
Security Warning in signed applet


The company I work for has an applet which requires special access to the client machine, so every Jar file is signed digitally. The applet and the company's web application interact using javascript to communicate.

The problem is that the first time the applet is used via javascript, Java throws a Security Warning popup asking the user to "Allow" or "Do Not Allow" the access to the applet from the website.

I've checked Oracle's guides to digitally sign applets, to Manifest parameters, but I cannot remove the security warning. Also, every time we test the application, we clear the browser's cache and Java Cache through the Java Control Panel. We work under Windows 7 and 8.

Here is a sample of the Manifest file in the main applet's jar:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.1
Trusted-Library: true
Application-Library-Allowable-Codebase: one.developdomain.net two.developdomain.net *.developdomain.net productiondomain1.net productiondomain2.net productiondomain3.net
Trusted-Only: false
Built-By: My Name
Application-Name: My Application Name
Permissions: all-permissions
Created-By: 1.7.0_45-b18 (Oracle Corporation)
Caller-Allowable-Codebase: one.developdomain.net two.developdomain.net *.developdomain.net productiondomain1.net productiondomain2.net productiondomain3.net
Codebase: one.developdomain.net two.developdomain.net *.developdomain.net productiondomain1.net productiondomain2.net productiondomain3.net

Name: services/xmpp/ChatPanel$4.class
SHA1-Digest: 7On19s6cztysSsrtARTlT5g1R8U=
....

Here is a sample of the JNLP file used to deploy the applet:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" href="launch-1.3.4.jnlp">
    <information>
        <title>Application Title</title>
        <vendor>Our Company</vendor>
        <homepage href="http://www.ourdomain.net" />
    </information>
    <security>
        <all-permissions/>
    </security>
    <update check="always" policy="always" />
    <resources os="Windows" arch="x86">
        <j2se version="1.7+" java-vm-args="-Djnlp.packEnabled=false" href="http://java.sun.com/products/autodl/j2se" />
        <jar href="firstjar.jar" version="1.3" download="progress"/>
        <jar href="secondjar.jar" main="true" version="1.49"/>
        ...
    </resources>
    <resources os="Windows" arch="x86_64">
        <j2se version="1.7+" java-vm-args="-Djnlp.packEnabled=false" href="http://java.sun.com/products/autodl/j2se" />
        <jar href="firstjar.jar" version="1.3" download="progress"/>
        <jar href="secondjar.jar" main="true" version="1.49"/>
        ...
    </resources>
    <resources os="Mac OS X">
        <j2se version="1.7+" java-vm-args="-Djnlp.packEnabled=false" href="http://java.sun.com/products/autodl/j2se" />
        <jar href="firstjar.jar" version="1.3" download="progress"/>
        <jar href="secondjar.jar" main="true" version="1.49"/>
        ...
    </resources>
    <applet-desc
        name="My Application Name"
        main-class="main.MainClass"
        width="300"
        height="300"
        progress-class="firstjar.ProgressIndicator">
        <param name="MAYSCRIPT" value="true" />
        <param name="scriptable" value="true" />
    </applet-desc>
</jnlp>

Also, each signed jar file contains the following two special folders and files:

jarfile.jar\
 +-META-INF\
 | +-MANIFEST.MF
 | +-CODESIGN.SF
 | +-CODESIGN.RSA
 +-JNLP-INF\
   +-APPLICATION.JNLP

The digital signature is done with a valid and CA approved certificate, so I am almost sure the problem is not the certificate.

Here is a screenshot of the security warning message:

Security Warning screenshot

Thank you very much for your attention and help.


Solution

  • There is a known issue in the current release of the Java plugin that causes the Caller-Allowable-Codebase attribute to be ignored if the Trusted-Library attribute is also present.

    Also, according to my tests the applet must be signed by a trusted certificate for Caller-Allowable-Codebase to be respected.
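The following checker is an added example, not code from the question or the answer. It parses the main section of a JAR MANIFEST.MF (joining the single-space continuation lines the JAR format uses), reads the <security> element of a JNLP file with the standard library XML parser, and reports the Trusted-Library / Caller-Allowable-Codebase combination the answer describes, plus a mismatch between the manifest Permissions attribute and what the JNLP requests (that second rule is this example's own assumption about what should agree). The sample manifest and JNLP are constructed, modelled on the ones in the question, with a placeholder digest; drop_attribute shows the corrective edit of removing Trusted-Library without touching the per-entry digest sections.

```python
"""Lint a JAR manifest and JNLP for the attribute conflict discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample manifest, modelled on the question's (digest is a placeholder).
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Trusted-Library: true
Application-Library-Allowable-Codebase: one.developdomain.net two.develop
 domain.net *.developdomain.net
Trusted-Only: false
Permissions: all-permissions
Caller-Allowable-Codebase: one.developdomain.net *.developdomain.net
Codebase: one.developdomain.net *.developdomain.net

Name: services/xmpp/ChatPanel$4.class
SHA1-Digest: PLACEHOLDER-DIGEST=
"""

# Constructed sample JNLP, reduced to the elements the checker reads.
SAMPLE_JNLP = """\
<jnlp spec="1.0+" href="launch.jnlp">
  <security><all-permissions/></security>
  <applet-desc name="Demo" main-class="main.MainClass" width="300" height="300"/>
</jnlp>
"""


def parse_main_section(text):
    """Return the main-section attributes as a dict keyed by lower-cased name.

    Per the JAR spec a line starting with one space continues the previous
    value, and the first blank line ends the main section; per-entry sections
    (Name/SHA1-Digest pairs) are deliberately not parsed.
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw.strip() == "":
            break
        if raw.startswith(" "):
            if last_key is None:
                raise ValueError("continuation line before any attribute")
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % raw)
        last_key = key.strip().lower()
        attrs[last_key] = value.strip()
    return attrs


def jnlp_requested_permissions(jnlp_text):
    """Return the permission level the JNLP asks for: 'sandbox' when there is no
    <security> child, otherwise the tag name of its first child
    (e.g. 'all-permissions')."""
    root = ET.fromstring(jnlp_text)
    security = root.find("security")
    if security is None or len(security) == 0:
        return "sandbox"
    return security[0].tag


def lint(manifest_text, jnlp_text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    attrs = parse_main_section(manifest_text)
    findings = []
    trusted_library = attrs.get("trusted-library", "").lower() == "true"
    if trusted_library and "caller-allowable-codebase" in attrs:
        # The answer above: the plugin ignores Caller-Allowable-Codebase when
        # Trusted-Library is also present, so the JavaScript-access prompt stays.
        findings.append("trusted-library-with-caller-allowable-codebase")
    if "permissions" not in attrs:
        findings.append("permissions-missing")
    elif attrs["permissions"].lower() != jnlp_requested_permissions(jnlp_text):
        # Assumed rule for this checker: manifest and JNLP should request the same level.
        findings.append("permissions-mismatch")
    return findings


def drop_attribute(manifest_text, name):
    """Return the manifest with one main-section attribute (and its continuation
    lines) removed; blank-line-separated per-entry sections are left untouched."""
    out = []
    in_main = True
    skipping = False
    for raw in manifest_text.splitlines(keepends=True):
        if in_main:
            if raw.strip() == "":
                in_main = False
            elif raw.startswith(" "):
                if skipping:
                    continue
            else:
                skipping = raw.split(":", 1)[0].strip().lower() == name.lower()
                if skipping:
                    continue
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    print("before:", lint(SAMPLE_MANIFEST, SAMPLE_JNLP))
    fixed = drop_attribute(SAMPLE_MANIFEST, "Trusted-Library")
    print("after: ", lint(fixed, SAMPLE_JNLP))
```

Re-signing is still required after any manifest edit, since the signature files under META-INF cover MANIFEST.MF itself; the checker only tells you which attributes to change before running jarsigner again.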