5

I have created a Java signed applet; it runs perfectly if I set my Java (JRE 8) security level to High and add my site URL to the exception site list.

But if we do not add the site URL to the exception site list, a Java security exception comes, as explained here: add url in exception site list

I have created a signed applet using a third-party certificate.

Here is my manifest file after creating the signed applet:

Is there any option available to avoid these security blocking popups by making some changes in the manifest file while creating the signed applet, or any script or Java code to avoid these popups without adding the site URL to the exception site list?

Or is it really mandatory from Java that we must add the site URL to the exception site list to avoid such a blocking error?

Basically, is there any option available to add our URL to the exception site list through the manifest file or any Java code? The blocking popup comes if we don't set the URL in the exception list.

Is it mandatory, if I want to sign my applet using a signed certificate, that it must be a code signing certificate? Will a wildcard or SSL certificate not work?

As I am getting the self-signed applet block issue even though I have signed my applet with a wildcard certificate.

Draken
Java
  • *"I have created java signed applet,.."* Self signed or signed with a valid code signing certificate? BTW - Why code an applet? If it is due to the teacher specifying it, please refer them to [Why CS teachers should **stop** teaching Java applets](http://programmers.blogoverflow.com/2013/05/why-cs-teachers-should-stop-teaching-java-applets/). – Andrew Thompson Dec 21 '14 at 01:00
  • Andrew asked the right question: What certificate did you use to sign your applet? Is the root CA of that issuer part of the JDK certificates? – Lonzak Dec 22 '14 at 07:14
  • You say you're adding the manifest, but I don't see it. And which exact popup would you like to block? Can we have a screenshot so it's clearer what we're talking about? – flup Dec 23 '14 at 13:33
  • @flup I have added the blocking popup to the question. – Java Dec 23 '14 at 14:52
  • Your application is self-signed, the popup says. You say that you've signed using a third party certificate. Could it be that something went wrong with the signing? – flup Dec 23 '14 at 15:55
  • Which CA do you use, and what type of certificate? – Kostas Kryptos Dec 28 '14 at 13:17
  • A pity the bounty points did not get awarded. – flup Dec 30 '14 at 15:06

4 Answers

3

Your application is considered to be self-signed because you've signed it with a certificate that's not intended for code signing. Self-signed applications are blocked with this nasty-looking popup:

You can prevent this popup if you sign using a code signing certificate that's signed by a trusted certificate authority. Then the user will get a much nicer-looking confirmation dialog that lists your name as the publisher of the application:

See also Oracle's documentation on security dialogs for a description of the dialogs and why and when they appear.

Take a look at the documentation on working with Signed RIAs, in particular 23.2 "Signing RIAs", for information on how to create a code signing certificate to sign your applet.

A second nice link is http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html#5

--UPDATE--

What exactly makes a certificate a Code Signing Certificate?

X.509 certificates may include key usage fields (KUs) and extended key usage fields (EKUs). These fields, when present, restrict the valid usage of the certificate. The Java plugin checks for the presence of these fields.

I've found the source code for the EndEntityChecker that performs this check.

/**
 * Check whether this certificate can be used for code signing.
 * @throws CertificateException if not.
 */
private void checkCodeSigning(X509Certificate cert)
        throws CertificateException {
    Set<String> exts = getCriticalExtensions(cert);

    if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
        throw new ValidatorException
           ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    if (checkEKU(cert, exts, OID_EKU_CODE_SIGNING) == false) {
        throw new ValidatorException
            ("Extended key usage does not permit use for code signing",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    [...]

    checkRemainingExtensions(exts);
}

The check methods look as follows:

/**
 * Utility method checking if the extended key usage extension in
 * certificate cert allows use for expectedEKU.
 */
private boolean checkEKU(X509Certificate cert, Set<String> exts,
        String expectedEKU) throws CertificateException {
    List<String> eku = cert.getExtendedKeyUsage();
    if (eku == null) {
        return true;
    }
    return eku.contains(expectedEKU) || eku.contains(OID_EKU_ANY_USAGE);
}

Note that if no KU or EKU is specified, the KU or EKU checker returns true. But if KUs are specified, the digital signature KU should be one of them. Similarly, if any EKUs are specified, either the EKU code signing (identified by OID 1.3.6.1.5.5.7.3.3) or the EKU any usage (identified by OID 2.5.29.37.0) should be specified as well.

Finally, the checkRemainingExtensions method balks when it encounters other relevant critical EKUs.

So I expect that your wildcard SSL certificate specifies at least one EKU that is not code signing and therefore is not recognized as a valid code signing certificate by the Java plugin.

flup
  • I agree with your point: if we sign our applet using a certificate that's signed by a trusted certificate authority, then we can avoid the popup which you have shown in your answer. But my concern is about the exception site list. – Java Dec 24 '14 at 10:51
  • Is your signed applet (signed by a trusted certificate authority) still running successfully without adding the URL to the exception site list, at Java's default security level (High)? – Java Dec 24 '14 at 10:52
  • "Application blocked" is the bad popup the user gets for a self-signed applet. "Do you want to run this application?" is the normal informative dialog the user gets for a properly signed applet. This popup is a feature and cannot be prevented by code. But the *user* can choose to turn it off by checking the checkbox. – flup Dec 24 '14 at 11:04
  • Actually I am OK with normal informative dialogs like `Do you want to run this application?` or that popup you have shown above. The only thing is that I want to execute my applet without adding my application URL to the exception site list. Is there any way to do that? – Java Dec 24 '14 at 11:23
  • Yes, this is what happens for properly signed applets that are *not* in the exception site list, for Java on High security. See for yourself; my screenshot was taken on http://docs.oracle.com/javase/tutorial/deployment/applet/lifeCycle.html – flup Dec 24 '14 at 11:54
  • Can you tell me how to create a third-party certificate, to cross-check whether my certificate has everything needed to create a signed applet? – Java Dec 24 '14 at 15:05
  • Actually I am using a wildcard certificate. – Java Dec 24 '14 at 15:24
  • You need a code signing certificate. There's plenty certificate authorities eager to sell you one. Take a look at [Oracle's instructions](https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/certificates.html), in particular 23.2 "Signing RIAs", for more information. – flup Dec 24 '14 at 17:01
  • Also of interest perhaps: http://stackoverflow.com/questions/1077800/which-code-signing-authority-should-i-go-with – flup Dec 24 '14 at 17:50
  • So is it mandatory, if I want to sign my applet using a signed certificate, that it must be `a code signing certificate`? Will a wildcard or SSL certificate not work? As I am getting the self-signed applet block issue even though I have signed my applet with a wildcard certificate. – Java Dec 26 '14 at 10:05
  • Similar issue here: http://security.stackexchange.com/questions/49543/java-applet-need-code-signing-certificate-vs-ssl-certificate – flup Dec 28 '14 at 12:01
  • It need not be explicitly marked as a code signing certificate. But it must **not** be marked explicitly for a different usage. I strongly suspect your SSL certificate is marked as a server certificate and therefore its code signatures are not considered valid. – flup Dec 28 '14 at 13:51
  • One more concern @flup: what if my application is an intranet application running on an intranet server, and my server will not have any such certificate? Is it then still possible to achieve our main condition, i.e. avoid the security-level block without adding the URL to the exception site list? Will a Windows certificate work for our applets? – Java Dec 30 '14 at 10:13
  • In an intranet situation, your company's IT department controls the workstations. Your company can therefore function as its own CA. Create a self-signed corporate CA certificate, add it to all workstations as a trusted CA. Create a code signing certificate, sign it with the CA certificate, and use it to sign your jars. In a microsoft environment, ADFS v2.0 can help with the administration and creation of the certificates. – flup Dec 30 '14 at 14:40
  • Are a self-signed corporate certificate and a plain self-signed certificate different? – Java Dec 30 '14 at 14:56
  • And for the intranet case there will be 3 steps: 1. create a self-signed certificate; 2. add it to all workstations (they need to import this certificate into their keystore); 3. then purchase a code signing certificate and use it to sign the jar file. Please correct me if I am wrong. – Java Dec 30 '14 at 15:01
  • That said, the IT department can also add the applet's server to the exception site list. – flup Dec 30 '14 at 15:10
  • No, you need not purchase the code signing certificate in a corporate situation. You can create it yourself. The whole point is that you *are* the Certificate Authority. So you can sign your own code signing certificate. – flup Dec 30 '14 at 15:11
  • The only reason you need a third party certificate authority is that of trust. The third party CA certificates are listed as trusted in the middleware of anybody's computer. In the intranet, you can add your own CA certificate to all intranet computers. And you do not need a third party. – flup Dec 30 '14 at 15:15
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/67928/discussion-between-java-and-flup). – Java Dec 30 '14 at 15:17
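The KU/EKU rule from this answer, carried through over raw DER in Python, as an added example for this thread (not JDK code, and not something the poster ran). The DER helpers and the three sample Extensions blobs, standing in for a wildcard SSL certificate, a code signing certificate and a certificate with neither KU nor EKU, are constructed here; no real certificate is parsed, and the set of "handled" critical extensions is reduced to KU and EKU, where the JDK's checker tolerates a few more.

```python
"""Over raw DER, the same KeyUsage / ExtendedKeyUsage decision the Java plugin's
EndEntityChecker.checkCodeSigning makes.  Added example for this thread, not JDK
code: the DER helpers and the three sample Extensions blobs are constructed here."""
OID_KEY_USAGE, OID_EKU, OID_EKU_ANY = "2.5.29.15", "2.5.29.37", "2.5.29.37.0"
OID_EKU_CODE_SIGNING, OID_EKU_SERVER_AUTH, OID_EKU_CLIENT_AUTH = (
    "1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0, 2   # RFC 5280 KeyUsage bit numbers

def tlv(tag, body):
    assert len(body) < 0x80, "the samples only need short-form DER lengths"
    return bytes([tag, len(body)]) + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                     # base-128 arcs, high bit = more bytes follow
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def enc_key_usage(bits):
    # BIT STRING: first content byte = number of unused trailing bits (DER minimal form)
    return tlv(0x03, bytes([7 - max(bits), sum(0x80 >> b for b in bits)]))

def enc_eku(oids):
    return tlv(0x30, b"".join(enc_oid(o) for o in oids))

def enc_extension(oid, value_der, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""       # BOOLEAN critical DEFAULT FALSE
    return tlv(0x30, enc_oid(oid) + crit + tlv(0x04, value_der))

def enc_extensions(ext_list):
    return tlv(0x30, b"".join(ext_list))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def read_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Extensions SEQUENCE -> {oid: (critical, extnValue DER)}."""
    _, body, _ = read_tlv(der)
    result = {}
    for _, ext in read_sequence(body):
        fields = read_sequence(ext)        # OID, [BOOLEAN critical], OCTET STRING
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        result[dec_oid(fields[0][1])] = (critical, fields[-1][1])
    return result

def key_usage_has(ku_der, bit):
    _, body, _ = read_tlv(ku_der)
    unused, data = body[0], body[1:]
    in_range = bit < len(data) * 8 - unused   # a bit past the encoded length is clear
    return in_range and bool(data[bit // 8] & (0x80 >> (bit % 8)))

def check_code_signing(extensions_der):
    """Mirror of checkCodeSigning, returning (ok, reason) instead of throwing."""
    exts = parse_extensions(extensions_der)
    # KU absent -> fine; KU present -> digitalSignature must be set.
    if OID_KEY_USAGE in exts and not key_usage_has(exts[OID_KEY_USAGE][1], KU_DIGITAL_SIGNATURE):
        return False, "KeyUsage does not allow digital signatures"
    # EKU absent -> fine; EKU present -> must list codeSigning or anyExtendedKeyUsage.
    if OID_EKU in exts:
        _, body, _ = read_tlv(exts[OID_EKU][1])
        eku = {dec_oid(v) for _, v in read_sequence(body)}
        if not eku & {OID_EKU_CODE_SIGNING, OID_EKU_ANY}:
            return False, "Extended key usage does not permit use for code signing"
    # checkRemainingExtensions: a critical extension not handled above (KU, EKU) is fatal.
    unknown = [o for o, (crit, _) in exts.items() if crit and o not in (OID_KEY_USAGE, OID_EKU)]
    if unknown:
        return False, "Certificate contains unsupported critical extensions: " + ", ".join(unknown)
    return True, "usable for code signing"

# Constructed Extensions blobs standing in for the certificates discussed in the thread.
WILDCARD_SSL_EXTS = enc_extensions([      # typical TLS server-cert profile
    enc_extension(OID_KEY_USAGE, enc_key_usage([KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT]), True),
    enc_extension(OID_EKU, enc_eku([OID_EKU_SERVER_AUTH, OID_EKU_CLIENT_AUTH]))])
CODE_SIGNING_EXTS = enc_extensions([
    enc_extension(OID_KEY_USAGE, enc_key_usage([KU_DIGITAL_SIGNATURE]), True),
    enc_extension(OID_EKU, enc_eku([OID_EKU_CODE_SIGNING]))])
UNRESTRICTED_EXTS = enc_extensions([])    # no KU and no EKU at all: also accepted
```

`check_code_signing(WILDCARD_SSL_EXTS)` returns the same "Extended key usage does not permit use for code signing" verdict the plugin hides behind its self-signed popup: the KU test passes, since server certificates do carry digitalSignature, so it is the serverAuth/clientAuth EKU list that disqualifies the wildcard certificate, exactly as the answer predicts. `check_code_signing(UNRESTRICTED_EXTS)` passing is the "need not be explicitly marked" case from the comments.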
1

Or is it really mandatory from JAVA that we must need to add site url in exception site list to avoid such blocking error.

Basically yes. End users can disable the security popup, but you can't do it through your application. If you look at the Oracle documentation "Avoiding security dialogs", it is clearly stated that the security popup is expected behaviour:

The Java Runtime will automatically warn the user about possible security sensitive issues. If you are confident that applications you use are safe, then it is possible to bypass security dialogs to simplify user experience. If a Java applet/webstart application is signed, a certificate security warning dialog box will pop up and the user must click the Run button to give all permissions to the code of application.

And if you read the options to avoid the popup, you will see that they all imply modifying something on the end user's computer.

Here are the options (quoted from "Avoiding security dialogs"):

  • User accepts the certificate used to sign the application and selects the check box Always trust content from this publisher. Then next time permissions will be granted to this application automatically (until the certificate expires or is removed from the trusted key store).

  • The certificate can be manually imported into the JRE trusted certificate store. To import the certificate using the Java Control Panel, choose the Security tab and select Certificates > Trusted Certificates. To import a certificate into the certificate store from the command line, use the keytool utility (in the JRE's bin folder).

  • Grant AllPermissions in the Java policy file located at ${user.home}/.java.policy, or point to any Java policy file which has AllPermissions in the $(JRE_HOME)/lib/security/java.security file. Permissions can be granted to all applications or restricted to a particular URL. See Default Policy Implementation and Policy File Syntax for more details on .java.policy.

alain.janinm
  • Thanks for the prompt reply. Yes, I agree with your above point. But still, can I add that exception site list entry from the developer end, in terms of any program or script, so that all end users will not need to add the exception site URL? – Java Dec 23 '14 at 07:42
  • @Java It won't be possible, or it would be a highly insecure feature. Basically, if an app can bypass security itself there is no more security! – alain.janinm Dec 23 '14 at 07:45
  • Yes, that's right; it's not even a formal way to bypass Java security. Actually, as per @Andrea, I have also tried to add the given properties in the manifest file, but it still blocks the application. – Java Dec 23 '14 at 07:50
  • @Java All three options are listed in the link in my answer. None of them proposes to do it through any code, script or manifest. – alain.janinm Dec 23 '14 at 08:08
0

Try modifying the manifest, adding your server name to Caller-Allowable-Codebase. Probably you then don't need to add your site URL to the exception list anymore.

UPDATE:

This is an example of my manifest file:

Manifest-Version: 1.0
Application-Library-Allowable-Codebase: *
Application-Name: myApp
Name: MyName
Permissions: all-permissions
Created-By: 1.7.0_51 (Oracle Corporation)
Caller-Allowable-Codebase: MyServerName
Codebase: *
Andrea Baglioni
  • I have also tried to add all the required manifest entries given in http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html. But it still shows the block. – Java Dec 22 '14 at 05:10
  • I have tried to add Caller-Allowable-Codebase: myservername, which I had not added to my manifest; the rest of the entries I had already added, but it still shows me the error 'Your security settings have blocked a self-signed application from running'. – Java Dec 22 '14 at 07:52
  • I am testing this application on Java 1.7.0_71. And if you see that error, it says a self-signed application has been blocked. But I have created the signed applet with a third-party certificate. Then why is it showing me this error? – Java Dec 22 '14 at 07:55
-1

After getting a code signer, these tweaks in my manifest made it work:

Manifest-Version: 1.4
Application-Library-Allowable-Codebase: *
Permissions: all-permissions
Caller-Allowable-Codebase: http://yourIp:yourPort/-
Codebase: *

One detail: at the end of http://yourIp:yourPort/-, put the "/-" to cover your whole site.

main--
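A small Python helper for the manifest attributes in the last two answers (Andrea's and main--'s), added here as an example and not the posters' or Oracle's code. It parses a MANIFEST.MF main section, re-joining the continuation lines the JAR spec requires for values longer than 72 bytes, writes one back with the same wrapping, and audits the deployment attributes. The embedded POSTED_MANIFEST is the manifest from Andrea's answer; the audit rules paraphrase Oracle's manifest-attribute documentation linked in the comments, and the `appNN.intranet.example` hostnames used to exercise the wrapping are made up.

```python
"""Parse, write and audit the JAR manifest attributes shown above.  Added example
for this thread, not the posters' or Oracle's code.  POSTED_MANIFEST reproduces the
manifest from the answer; the audit rules follow Oracle's manifest-attribute page."""

LINE_BYTES = 70   # java.util.jar.Manifest writes 70 content bytes + CRLF = 72-byte lines

def parse_manifest(text):
    """Main section of a MANIFEST.MF -> dict.  Wrapped values (continuation lines
    begin with one space) are re-joined; the first blank line ends the section,
    so per-entry sections that follow are not mixed into the main attributes."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]                    # continuation of the previous value
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % raw)
        last = name
        attrs[name] = value.lstrip(" ")
    return attrs

def format_manifest(attrs):
    """dict -> main section text, wrapping long values the way the JAR spec
    requires.  Values are assumed ASCII, so byte and character counts agree."""
    lines = []
    for name, value in attrs.items():
        data = ("%s: %s" % (name, value)).encode("utf-8")
        lines.append(data[:LINE_BYTES].decode("utf-8"))
        data = data[LINE_BYTES:]
        while data:                                   # continuation: one leading space
            lines.append(" " + data[:LINE_BYTES - 1].decode("utf-8"))
            data = data[LINE_BYTES - 1:]
    return "\r\n".join(lines) + "\r\n\r\n"

def audit_manifest(attrs):
    """Findings a reviewer would raise about the deployment attributes.  Note what
    these attributes do NOT do: none of them adds the site to the user's Exception
    Site List; they only restrict where the signed JAR may be loaded from and by whom."""
    findings = []
    if attrs.get("Permissions") not in ("sandbox", "all-permissions"):
        findings.append("Permissions missing or invalid (required on the High setting since 7u51)")
    if "Codebase" not in attrs:
        findings.append("Codebase absent: the signed JAR is not bound to any host")
    for attr in ("Codebase", "Caller-Allowable-Codebase", "Application-Library-Allowable-Codebase"):
        if "*" in attrs.get(attr, "").split():
            findings.append("%s is '*': no restriction on which hosts may serve or call the JAR" % attr)
    return findings

# The manifest posted in the answer above, reproduced with the CRLF line ends jar writes.
POSTED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Application-Library-Allowable-Codebase: *\r\n"
    "Application-Name: myApp\r\n"
    "Name: MyName\r\n"
    "Permissions: all-permissions\r\n"
    "Created-By: 1.7.0_51 (Oracle Corporation)\r\n"
    "Caller-Allowable-Codebase: MyServerName\r\n"
    "Codebase: *\r\n\r\n")

if __name__ == "__main__":
    for finding in audit_manifest(parse_manifest(POSTED_MANIFEST)):
        print("-", finding)
```

Run against the posted manifest, the audit flags `Codebase: *` and `Application-Library-Allowable-Codebase: *`: both wildcards let anyone re-host the signed JAR, which is the repurposing risk those attributes exist to prevent, while the Permissions attribute is fine. Nothing in the audit, or in any of these attributes, touches the Exception Site List, which is the point both accepted answers make.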