Developers - Java Content in the Browser — Security Manifest Changes
This article applies to:
- Platform(s): All Platforms
- Java version(s): 7.0, 8.0
Developers: As of 7u51, (January, 2014), your Rich Internet Applications (RIAs, also known as Applets and Web Start applications) must be updated. The updates required are on the packaging and distribution; no API code changes should be required. The impetus for these changes relates to potential re-purposing of sandboxed applications whereby placing permissions within a signed JAR prevents modification of your specified permission level.
RIAs must contain two things:
- Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed, regardless of its Permissions attributes.
- Manifest Attributes
- Permissions – Introduced in 7u25, and required as of 7u51. Indicates if the RIA should run within the sandbox or require full-permissions.
- Codebase – Introduced in 7u25 and optional/encouraged as of 7u51. Points to the known location of the hosted code.
See the Java Platform Group Product Management blog for more information.
Java 7 Update 45 (7u45), October 2013: LiveConnect calls will ask permission before interacting with Rich Internet Applications- Users will be prompted to grant permission for web pages (domains) that interact with Java applications through JavaScript LiveConnect.
- Developers should add Manifest attribute
Caller-Allowable-Codebaseto identify the locations from which JavaScript code can call methods in the application
- System Administrators may whitelist specific Java applications to run on users’ computers by using Deployment Rule Sets. System administrators may consult the Deployment Rule Set documentation or start with Deployment Rule Set examples.
- The message contained in the prompt will differ depending on the risk factors involved in running an application. See the Security Dialogs FAQ to review the common security messages.
- Lower risk scenarios present simpler messaging and include a checkbox to suppress showing these messages the next time the application is accessed.
- Higher risk scenarios, such as running an application without any identifying digital certificate, will require additional interaction.
What effect do these changes have?
Put together, these changes allow users to verify the software publisher and confirm interaction with the application. The use of code-signing certificates allow Java to present accurate information about the application vendor to help the user decide if they should run the application.Will these changes break the Java based applications I normally run?
The changes we describe should not break applications you normally run. However, they may prompt you to give explicit permission to allow the application to run by clicking a 'Run' button. This gives you the control to prevent high risk applications from running automatically on your computer.System Administrators concerned about compatibility may use the Deployment Rule Set feature to whitelist specific Rich Internet Applications across managed desktops.
Why don't I see the option to select Do not show this again for this app in the security dialog for an unsigned application?
Starting with Java 7 Update 40, the option to select Do not show this again for this app is no longer available. Unlike previous versions a user cannot suppress the security dialog for an unsigned application and will have to select the option, I accept the risk and want to run this app each time to run the unsigned application.What is a Certificate Authority?
A Certificate Authority is a trusted third party, typically a commercial business, that issues digital certificates. The certificates are issued to organizations or individuals after verifying their identity. The digital certificate is added to computer applications to validate that the application came from the owner of the certificate. For more information, see http://wikipedia.org/wiki/Certificate_authority.Why are these changes important to me?
Java in the browser is a popular target for attackers. In 2012, Java 7u10 introduced security features that require you to explicitly allow Java applications to run. You can also configure Java to block any application that is not trusted from running. Trusted applications are those that include a valid digital certificate issued by a Certificate Authority and thus provide information about the identity of the application provider. These certificates allow Java to enforce the safety and security of the applications created by these providers.What additional steps can I take to ensure the security of systems running Java applications in the browser?
Java users, system administrators and developers are strongly encouraged to keep systems up-to-date with the latest versions. The Java auto-update mechanism is designed to keep Java users up-to-date with the latest security fixes.If you have previously turned auto-update off, re-enable auto-update to ensure that you have the latest and most secure Java installation on your system. See Java 6 Auto-Update to Java 7 FAQ for more information.
| End Users |
Java - Help (Java.com) Security level settings in the Java Control Panel |
| Developers |
Java SE Security Secure Coding Guidelines for the Java Programming Language JAR File Manifest Attributes for Security Java SE Security Documentation Technical information about the signed code change |
| Enterprise |
Oracle Java SE Support provides 24x7 email and phone support for mission-critical applications Oracle Java SE Advanced and Oracle Java SE Suite products provide enterprise features that minimize the costs of deployment, monitoring, and maintenance of Java-based IT environments. |
| System Administrator |
Deployment Rule Sets for whitelisting applications Deployment Best Practices Java Rich Internet Applications Guide Tutorial: Security Features in Java SE |