6

I have a linux box which is not connected to Internet. I have installed on it Firefox 24.0 and jre1.7.0_40 (and also 1.7.0_17) When I start FF with a web application locally installed on the box I'm getting a warning popup that

Java Update Needed; YourJava version is out of date

I don't undesrtand how Java knows that is 'out of date' ??? What compares to what ? I would assume that checks the available versions at oracle.com and if the current one installed on the system is too old then drops this warning.

Or the application itself which is started carries some information about Java version what was available or what was used at its compile time ??

Satheesh Cheveri
  • 3,621
  • 3
  • 27
  • 46
wildfrontier
  • 101
  • 1
  • 5
  • 1
    I believe it checks the CLIENT Java version and compares to the version RECOMMENDED for your application. – iWumbo Dec 11 '13 at 16:40
  • In this case we cannot talk about a client-server architecture, I mean the client is itself the host. – wildfrontier Dec 11 '13 at 17:17
  • the application itself is not developed by me and the Firefox together with jre and the application is also provided by a 3thd party company – wildfrontier Dec 11 '13 at 17:19

1 Answers1

4

There is an explanation in the 1.7.0u10 release notes.

The JRE relies on periodic checks with an Oracle Server to determine if it (the JRE)is still considered up-to-date with all the available security fixes (above the security baseline). In the past, if the JRE was unable to contact the Oracle Server, it continued to behave as though it is still the most recent version with regard to security, for an indefinite period.

To avoid this problem, a secondary mechanism, that does not rely on external communication, has been added to the JDK 7u10. From this release onwards, all JREs will contain a hard-coded expiration date. The expiration date is calculated to end after the scheduled release of the next Critical Patch Update.

The online check gets its data from https://javadl-esd-secure.oracle.com/update/baseline.version , I believe.

The expiration date and versions hardcoded in the JRE are stored in the BuiltInProperties.class located in the deploy.jar

For 1.7.0u45, we have

public static final boolean JRE_BASELINE_CHECKS_ENABLED = true;
public static final String JRE_EXPIRATION_DATE = "02/14/2014";
public static final String BASELINE_VERSION_131 = "1.3.1_21";
public static final String BASELINE_VERSION_142 = "1.4.2_43";
public static final String BASELINE_VERSION_150 = "1.5.0_55";
public static final String BASELINE_VERSION_160 = "1.6.0_65";
public static final String BASELINE_VERSION_170 = "1.7.0_45";
public static final String BASELINE_VERSION_180 = "1.8.0";
public static final String CURRENT_VERSION = "1.7.0_45";
public static final String CURRENT_NODOT_VERSION = "170";
public static final String DEPLOY_VERSION = "10.45.2.18";
public static final String DEPLOY_NOBUILD_VERSION = "10.45.2";
public static final String DEPLOY_NODOT_VERSION = "10452";
public static final String JAVAWS_NAME = "javaws-10.45.2.18";
public static final String JAVAWS_VERSION = "10.45.2.18";
RealHowTo
  • 34,977
  • 11
  • 70
  • 85
  • Thank you ! I was able to prove this for myself: looked in BuiltInProperties.class and saw: 12/10/2013. If I set my date to Dec 09 2013 and started browser with that web app the security warning popup no more comes. But when I set back the date to current (today) I would expected that security warning should be dropped again, but didn't – wildfrontier Dec 12 '13 at 14:16
  • My questions: 1. why I couldn't reproduce this in reverse order ? Setting in advance the date to override the hardcoded date in BuiltInProperties.class. I tried to clear browser's cahe also but didn't receive the security warning 2. is there any way to avoid poping up security warning whithout this hack to set system date back ? I mean here to set some config file manually which I can do with a script for example ? – wildfrontier Dec 12 '13 at 14:16
  • There is a file called deployment.properties (at least on Windows). This file contains properties (deployment.expiration.decision.*) related to the expiration check. Maybe deleting this file between your test may help. – RealHowTo Dec 12 '13 at 15:02
  • Thank you ! Yes, that helped, now I'm getting again the popup with setting current date/time. And don't you have any idea how could I get rid off the pop dropping with staying at the current date ? – wildfrontier Dec 12 '13 at 17:31
  • Accept the current answer since this is another question ;-) – RealHowTo Dec 12 '13 at 19:21
  • Thanks. I managed to patch the JRE and blackhole the esd server and now the nagging prompt is gone... – Alain Pannetier Mar 05 '15 at 12:40