Java applet - LiveConnect security popup alert

We are seeing the LiveConnect security warning in our application even though the applet is signed and the Caller-Allowable-Codebase attribute is set:


The second problem is that the app and publisher fields are set to UNKNOWN in IE, FF and Chrome. The first security information displayed seems to display information from the certificate.


My manifest file:

Manifest-Version: 1.0
Implementation-Vendor: xxx xxx Buildings AB
Implementation-version: 1.5.0.49829
Application-Library-Allowable-Codebase: *
Application-Name: Building Operation WebStation
Permissions: all-permissions
Created-By: 1.7.0 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Specification-Version: 1.0
Codebase: *

      

I read the Oracle blog post about security changes in LiveConnect.

I have also tried adding the Application-Library-Allowable-Codebase: * attribute with no success. It doesn't even make any difference in the security attributes manual.

Checking the checkbox does nothing; the next time we navigate to the applet, the warning appears again.

jarsigner.exe outputs "jar verified".

Examining the certificate we sign with reveals the entire chain: our company > RapidSSL CA > GeoTrust Global CA. I've imported the certificate into several Windows certificate stores, although it's enough to just sign with a trusted root CA.

We are testing the latest JRE and getting the same result with JRE 8 Java Plug-in 10.67.2.01 Using JRE version 1.7.0_67-b01 Java HotSpot Client VM (TM)

Does anybody know:

  • How do I get rid of the popup while still allowing LiveConnect calls?
  • If not, how do I fill in the two UNKNOWN fields in the dialog?
+3




1 answer


The reason you get the first popup (LiveConnect warning) is because you used a wildcard * for Caller-Allowable-Codebase:

Caller-Allowable-Codebase: *

      

You may need to replace * with the domain name or IP address where the JavaScript files are located.

You probably need to do something like this with the attribute Codebase.

For more information on this attribute, see the Codebase Attribute.


Caller-Allowable-Codebase Attribute



See Codebase Attribute for a description of the valid values. If the value of the Caller-Allowable-Codebase attribute is a stand-alone asterisk (*), then calls from JavaScript code to your RIA show a security warning and users have to allow the call or block the call. An option is also provided to remember the selection, and if selected, the warning disappears when the RIA starts.

Source attribute called-codebase


Java Applet Manifest - Allow all Caller-Allowable-Codebase features

Removing the Trusted-Library attribute appears to be required for Caller-Allowable-Codebase to work, no more warnings. ... However, this breaks Java 7 Update 21-40, which handles JavaScript code that invokes code in a signed applet with all permissions, as mixed code and warning dialogs are raised if signed JARs are not marked with the Trusted-Library = true attribute.

Java applet manifest source - allow all codebase accessible to the caller, answer Nikolas Pooch

+4
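
A manifest check for the point the answer makes, added here as an example (not code from the question, the answer, or Oracle): it reads META-INF/MANIFEST.MF from a JAR, parses the main section including wrapped lines, and reports which of the three codebase attributes are a stand-alone `*`. The host `webstation.example.com`, the function names, and the sample manifests are assumptions constructed for illustration.

```python
import io
import zipfile

# The three attributes the question's manifest sets to a stand-alone '*'.
CODEBASE_ATTRS = ("Caller-Allowable-Codebase",
                  "Application-Library-Allowable-Codebase", "Codebase")

def parse_main_section(text):
    """Main-section attributes of a MANIFEST.MF, keyed by lower-cased name."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                break                      # a blank line ends the main section
            continue
        if line.startswith(" ") and last:  # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.lstrip()
    return attrs

def wildcard_findings(attrs):
    """(attribute, value) pairs whose value is exactly '*'."""
    return [(n, "*") for n in CODEBASE_ATTRS
            if attrs.get(n.lower(), "").strip() == "*"]

def audit_jar(jar_bytes):
    """Audit META-INF/MANIFEST.MF inside a JAR given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return wildcard_findings(parse_main_section(text))

def make_jar(manifest_text):
    """Build an in-memory JAR holding only a manifest (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed samples: the question's codebase attributes, then a restricted
# variant using the placeholder host webstation.example.com (an assumption).
QUESTION = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
            "Application-Library-Allowable-Codebase: *\r\n"
            "Caller-Allowable-Codebase: *\r\nCodebase: *\r\n\r\n")
RESTRICTED = QUESTION.replace(": *", ": webstation.example.com")

if __name__ == "__main__":
    for label, text in (("question", QUESTION), ("restricted", RESTRICTED)):
        print(label, audit_jar(make_jar(text)))
```

Run against a signed JAR's bytes in a build step, a non-empty result means the manifest still carries a wildcard that should be replaced with the hosting domain before release.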

