Running Nexaweb applications in Java 1.7u51 and later

Background

Java 7 includes new security features that let you manage when and how untrusted Java applications run when they are included on a web page. The security level setting in the Java Control Panel determines whether you are prompted before an untrusted Java application runs or whether the application is blocked.

Java 7, Update 51 (7u51):

  1. Blocks self-signed and unsigned applets when the high security setting is selected
  2. Requires the permissions attribute to be included for applications to run when the high security setting is selected
  3. Warns users of missing permissions attributes when the medium security setting is selected

See Java 7 Release Highlights for more details about each Java 7 update.

Information about security levels in the Java Control Panel can be found here.

See Java Security Prompt to understand what security prompts are and why you are getting one.

Running Nexaweb applications in Java 1.7u51 and later with High Security Setting

To run a Nexaweb application in Java 7 with High Security Setting, follow these steps:

1. Acquire and then use a certificate issued by a trusted certificate authority to digitally sign the application.
2. Sign all client-side jars (see "signJars" ant macro below)
3. MANIFEST.MF files inside the jar file must include a number of required attributes, including "Permissions" (see "create-client-jar" ant macro below). For additional information, see JAR File Manifest Attributes.

Sample ANT task to sign jar
<macrodef name="signJars">
	<sequential>
		<signjar alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}" lazy="true">
			<path>
				<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
				<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
			</path>
		</signjar>
	</sequential>
</macrodef>
Sample ANT task to create client jar with manifest attributes
<macrodef name="create-client-jar">
	<!-- Declare the macro's parameters so the @{...} references below are expanded -->
	<attribute name="jar-location"/>
	<attribute name="jar-name"/>
	<attribute name="class-location"/>
	<sequential>
		<jar jarfile="@{jar-location}/@{jar-name}"
		basedir="@{class-location}"
		includes="**"
		excludes="">
			<!-- Manifest attributes read by Java 7u51 and later; values come from build properties -->
			<manifest>
				<attribute name="Copyright-Notice" value="${copyright.notice}"/>
				<attribute name="Application-Name" value="${application.name}"/>
				<attribute name="Codebase" value="${codebase}"/>
				<attribute name="Permissions" value="${permissions}"/>
				<attribute name="Caller-Allowable-Codebase" value="${caller.allowable.codebase}"/>
				<attribute name="Application-Library-Allowable-Codebase" value="${application.library.allowable.codebase}"/>
			</manifest>
		</jar>
	</sequential>
</macrodef>


4. Sign all Nexaweb client jars and update the manifest attributes of the jar files. Updating Client-Side Jar Manifests for Java 1.7u51 and Later describes how to update manifest attributes in greater detail.
5. To compress signed jars, follow these steps (see the "repack-and-sign" ant macro below). Additional information can be found at: Reducing the Download Time.

    1. Normalize the JAR file using the --repack option.
    2. Sign the normalized JAR file.
    3. Pack the signed JAR file, generating a .jar.pack.gz file.

Sample ANT task to repack and sign
<macrodef name="repack-and-sign">
		<sequential>
			<echo message="Repacking libs in ${build.dir}/WEB-INF/Nexaweb/client"/>
			<apply executable="pack200" parallel="false">
				<arg value="--repack"/>
				<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar" />
			</apply>
			<echo message="Repacking libs in ${build.dir}/WEB-INF/client"/>
			<apply executable="pack200" parallel="false">
				<arg value="--repack"/>
				<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar" />
			</apply>
			<echo message="Signing client libs in ${build.dir}/WEB-INF/"/>
			<signjar 
		            alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}"
		            lazy="true">
				<path>
					<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
					<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
				</path>
			</signjar>
			<echo message="Pack200 after signing"/>
			<apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/Nexaweb/client">
				<arg value="--modification-time=latest"/>
				<arg value="--deflate-hint=true"/>
				<arg value="--segment-limit=-1"/>
				<targetfile/>
				<srcfile/>
				<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar" />
				<mapper type="glob" from="*" to="*.pack.gz" />
			</apply>
			<apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/client">
				<arg value="--modification-time=latest"/>
				<arg value="--deflate-hint=true"/>
				<arg value="--segment-limit=-1"/>
				<targetfile/>
				<srcfile/>
				<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar" />
				<mapper type="glob" from="*" to="*.pack.gz" />
			</apply>
		</sequential>
	</macrodef>

6. Repackage and sign the Nexaweb plugin jars if you are using any of them. This prevents the warning dialog that is raised for mixed signed and unsigned components in Java 1.6.19 or later. Refer to Mixed Signed and Unsigned code warning dialog in Java 1.6u19 and later for the steps to repackage and sign Nexaweb plugin jars.
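
A build-time check for steps 2 to 4, added here as an example and not part of Nexaweb's or Oracle's tooling: it reads each jar's META-INF/MANIFEST.MF, including values wrapped onto continuation lines, and reports missing manifest attributes and missing signature entries. The list of attributes checked, the function names and the sample manifests are assumptions of this example.

```python
import io
import zipfile

# Attributes checked are this example's choice, taken from the page's
# "create-client-jar" macro. The two manifests are constructed samples.
REQUIRED = ("Permissions", "Codebase", "Application-Name")
VALID_PERMISSIONS = {"sandbox", "all-permissions"}
GOOD_MANIFEST = ("Manifest-Version: 1.0\r\nApplication-Name: Sample Client\r\n"
                 "Permissions: all-permissions\r\n"
                 "Codebase: https://apps.example.com https://cdn.exa\r\n"
                 " mple.com\r\n\r\n")  # Codebase wraps onto a continuation line
BAD_MANIFEST = "Manifest-Version: 1.0\r\nCodebase: *\r\n\r\n"

def parse_main_attributes(manifest_bytes):
    """Parse the manifest main section, joining wrapped continuation lines."""
    text = manifest_bytes.decode("utf-8").replace("\r\n", "\n")
    attrs = {}
    for line in text.split("\n\n")[0].replace("\n ", "").splitlines():
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()  # names are case-insensitive
    return attrs

def audit_jar(jar_bytes):
    """Return findings for one jar; an empty list means it passed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_main_attributes(jar.read("META-INF/MANIFEST.MF"))
    findings = ["missing " + a for a in REQUIRED if not attrs.get(a.lower())]
    perms = attrs.get("permissions")
    if perms and perms not in VALID_PERMISSIONS:
        findings.append("invalid Permissions value: " + perms)
    if attrs.get("codebase") == "*":  # jar may be served from any site
        findings.append("Codebase is a wildcard")
    # Presence check only; `jarsigner -verify` validates the signature itself.
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    if not (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)):
        findings.append("no signature files (unsigned)")
    return findings

def build_sample_jar(manifest_text, signed):
    """Constructed input: in-memory jar with placeholder signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        for ext in ((".SF", ".RSA") if signed else ()):
            jar.writestr("META-INF/EXAMPLE" + ext, b"placeholder")
    return buf.getvalue()
```

To use it on a real build, pass audit_jar the bytes of each jar under WEB-INF/Nexaweb/client and WEB-INF/client and fail the build when the returned list is not empty.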