Background
Java 7 includes new security features that enable you to manage when and how untrusted Java applications will run if they are included on a web page. The security level setting within the Java Control Panel will determine whether you will be prompted before an untrusted Java application is run or if the application will be blocked.
The latest release of Java 7, Update 51 (7u51):
- Blocks self-signed and unsigned applets when the high security setting is selected
- Requires the permissions attribute to be included for applications to run when the high security setting is selected
- Warns users of missing permissions attributes when the medium security setting is selected
See Java 7 Release Highlights for more details about each Java 7 update.
Information about security levels in the Java Control Panel can be found here.
See Java Security Prompt to understand what security prompts are and why you are getting one.
Running Nexaweb applications in Java 1.7u51 and later with High Security Setting
To run a Nexaweb application in Java 7 with High Security Setting, follow these steps:
1. Acquire and then use a certificate issued by a trusted certificate authority to digitally sign the application
2. Sign all client-side jars (see "signJars" ant macro below)
3. MANIFEST.MF files inside the jar file must include a number of required attributes, including "Permissions" (see "create-client-jar" ant macro below). For additional information, see JAR File Manifest Attributes.
```xml
<macrodef name="signJars">
  <sequential>
    <!-- Signs every client jar; lazy="true" skips jars that are already signed. -->
    <signjar alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}" lazy="true">
      <path>
        <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
        <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
      </path>
    </signjar>
  </sequential>
</macrodef>
```
```xml
<macrodef name="create-client-jar">
  <!-- Macro parameters referenced below as @{...}; they must be declared here. -->
  <attribute name="jar-location"/>
  <attribute name="jar-name"/>
  <attribute name="class-location"/>
  <sequential>
    <jar jarfile="@{jar-location}/@{jar-name}" basedir="@{class-location}" includes="**" excludes="">
      <!-- Main-section manifest attributes checked by Java 7u51 and later. -->
      <manifest>
        <attribute name="Copyright-Notice" value="${copyright.notice}"/>
        <attribute name="Application-Name" value="${application.name}"/>
        <attribute name="Codebase" value="${codebase}"/>
        <attribute name="Permissions" value="${permissions}"/>
        <attribute name="Caller-Allowable-Codebase" value="${caller.allowable.codebase}"/>
        <attribute name="Application-Library-Allowable-Codebase" value="${application.library.allowable.codebase}"/>
      </manifest>
    </jar>
  </sequential>
</macrodef>
```
4. Sign all Nexaweb client jars and update the manifest attributes of the jar files. Updating Client-Side Jar Manifests for Java 1.7u51 and Later describes how to update manifest attributes in greater detail.
5. To compress signed jars, you will need to follow these steps (see "repack-and-sign" ant macro below). Additional information can be found at:
- Normalize the JAR file using the --repack option.
- Sign the normalized JAR file.
- Pack the signed JAR file, generating a .jar.pack.gz file
```xml
<macrodef name="repack-and-sign">
  <sequential>
    <!-- Step 1: normalize each jar with the pack200 repack option so the signature survives packing. -->
    <echo message="Repacking libs in ${build.dir}/WEB-INF/Nexaweb/client"/>
    <apply executable="pack200" parallel="false">
      <arg value="--repack"/>
      <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
    </apply>
    <echo message="Repacking libs in ${build.dir}/WEB-INF/client"/>
    <apply executable="pack200" parallel="false">
      <arg value="--repack"/>
      <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
    </apply>

    <!-- Step 2: sign the normalized jars. -->
    <echo message="Signing client libs in ${build.dir}/WEB-INF/"/>
    <signjar alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}" lazy="true">
      <path>
        <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
        <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
      </path>
    </signjar>

    <!-- Step 3: pack each signed jar into a .jar.pack.gz file next to it. -->
    <echo message="Pack200 after signing"/>
    <apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/Nexaweb/client">
      <arg value="--modification-time=latest"/>
      <arg value="--deflate-hint=true"/>
      <arg value="--segment-limit=-1"/>
      <targetfile/>
      <srcfile/>
      <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
      <mapper type="glob" from="*" to="*.pack.gz"/>
    </apply>
    <apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/client">
      <arg value="--modification-time=latest"/>
      <arg value="--deflate-hint=true"/>
      <arg value="--segment-limit=-1"/>
      <targetfile/>
      <srcfile/>
      <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
      <mapper type="glob" from="*" to="*.pack.gz"/>
    </apply>
  </sequential>
</macrodef>
```
6. Repackage and sign the Nexaweb plugin jars if you are using any of them. This will prevent a warning dialog that is raised for mixed signed and unsigned components in Java 1.6.19 or later. Refer to Mixed Signed and Unsigned code warning dialog in Java 1.6u19 and later for steps to repackage and sign Nexaweb plugin jars.
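To check the build output before deployment, the script below inspects a client jar for the manifest attributes written by the "create-client-jar" macro and for signature files in META-INF. It is an added example, not Nexaweb or Oracle code. The function names, the in-memory sample jars, and the choice to treat Application-Name, Codebase and Permissions as mandatory are assumptions. It only confirms that signature files are present; `jarsigner -verify` performs the cryptographic check.

```python
import io
import zipfile

# Assumption: these attributes from the create-client-jar macro are treated as mandatory.
REQUIRED = ("Application-Name", "Codebase", "Permissions")
VALID_PERMISSIONS = ("sandbox", "all-permissions")

def main_attributes(manifest_bytes):
    """Parse the main section of MANIFEST.MF, joining wrapped continuation lines."""
    attrs, last = {}, None
    for line in manifest_bytes.decode("utf-8").splitlines():
        if not line:                       # a blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of the previous value
            attrs[last] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            last = key.lower()             # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def audit_jar(jar_file):
    """Return a list of findings for one jar; an empty list means it passed."""
    with zipfile.ZipFile(jar_file) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF"))
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
    findings = ["missing manifest attribute: " + a for a in REQUIRED if a.lower() not in attrs]
    perms = attrs.get("permissions")
    if perms is not None and perms not in VALID_PERMISSIONS:
        findings.append("invalid Permissions value: " + perms)
    signed = any(n.endswith(".SF") for n in meta) and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
    if not signed:
        findings.append("unsigned: no .SF and signature block file in META-INF")
    return findings

def sample_jar(manifest, signed):
    """Constructed sample input: an in-memory jar with placeholder signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for ext in (("SF", "RSA") if signed else ()):
            jar.writestr("META-INF/SIGNER." + ext, "placeholder")
    return buf

if __name__ == "__main__":
    ok = "Manifest-Version: 1.0\r\nApplication-Name: Example\r\nCodebase: https://app.example.com\r\nPermissions: sandbox\r\n\r\n"
    print(audit_jar(sample_jar(ok, True)), audit_jar(sample_jar("Manifest-Version: 1.0\r\n\r\n", False)))
```

Pass a path to a real jar from `${build.dir}/WEB-INF/client` to `audit_jar` to run the same check against the build output.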