2

We're experiencing the LiveConnect security warning in our application even though the applet is signed, and the Caller-Allowable-Codebase attribute is set:

pop-up

The second problem is that the Application and Publisher fields are set to UNKNOWN in IE, FF and Chrome. The first security information displayed seems to pick up the information from the certificate.

enter image description here

My manifest file:

Manifest-Version: 1.0
Implementation-Vendor: xxx xxx Buildings AB
Implementation-version: 1.5.0.49829
Application-Library-Allowable-Codebase: *
Application-Name: Building Operation WebStation
Permissions: all-permissions
Created-By: 1.7.0 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Specification-Version: 1.0
Codebase: *

I read the Oracle blog post about security changes with LiveConnect.

I have also tried adding the Application-Library-Allowable-Codebase: * attribute without success. It doesn't even seem to make any difference in the security attributes guide .

Checking that checkbox doesn't do anything, the next time we navigate to the applet, the warning will pop up again.

jarsigner.exe outputs "jar verified".

Examining the certificate we sign with shows the whole chain - our company > RapidSSL CA > GeoTrust Global CA. I've imported the certificate to several Windows certificate stores, even though just being signed by a trusted root CA should be enough.

We're testing on the latest JRE and we get the same result with JRE 8 Java Plug-in 10.67.2.01 Using JRE version 1.7.0_67-b01 Java HotSpot(TM) Client VM

Does anyone know

  1. how to get rid of the pop-up while still allowing LiveConnect calls?
  2. if not, how to populate the two UNKNOWN fields in the dialog ?
DavidPostill
  • 7,734
  • 9
  • 41
  • 60
jsaddwater
  • 1,781
  • 2
  • 18
  • 28

1 Answers1

3

The reason you are getting the first popup (the LiveConnect warning) is because you have used a wildcard * for the Caller-Allowable-Codebase:

Caller-Allowable-Codebase: *

You may need to replace the * with the domain name or IP address where the javascript files are located.

You probably need to do something similar with the codebase attribute as well.

See Codebase Attribute for more information on this attribute.

Caller-Allowable-Codebase Attribute

See Codebase Attribute for a description of the values that are allowed. If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to your RIA show a security warning, and users have the choice to allow the call or block the call. An option to remember the choice is also provided, and if selected, the warning is no longer shown when the RIA is launched.

Source Caller-Allowable-Codebase Attribute

Java applet manifest - Allow all Caller-Allowable-Codebase

Removing the Trusted-Library attribute seems to be mandatory to get Caller-Allowable-Codebase working, no more warnings. However, this breaks Java 7 Update 21 - 40 which treated JavaScript code that calls code within a signed applet running with all permissions as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute.

Source Java applet manifest - Allow all Caller-Allowable-Codebase, answer by Nikolas Pooch

Community
  • 1
  • 1
DavidPostill
  • 7,734
  • 9
  • 41
  • 60
  • Thanks David. I totally didn't see the part about the usage of the asterisk. Anyway, the dialog won't remember that you checked "Do not show this again" – jsaddwater Aug 18 '14 at 08:04