Java and JavaFX security

After the latest Java update (7u11), when my applet is loaded into a page in Firefox you must allow the app to run through a big security warning, even though the applet does not have access to personal information of any kind.

In IE it shows this warning once, but when you click "always allow" it doesn't show it anymore. In Firefox, even if you click "always allow", every time you leave and return it prompts again. I'm worried about scaring off potential users.

The applet opens a network connection to a daemon hosted on the same server / IP as the web server (port 4444 at the moment). Previously this was not treated as a security issue, but now it is, and it must be approved.

The applet sends constantly changing information (prices, times, etc.) to the client, so it must maintain a direct connection to the server for the data to be presented correctly. The client sends a limited amount of data (basically a self-developed protocol for selecting what information you want to view). The applet does not have access to personal files or other information on the system. It only accesses its own resources (things included in the .jar file) and leaves no files on the user's hard drive.

On another note: after updating Java, visiting my page with the applet showed the error "you must install Java". If you choose to download and install, it says Java is already installed and asks whether you want to reinstall. If you say no, the error is still displayed. If you say reinstall, the applet loads, but with all the security warnings.

I know I have to work on this. Yahoo games and Pogo games use a Java environment with some client-server traffic, but they don't show a bunch of security warnings. The only difference is that my applet uses JavaFX where Yahoo and Pogo use Swing or AWT.

+3




1 answer


Starting with Java 7u11, the default security level for Java applets was changed from Medium to High, which may result in the new security warnings you see when running an application under Java 7u11. From the Java 7u11 release note:

Summary: Default Security Level Setting Changed to High
The default security level for Java applets and Web Start applications has been increased from Medium to High. This affects the conditions under which an unsigned (sandboxed) Java application can run. Previously, as long as you had the latest secure Java version installed, applets and Web Start applications would continue to run as always. With the "High" setting, the user is always warned before any unsigned application is run, to prevent silent exploitation.

IMO, this reflects Oracle's assumption that the attack surface of Java is too large for them to reliably prevent drive-by attacks, such as when a user merely navigates to a web page that runs Java and the page exploits an unpatched Java vulnerability to compromise the user's system. Oracle's answer is therefore to tighten security for Java applications in browsers so that they never run without the user's prior consent. Many will say this is good for the web in general, although it is unwelcome if you previously relied on an unsigned, non-malicious application being delivered to the user without a pop-up security alert.


With a Yahoo or Pogo game, presumably the game has been signed, in which case a warning is shown the first time a game from that publisher is launched, but the user can choose to always trust the publisher, after which the user is not warned again when later running an applet from the same publisher. You can do the same for your application if you like.


You could also ask the user to lower their default security setting (for example, from High to Medium), and then there would be no warning when your unsigned application is launched, but this is not practical, because Oracle changed the default from Medium to High for a good reason.




There should be no difference in warning behavior between JavaFX and Swing or AWT applets; if there is one, it would be a bug that should be reported to Oracle.


Regardless of the Java security settings, individual browser vendors can block Java, or particular Java versions, and display their own warning to the user. Some images of what these block messages look like in different browsers are in "Disabled Java Alerts and Impact on Java Web Start Applications" (the title mentions Web Start applications, but the warning images in that post apply to applets as well, whether Swing or JavaFX based).


Here is an example of the warning that Java generates for an unsigned application. It was produced on Mac OS X 10.8 by clicking the "Test Java" button on Oracle's java.com site while running Java 7u11.

[image: security warning dialog]

+4
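The signing route the answer recommends, as an added shell example that is not part of the answer or of Oracle's documentation: it generates a self-signed test key with keytool, signs a constructed sample JAR with jarsigner, and checks the result with jarsigner -verify. The file names applet.jar and applet.jks and the alias applet-dev are assumptions. A self-signed key only exercises the pipeline locally; a real deployment signs with a code-signing certificate from a CA that the Java runtime trusts, which is what gives users the "always trust this publisher" choice the answer describes.

```shell
#!/bin/sh
# Added example, not the question's code. Requires the JDK tools jar, keytool and jarsigner.
# Assumed names: applet.jar (the applet), applet.jks (keystore), alias applet-dev.
set -eu

# Build a small constructed JAR so the script runs stand-alone without a real applet.
make_sample_jar() {
  out="$1"
  dir=$(mktemp -d)
  printf 'constructed sample resource\n' > "$dir/prices.txt"
  jar cf "$out" -C "$dir" prices.txt
  rm -rf "$dir"
}

# Generate a self-signed RSA test key. Production signing uses a CA-issued
# code-signing certificate instead; this key only exercises the tooling.
make_test_key() {
  keystore="$1"; alias="$2"; pass="$3"
  keytool -genkeypair -keystore "$keystore" -storetype JKS -alias "$alias" \
    -keyalg RSA -keysize 2048 -validity 365 \
    -storepass "$pass" -keypass "$pass" \
    -dname "CN=Applet Test Signer, O=Example Corp, C=US" >/dev/null 2>&1
}

# Sign the JAR in place with the given key (jarsigner [options] jar-file alias).
sign_jar() {
  keystore="$1"; alias="$2"; pass="$3"; jarfile="$4"
  jarsigner -keystore "$keystore" -storepass "$pass" "$jarfile" "$alias" >/dev/null 2>&1
}

# Returns 0 when jarsigner reports "jar verified", 1 for an unsigned JAR.
# (A self-signed key still verifies but prints trust warnings; check those
# before shipping.)
jar_is_signed() {
  jarsigner -verify "$1" 2>&1 | grep -q "jar verified"
}

# End-to-end run in a temp directory; prints the path of the signed JAR.
run_signing_demo() {
  work=$(mktemp -d)
  make_sample_jar "$work/applet.jar"
  if jar_is_signed "$work/applet.jar"; then
    echo "unexpected: fresh jar already reports as signed" >&2
    return 1
  fi
  make_test_key "$work/applet.jks" applet-dev changeit
  sign_jar "$work/applet.jks" applet-dev changeit "$work/applet.jar"
  jar_is_signed "$work/applet.jar" || { echo "signing failed" >&2; return 1; }
  echo "$work/applet.jar"
}

# Run the demo when invoked as: sh sign_applet.sh demo
if [ "${1:-}" = "demo" ]; then
  run_signing_demo
fi
```

For a real applet, replace make_sample_jar with the JAR produced by your build, and point make_test_key at a keystore holding the CA-issued certificate rather than generating one; jarsigner -verify on the deployed JAR is the check to run before publishing, since an unsigned or partially signed JAR falls back to the High-security warning on every launch.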

