
Java applet: Caller-Allowable-Codebase does not work


I'm getting the dreaded LiveConnect warnings on an in-house self-signed applet. I'm using Java 1.7.0_45. According to what I've read, I should be able to get rid of these by adding Caller-Allowable-Codebase * to my manifest, and removing the Trusted-Library attribute. My ant target for building the applet looks like this:

<jar destfile="MyApplet.jar">
  <manifest>
    <attribute name="Main-Class" value="com.mycompany.MyApplet"/>
    <attribute name="Permissions" value="all-permissions"/>
    <attribute name="Codebase" value="*"/>
    <attribute name="Caller-Allowable-Codebase" value="*"/>
  </manifest>
  [...]
</jar>
<signjar jar="MyApplet.jar" [...] />

Unfortunately, this has no effect; I still get the warning. I have verified that I am running 1.7.0_45, and that the browser isn't using an old cached copy of the applet. The client is Firefox 25.0 running on OS X 10.7.5, for what it's worth... Any ideas would be greatly appreciated!


Solution

  • Found it -- the trick is to import the certificate into the right keystore. I exported the certificate from the keychain I use to build the applet:

    keytool -exportcert -file appletkey.cer -alias appletkey -keystore mykeystore

    ...and then import it into the global cacerts keystore:

    keytool -importcert -file appletkey.cer -alias appletkey -keystore "$JRE_HOME/lib/security/cacerts" -storepass changeit

    The tricky part is to figure out which instance of cacerts to import it to; depending on configuration, you may have a whole bunch of JVMs installed, and each one has their own cacerts. On the Mac, the right one turned out to be

    /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts

    and in Windows it is

    C:\Program Files (x86)\Java\jre7\lib\security\cacerts

    (substitute "Program Files" for "Program Files (x86)" in case you're using a 64-bit JVM.)

    I'm assuming in Linux it's $JRE_HOME/lib/security/cacerts as well, where your value of $JRE_HOME will depend on how you installed it.

    N.B. I did try importing the cert into a user-specific keystore as well, but I couldn't get that to work. Importing it into the global keystore is a bit brute force but for my use case it is good enough. The initial Java applet warning and the LiveConnect warning are both gone. Also note that this is using the applet manifest exactly as shown above; as other respondents suggested, there was nothing wrong with the manifest, I just had to get the JVM to trust the certificate.
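
Because each installed JVM carries its own cacerts, and a certificate imported there becomes a trust anchor for that JVM, it helps to be able to list which trust stores actually contain the alias. The script below is an added example, not part of the original question or answer; the `KEYTOOL` and `STOREPASS` variables, the function names, and the default search roots other than the plug-in directory named above are assumptions.

```shell
#!/bin/sh
# Added example: report which JRE trust stores contain a given certificate alias.
# KEYTOOL/STOREPASS overrides and the default roots are assumptions for this sketch.
KEYTOOL="${KEYTOOL:-keytool}"
STOREPASS="${STOREPASS:-changeit}"   # default cacerts password, as used on this page

# Print every lib/security/cacerts file found under the given root directories.
find_cacerts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -path '*/lib/security/cacerts' 2>/dev/null
    done
}

# For each trust store under the roots, report whether ALIAS is present.
# Output: "PRESENT <path>" or "absent  <path>", one line per trust store.
audit_alias() {
    alias_name=$1; shift
    find_cacerts "$@" | while IFS= read -r ks; do
        # </dev/null keeps keytool from consuming the list of paths on stdin.
        if "$KEYTOOL" -list -alias "$alias_name" -keystore "$ks" \
                -storepass "$STOREPASS" </dev/null >/dev/null 2>&1; then
            printf 'PRESENT %s\n' "$ks"
        else
            printf 'absent  %s\n' "$ks"
        fi
    done
}

# Usage: sh audit_cacerts.sh appletkey [root...]
if [ $# -gt 0 ]; then
    a=$1; shift
    # Default roots (assumed common install locations) when none are given.
    [ $# -gt 0 ] || set -- "/Library/Internet Plug-Ins" "/Library/Java" \
        "/usr/lib/jvm" "${JRE_HOME:-/nonexistent}"
    audit_alias "$a" "$@"
fi
```

A trust store reported as PRESENT that should no longer trust the applet key can be cleaned up with `keytool -delete -alias appletkey -keystore <path>`.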