Developers - Java Content in the Browser — Security Manifest Changes
This article applies to:
Developers: As of 7u51, (January, 2014), your Rich Internet Applications (RIAs, also known as Applets and Web Start applications) must be updated. The updates required are on the packaging and distribution; no API code changes should be required. The impetus for these changes relates to potential re-purposing of sandboxed applications, whereby placing permissions within a signed JAR prevents modification of your specified permission level.
See the Java Platform Group Product Management blog for more information.Java 7 Update 45 (7u45), October 2013: LiveConnect calls will ask permission before interacting with Rich Internet Applications
What effect do these changes have?Put together, these changes allow users to verify the software publisher and confirm interaction with the application. The use of code-signing certificates allow Java to present accurate information about the application vendor to help the user decide if they should run the application.
Will these changes break the Java based applications I normally run?The changes we describe should not break applications you normally run. However, they may prompt you to give explicit permission to allow the application to run by clicking a 'Run' button. This gives you the control to prevent high risk applications from running automatically on your computer.
System Administrators concerned about compatibility may use the Deployment Rule Set feature to whitelist specific Rich Internet Applications across managed desktops.
Why don't I see the option to select Do not show this again for this app in the security dialog for an unsigned application?Starting with Java 7 Update 40, the option to select Do not show this again for this app is no longer available. Unlike previous versions a user cannot suppress the security dialog for an unsigned application and will have to select the option, I accept the risk and want to run this app, each time to run the unsigned application.
What is a Certificate Authority?A Certificate Authority is a trusted third party, typically a commercial business, that issues digital certificates. The certificates are issued to organizations or individuals after verifying their identity. The digital certificate is added to computer applications to validate that the application came from the owner of the certificate. For more information, see http://wikipedia.org/wiki/Certificate_authority.
Why are these changes important to me?Java in the browser is a popular target for attackers. In 2012, Java 7u10 introduced security features that require you to explicitly allow Java applications to run. You can also configure Java to block any application that is not trusted from running. Trusted applications are those that include a valid digital certificate issued by a Certificate Authority and thus provide information about the identity of the application provider. These certificates allow Java to enforce the safety and security of the applications created by these providers.
What additional steps can I take to ensure the security of systems running Java applications in the browser?Java users, system administrators and developers are strongly encouraged to keep systems up-to-date with the latest versions. The Java auto-update mechanism is designed to keep Java users up-to-date with the latest security fixes.
If you have previously turned auto-update off, re-enable auto-update to ensure that you have the latest and most secure Java installation on your system. See Java 6 Auto-Update to Java 7 FAQ for more information.