0_19 and on
    1000524 Newbie
    What are you missing?

    I inherited this app and signing the third party jars is how it was setup, I was wondering the same thing too, why was it necessary to sign the third party jars?

    The applet runs in either JRE 1.6.0_13 or JRE 1.6.0_27 depending on the other Java apps the user uses. JRE 1.6.0_13 does not have the mixed code security (so it is as if it is disabled), but JRE 1.6.0_27 does have the mixed code security and the applet will not launch with mixed code security enabled, so we have to disable it. With all the hacking going on in the last two years, it is important to improve security; so this is a must.

    Yes, I always clear up the cache.

    Any idea on how to resolve this problem?
  • 3. Re: Java JRE Mixed Code Security starting with JRE 1.6.0_19 and on
    1000524 Newbie
    I fixed the problem by adding all the signed third party jar files in the applet's jar manifest.mf file with the Class-Path attribute and by adding all the third party jars in the .JSP page <OBJECT> tag in the “archive” attribute, with the applet jar listed and loaded last.
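
A pre-deployment check for the arrangement described in reply 3, added here as an example (it is not code from the thread or from Oracle): it reads each jar's manifest, rejoins wrapped `Class-Path` lines, and reports whether the main jar declares a trust attribute, lists every library, and comes last in the archive order. The name `main.jar`, the helper names and the sample jars are constructed; the signature entries are placeholders, so this checks presence only and `jarsigner -verify` remains the cryptographic check.

```python
import io
import zipfile

def main_attributes(jar_bytes):
    """Main section of META-INF/MANIFEST.MF, with wrapped continuation lines rejoined."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of the previous value
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def is_signed(jar_bytes):
    """Presence check only: a .SF file with a matching signature block file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    stems = {n[:-3] for n in meta if n.endswith(".SF")}
    return any(n.endswith((".DSA", ".RSA", ".EC")) and n.rsplit(".", 1)[0] in stems for n in meta)

def audit(jars, main_jar, archive):
    """jars: name -> bytes; archive: jar names in the order of the archive parameter."""
    findings = [f"{n}: no signature file/block pair" for n in archive if not is_signed(jars[n])]
    attrs = main_attributes(jars[main_jar])
    if "true" not in (attrs.get("Trusted-Only"), attrs.get("Trusted-Library")):
        findings.append(f"{main_jar}: neither Trusted-Only nor Trusted-Library is true")
    listed = attrs.get("Class-Path", "").split()
    findings += [f"{main_jar}: Class-Path does not list {n}"
                 for n in archive if n != main_jar and n not in listed]
    if archive[-1] != main_jar:
        findings.append(f"archive: {main_jar} is not listed last")
    return findings

def make_jar(manifest, signed=True):  # constructed sample jar, placeholder signature entries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/APPLET.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/APPLET.DSA", b"placeholder")
    return buf.getvalue()

LIBS = ["log4j-1.2.13.jar", "ojdbc14.jar", "StatLib.jar"]
BASE = "Manifest-Version: 1.0\r\nTrusted-Library: true\r\n"
WRAPPED = "Class-Path: log4j-1.2.13.jar ojdbc14.jar Stat\r\n Lib.jar\r\n"  # value wraps mid-name

def run(main_manifest, archive):
    jars = {n: make_jar("Manifest-Version: 1.0\r\n") for n in LIBS}
    jars["main.jar"] = make_jar(main_manifest)
    return audit(jars, "main.jar", archive)
```

`run(BASE, ["log4j-1.2.13.jar", "main.jar", "ojdbc14.jar", "StatLib.jar"])` reports the missing `Class-Path` entries and the archive order; `run(BASE + WRAPPED, LIBS + ["main.jar"])` returns no findings.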
