www.cendio.com
Bug 4896 - Java applet client verifier will not have enough permissions on Java 7u51 and later
: Java applet client verifier will not have enough permissions on Java 7u51 and...
Status: CLOSED FIXED
: ThinLinc
Web Access
: 4.1.0
: PC Unknown
: P2 Normal
: 4.2.0
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2013-11-13 09:51 by
Modified: 2014-04-14 16:21 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From cendio 2013-11-13 09:51:41
If I understand
https://blogs.oracle.com/java-platform-group/entry/signing_applet_code_does_not
and
https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
correctly, our ThinLincClientVerifier.jar will not run correctly on Java 7u25
and later: We will not get all-permissions by default. Thus, we need to start
including a proper manifest.
------- Comment #1 From cendio 2013-11-20 14:46:40 -------
I've added the Permissions attribute to a manifest file, but it does not work:
A warning is still displayed. 

Found
http://stackoverflow.com/questions/19564481/what-does-the-java-applet-security-warning-jar-file-manifest-does-not-contain-t.
Apparently I'm not the only one with problems.
------- Comment #2 From cendio 2013-11-20 15:47:08 -------
(In reply to comment #1)
> I've added the Permissions attribute to a manifest file, but it does not work:
> A warning is still displayed. 
> 
> Found
> http://stackoverflow.com/questions/19564481/what-does-the-java-applet-security-warning-jar-file-manifest-does-not-contain-t.
> Apparently I'm not the only one with problems.

On http://www.javaquery.com/2013/10/this-application-will-be-blocked-in.html
there are comments from other people with problems as well; seems to be related
to HTTPS.
------- Comment #3 From cendio 2013-11-20 16:25:38 -------
It's "interesting" that Java warns about missing attributes in the manifest in
the JAR file even *before* it has retrieved the JAR...!

This is obviously a bug in Java.
------- Comment #4 From cendio 2013-11-21 09:40:04 -------
(In reply to comment #3)
> It's "interesting" that Java warns about missing attributes in the manifest in
> the JAR file even *before* it has retrieved the JAR...!
> 
> This is obviously a bug in Java.

I've confirmed that it is possible to get rid of the warning dialog, using a
proper manifest file, when valid TLS certs are used. However, if the cert is
not valid (for example, by browsing to the IP instead of the DNS name), Java
will incorrectly claim that the "permissions" attribute is missing from the
Manifest, even though it has not even tried to load the Jar.
------- Comment #5 From cendio 2013-11-21 09:46:19 -------
Manifest added in 28158. We will need to continue monitor the Stackoverflow and
javaquery sites, as well as test new versions, to see if we can find a solution
which does not require valid certs.
------- Comment #6 From cendio 2014-02-26 11:38:33 -------
(In reply to comment #3)
> It's "interesting" that Java warns about missing attributes in the manifest in
> the JAR file even *before* it has retrieved the JAR...!
> 
> This is obviously a bug in Java.

Java SE 7 Update 51 has been released now. I cannot find anything about this in
the release notes, but the problem seems to be gone, at least on Windows 7.
Closing.
------- Comment #7 From cendio 2014-04-14 16:14:56 -------
(In reply to comment #6)
> (In reply to comment #3)
> > It's "interesting" that Java warns about missing attributes in the manifest in
> > the JAR file even *before* it has retrieved the JAR...!
> > 
> > This is obviously a bug in Java.
> 
> Java SE 7 Update 51 has been released now. I cannot find anything about this in
> the release notes, but the problem seems to be gone, at least on Windows 7.
> Closing.

Verified functionality using jre 1.7.0 update 51 on centos, works as expected.