Sign your custom jars with known and trusted certificates (e.g. Verisign, Thawte, etc).
I have the same issue with a brand new forms install with no custom jar files. I
think the only way to stop it is to put the urls in the java control panel
security exceptions. you need to include the port number(s).
After I said that I found that it still put out the security warning. But it was possible to stop it by running javaws ( jre1.8.0_202) from the command line wherein
It is a complete mystery why this happens. I had thought it was because the cert expired. But frmall.jar at least was timestamped.
jarsigner -verify -verbose -certs frmall.jar >foo
"The signer certificate expired on 2018-02-01. However, the JAR will be valid until the timestamp expires on 2020-12-29"
There definitely will be a problem after 12/29/2020 so we might as well get used to it. :-)
The only way I might anticipate this happening on a new installation would be if you are not using 184.108.40.206. Note that custom jar files include your own Java Beans or PJCs, icon/image jar files, and even jacob.jar. Anything that is not delivered with the installation and requires you to sign becomes an issue. You cannot use sign_webutil.bat/sh. You must use a real certificate that came from a CA.
You can use the Site Exception list to avoid some of the messaging, but not all messages. To avoid most of the messages you would need to use a Deployment Rule Set, but it needs to be properly signed too.
I don't know what jars it is looking at. In the formsweb.cfg I have:
same as for the webstart entry. So is it not just frmall.jar like below? The extensions.jnlp file
specifies no other jars.
Now I am more unhappy about the fact that java wants to update.
Java(TM) SE Runtime Environment (build 1.8.0_202-b26) downloaded from oracle support.
see attached where ie wants it to update. I fear it would update to a version beyond 8. Anyone let it do the update to see what it is going to do?
Looking at the base.jnlp which I have no idea about how it works, this part worries me:
<!-- Application Resources -->
<j2se version="%java_version%" href="http://java.sun.com/products/autodl/j2se"/>
<jar href="%contextRoot%/java/frmall.jar" download="eager" main="true" />
<extension name="Extensions" href="%contextRoot%/java/extensions.jnlp"/>
Is it telling it to go find a current version of java? We certainly do not want the current version. I think it was but now that url doesn't work thankfully.
You won't/can't be updated to anything but 8 because newer versions do not support Autoupdate.