1

I recently updated to Java 7 (Update 45) and now my website applet deployment is triggering two security dialogs. The first one is the "normal" one, that shows the information of the certificate that signed the applet. Everything fine with that. However a second popup occurs now right after that, asking again to allow the Java application (must be the applet).

Why is that second dialog appearing and how does one control what values are used there for application name and publisher?

Allow access to the following application from this website?

enter image description here

jan
  • 2,741
  • 4
  • 35
  • 56
  • Any chance you could copy paste that information as text and translate it into English, or at least give us a quick summary in English? – Andrew Thompson Oct 21 '13 at 08:58

2 Answers2

2

You need to include Caller-Allowable-Codebase: in your manifest file. If you need to be able to use it from different domains and you know them all in advance then you can just include them in a space separated list. If you don't know all domains you'll be deploying to then use * as the value instead.

See this page for details on this attribute: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#caller_allowable

Chris R
  • 2,464
  • 3
  • 25
  • 31
  • 1
    Also see this question for more on this topic: http://stackoverflow.com/questions/19393826/java-applet-manifest-allow-all-caller-allowable-codebase – Chris R Oct 21 '13 at 15:57
  • This soulution works for Java 7 Update 45 but breaks Java 7 Update 21-40! – jan Oct 22 '13 at 11:59
  • Yep it's a pain isn't it! I've got the same issue. Oracle have this as a known issue with 7u45 (see https://blogs.oracle.com/java-platform-group/entry/7u45_caller_allowable_codebase_and). See the question I linked to in my post above for more information on this and possible workarounds. – Chris R Oct 22 '13 at 15:42
0

http://java.com/en/download/help/javascript_applet.xml

The website uses JavaScript code in conjunction with the Java application. This message is shown to alert you of a possible security concern because the website was not explicitly granted access permission by the application.

This is part of the new security feature introduced in Java 7 update 45:

http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html#newft

The JavaScript to Java (LiveConnect) security dialog prompt is shown once per Applet classLoader instance

I don't checked it yet, but it looks like one needs to assamble different builds for each domain where the applet shall run, now.

jan
  • 2,741
  • 4
  • 35
  • 56