Java.com

Download Help

Printable Version

Developers - Java Content in the Browser — Security Manifest Changes


This article applies to:
  • Platform(s): All Platforms
  • Java version(s): 7.0

Developers: As of 7u51, (January, 2014), your Rich Internet Applications (RIAs, also known as Applets and Web Start applications) must be updated. The updates required are on the packaging and distribution; no API code changes should be required. The impetus for these changes relates to potential re-purposing of sandboxed applications, whereby placing permissions within a signed JAR prevents modification of your specified permission level.
RIAs must contain two things:

  1. Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed, regardless of its Permissions attributes.
  2. Manifest Attributes
    1. Permissions – Introduced in 7u25, and required as of 7u51. Indicates if the RIA should run within the sandbox or require full-permissions.
    2. Codebase – Introduced in 7u25 and optional/encouraged as of 7u51. Points to the known location of the hosted code.

See the Java Platform Group Product Management blog for more information.

Java 7 Update 45 (7u45), October 2013: LiveConnect calls will ask permission before interacting with Rich Internet Applications
  • Users will be prompted to grant permission for web pages (domains) that interact with Java applications through JavaScript LiveConnect.
  • Developers should add Manifest attribute Caller-Allowable-Codebase to identify the locations from which JavaScript code can call methods in the application
Java 7 Update 40 (7u40), September 2013: System Administrators may whitelist applications within their managed desktops
  • System Administrators may whitelist specific Java applications to run on users’ computers by using Deployment Rule Sets. System administrators may consult the Deployment Rule Set documentation or start with Deployment Rule Set examples.
Java 7 Update 21 (7u21), April 2013: All Java content accessed through the browser (including Applets and Applications) will ask permission before starting to run.
  • The message contained in the prompt will differ depending on the risk factors involved in running an application. See the Security Dialogs FAQ to review the common security messages.
  • Lower risk scenarios present simpler messaging and include a checkbox to suppress showing these messages the next time the application is accessed.
  • Higher risk scenarios, such as running an application without any identifying digital certificate, will require additional interaction.
Developers and system administrators will want to review more technical information about the signed code changes.

What effect do these changes have?

Put together, these changes allow users to verify the software publisher and confirm interaction with the application. The use of code-signing certificates allow Java to present accurate information about the application vendor to help the user decide if they should run the application.

Will these changes break the Java based applications I normally run?

The changes we describe should not break applications you normally run. However, they may prompt you to give explicit permission to allow the application to run by clicking a 'Run' button. This gives you the control to prevent high risk applications from running automatically on your computer.

System Administrators concerned about compatibility may use the Deployment Rule Set feature to whitelist specific Rich Internet Applications across managed desktops.

Why don't I see the option to select Do not show this again for this app in the security dialog for an unsigned application?

Starting with Java 7 Update 40, the option to select Do not show this again for this app is no longer available. Unlike previous versions a user cannot suppress the security dialog for an unsigned application and will have to select the option, I accept the risk and want to run this app, each time to run the unsigned application.

What is a Certificate Authority?

A Certificate Authority is a trusted third party, typically a commercial business, that issues digital certificates. The certificates are issued to organizations or individuals after verifying their identity. The digital certificate is added to computer applications to validate that the application came from the owner of the certificate. For more information, see http://wikipedia.org/wiki/Certificate_authority.

Why are these changes important to me?

Java in the browser is a popular target for attackers. In 2012, Java 7u10 introduced security features that require you to explicitly allow Java applications to run. You can also configure Java to block any application that is not trusted from running. Trusted applications are those that include a valid digital certificate issued by a Certificate Authority and thus provide information about the identity of the application provider. These certificates allow Java to enforce the safety and security of the applications created by these providers.

What additional steps can I take to ensure the security of systems running Java applications in the browser?

Java users, system administrators and developers are strongly encouraged to keep systems up-to-date with the latest versions. The Java auto-update mechanism is designed to keep Java users up-to-date with the latest security fixes.

If you have previously turned auto-update off, re-enable auto-update to ensure that you have the latest and most secure Java installation on your system. See Java 6 Auto-Update to Java 7 FAQ for more information.

End Users Java - Help (Java.com)
Security level settings in the Java Control Panel
Developers Java SE Security Secure Coding Guidelines for the Java Programming Language
JAR File Manifest Attributes for Security
Java SE 7 Security Documentation
technical information about the signed code change
Enterprise Oracle Java SE Support provides 24x7 email and phone support for mission-critical applications
Oracle Java SE Advanced and Oracle Java SE Suite products provide enterprise features that minimize the costs of deployment, monitoring, and maintenance of Java-based IT environments.
System Administrator Deployment Rule Sets for whitelisting applications
Deployment Best Practices
Java Plug-in Guide for System Administrators
Tutorial: Security Features in Java SE


Find expert help on Java installation and setup

Select Language | About Java | Support | Developers
Privacy | Terms of Use | Trademarks | Disclaimer

Oracle